Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the Linux kernel, sudo, TWiki,
phpBB, cscope, Cyrus IMAP, Bugzilla, ProZilla, unarj, libxml2, and fetch.
Linux kernel
The Linux kernel's ELF binary loader contains multiple errors that, under some conditions, can be exploited by a local unprivileged user to execute arbitrary code with root permissions. The errors are reported to affect Linux kernel versions 2.4 through 2.4.27 and 2.6 through 2.6.8. Code that automates exploitation of this vulnerability has been released to the public.
It is recommended that all affected Linux servers be upgraded to a repaired kernel as soon as possible.
sudo
The sudo command allows a permitted user to execute a command as the superuser
or as another user, as specified in the sudoers file. sudo reportedly does not
remove exported Bash functions or the CDPATH variable from the environment
before it executes the authorized command. Under some conditions, any user
authorized to use sudo can abuse this to execute arbitrary commands or code with
the additional permissions granted by sudo.
All affected users should watch their vendors for a repaired version of sudo
and should consider disabling sudo until it has been repaired. Anyone who
uses sudo to grant a user partial but not complete root access should keep
in mind that this type of application is notoriously difficult to secure
completely, and should consider alternatives to giving an untrusted user
access to superuser-level authority. Debian is reported to have released a
repaired version of sudo.
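The two environment hazards named in the sudo item above, reproduced as an added example that is not sudo's code and does not need sudo. Each function runs an "attacker" shell that defines and exports a Bash function named id (or sets CDPATH) and then starts a second stage standing in for the authorized command; with "inherit" the second stage receives the attacker's environment, as the buggy sudo passed it on, and with "scrub" it receives an env -i environment, which is the effect sudo's env_reset option has today. It assumes bash, env, mktemp and /usr/bin/id are installed.

```shell
#!/bin/sh
# Added example for the sudo item; not sudo's own code.
# Assumptions: bash, env, mktemp and /usr/bin/id exist.

# 1. Exported bash functions travel in the environment and shadow a real command
#    of the same name inside any child bash that inherits them.
func_shadow() {
    case "$1" in
        inherit) stage2='bash -c "id"' ;;
        scrub)   stage2='env -i PATH=/usr/bin:/bin bash -c "id"' ;;
        *)       echo "usage: func_shadow inherit|scrub" >&2; return 2 ;;
    esac
    # stage 1 is the attacker's shell: define a fake "id", export it, start stage 2
    out=$(bash -c "id() { echo hijack; }; export -f id; $stage2" 2>/dev/null) || true
    case "$out" in
        hijack) echo hijack ;;          # the exported function ran instead of /usr/bin/id
        uid=*)  echo clean ;;           # the real id ran
        *)      echo "unexpected: $out" ;;
    esac
}

# 2. CDPATH makes a relative "cd" in the target command land in an attacker-chosen
#    directory, so later relative file operations touch attacker-controlled files.
cdpath_hijack() {
    case "$1" in
        inherit) stage2='bash -c "cd etc >/dev/null && pwd -P"' ;;
        scrub)   stage2='env -i PATH=/usr/bin:/bin bash -c "cd etc >/dev/null && pwd -P"' ;;
        *)       echo "usage: cdpath_hijack inherit|scrub" >&2; return 2 ;;
    esac
    work=$(mktemp -d)
    mkdir -p "$work/decoy/etc" "$work/cwd"     # decoy/etc is the attacker's; cwd has no etc/
    out=$(cd "$work/cwd" && CDPATH="$work/decoy" sh -c "$stage2" 2>/dev/null) || true
    rm -rf "$work"
    case "$out" in
        */decoy/etc) echo hijack ;;     # "cd etc" resolved through CDPATH into the decoy
        "")          echo clean ;;      # CDPATH gone: "cd etc" failed and nothing after it ran
        *)           echo "unexpected: $out" ;;
    esac
}

# Stand-alone demo
for mode in inherit scrub; do
    echo "functions, $mode: $(func_shadow $mode)"
    echo "CDPATH,    $mode: $(cdpath_hijack $mode)"
done
```

The check to run on a real host is `sudo sudo -V` (or `sudo -l` as the user) to confirm that env_reset is in effect and that the env_keep list does not carry CDPATH or other variables that change what a command does.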
TWiki
The web-based groupware tool TWiki does not properly escape shell meta-characters in the code that handles searches. A remote attacker can trivially exploit this bug to execute arbitrary shell commands on the server with the permissions of the user running the web server. A script that automates exploitation of this vulnerability has been released to the public.
The maintainers of TWiki recommend that all users upgrade to the latest patched production release or apply the available patches.
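The bug class in the TWiki item above, shown as an added example that is not TWiki's code: a tiny "search" that shells out to grep. In TWiki, which is written in Perl, the equivalent mistake is interpolating the request parameter into backticks or a one-string system() call; here an interpolated string handed to sh -c stands in for that. The corpus is constructed by the script, and grep and mktemp are assumed available.

```shell
#!/bin/sh
# Added example for the TWiki item; not TWiki's own code.
# Assumptions: grep and mktemp exist; the search corpus below is constructed.

make_corpus() {
    dir=$(mktemp -d)
    printf 'WebHome: welcome to the wiki\n' > "$dir/WebHome.txt"
    printf 'Sandbox: try things here\n'    > "$dir/Sandbox.txt"
    echo "$dir"
}

# Vulnerable: the search term is spliced into a command line that a shell parses,
# so a quote in the term ends grep's argument and whatever follows runs as a command.
vulnerable_search() {   # $1 corpus dir, $2 search term taken from the request
    sh -c "grep -il '$2' $1/*.txt" </dev/null 2>/dev/null
}

# Fixed: the term is one argv element that no shell ever re-parses. "--" stops a
# term that begins with "-" from being read as a grep option.
safe_search() {
    grep -il -- "$2" "$1"/*.txt 2>/dev/null
}

# Stand-alone demo
corpus=$(make_corpus)
term="'; echo PWNED; #"          # closes the quote, runs a command, comments out the rest
echo "vulnerable: $(vulnerable_search "$corpus" "$term")"
echo "safe:       $(safe_search "$corpus" "$term" || echo '(no match, nothing executed)')"
echo "safe, real: $(safe_search "$corpus" welcome)"
rm -rf "$corpus"
```

The fix is the same in any language: build an argument vector (Perl's list-form system or open, exec in a pipeline, or a library call) rather than a string for a shell to parse, and treat escaping as a last resort.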
phpBB
phpBB, an open source, web-based bulletin board system, is reported to be vulnerable
to several bugs that, under some conditions, can be exploited by a remote attacker
to execute arbitrary code with the permission of the web server, or to execute
arbitrary SQL commands on phpBB's database server.
It is recommended that all users of phpBB upgrade to version 2.0.11 or newer
as soon as possible.
cscope
The C source-code browser cscope is reported to be vulnerable to a temporary-file symbolic link race condition that may be exploited by a local attacker
to overwrite arbitrary files on the system with the permissions of the victim's
account. This vulnerability is reported to affect all versions of cscope earlier
than 15.5.
Users of cscope should watch for a repaired version and decide whether their
acceptable level of risk allows them to keep using cscope until it is updated.
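The temp-file symlink race from the cscope item above, staged in a private sandbox directory as an added example that is not cscope's code. The "victim" writes scratch data to a predictable name in a shared directory; the "attacker", who could guess that name, has already linked it to a file the victim owns, so the victim's own write clobbers that file. The fixed version uses mktemp, which picks a random name and creates it with O_CREAT|O_EXCL, so a planted link is neither predictable nor followed. It assumes mktemp and ln are available.

```shell
#!/bin/sh
# Added example for the cscope item; not cscope's own code.
# Assumptions: mktemp and ln exist; the sandbox stands in for a shared /tmp.

sandbox_setup() {
    box=$(mktemp -d)
    mkdir -p "$box/tmp"                           # stand-in for the world-writable /tmp
    printf 'important\n' > "$box/victim_file"     # a file only the victim should change
    echo "$box"
}

# Attacker: predict the name (program name plus the victim's pid is a common
# scheme) and plant a symlink there before the victim runs.
attacker_plant() {   # $1 sandbox, $2 predicted pid
    ln -s "$1/victim_file" "$1/tmp/cscope.$2"
}

# Vulnerable: predictable name opened with O_CREAT|O_TRUNC. If a symlink is
# already there the open follows it, and the victim overwrites its own file.
vulnerable_write() {   # $1 sandbox, $2 the victim's pid
    printf 'scratch data\n' > "$1/tmp/cscope.$2"
}

# Fixed: mktemp chooses an unpredictable name and creates it exclusively; the
# attacker's link at cscope.<pid> is never touched.
safe_write() {   # $1 sandbox; prints the path actually used
    tmp=$(mktemp "$1/tmp/cscope.XXXXXX") || return 1
    printf 'scratch data\n' > "$tmp"
    echo "$tmp"
}

victim_file_contents() { cat "$1/victim_file"; }

# Stand-alone demo
box=$(sandbox_setup)
attacker_plant "$box" 4242
vulnerable_write "$box" 4242
echo "after the vulnerable write, victim_file contains: $(victim_file_contents "$box")"
box2=$(sandbox_setup)
attacker_plant "$box2" 4242
used=$(safe_write "$box2")
echo "after the safe write to $used, victim_file contains: $(victim_file_contents "$box2")"
rm -rf "$box" "$box2"
```

In C the same fix is mkstemp() (or open() with O_CREAT|O_EXCL and a random name) instead of tmpnam()/mktemp() followed by fopen(); a per-user directory that others cannot write to removes the race entirely.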
Cyrus IMAP
The Cyrus IMAP daemon is reported to contain several buffer overflows that may,
under some conditions, be exploited remotely and result in arbitrary code being
executed with root permissions. The overflows are located in the code that
parses the partial and fetch commands. A further buffer overflow may be
exploitable when the system runs out of memory.
All users of Cyrus IMAP should watch their vendors for an updated version.
Bugzilla
The web-based bug-tracking system Bugzilla is vulnerable to several bugs that can be exploited by a remote attacker to make unauthorized changes to a bug, or that can result in private information being leaked to an unauthorized user. These problems are reported to affect all versions of Bugzilla earlier than 2.16.7.
The Bugzilla team recommends that all users upgrade to version 2.16.7 or newer as soon as possible.
ProZilla
ProZilla, a download accelerator, is vulnerable to several buffer overflows that may, under some conditions, result in arbitrary code being executed with the victim's permissions.
As it has been reported that this package is no longer being maintained by its author, users should consider switching to an alternative download accelerator.
unarj
The unarj ARJ-archive decompression utility is reported to contain a buffer
overflow in the code that handles file names stored in an archive. This buffer
overflow may be exploitable to execute arbitrary code with the victim's
permissions, and a separate directory traversal bug may be exploitable to
overwrite arbitrary files or directories with the victim's permissions. Both
bugs are exploited by creating a carefully crafted archive file and then
convincing the user to uncompress it using the unarj utility.
Users should exercise great care when opening any archive from an untrusted
source. They should also watch their vendors for a repaired version of unarj.
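The directory-traversal half of the unarj item above, as an added example that is not unarj's code. It works on a constructed archive listing (member name plus contents) rather than real ARJ data: an unsafe extractor trusts the stored name and writes wherever it points, while the safe one rejects absolute names and any ".." component first. Treating a DOS-style backslash as a path separator is an assumption made here because ARJ archives come from DOS; mktemp is assumed available.

```shell
#!/bin/sh
# Added example for the unarj item; not unarj's own code.
# Assumptions: member names are constructed here, not read from an ARJ file;
# backslashes in member names are treated as separators; mktemp exists.

# Unsafe: trust the stored member name and write wherever it points, so
# "../../x" or "/etc/x" escapes the destination directory.
unsafe_extract() {   # $1 destination dir, $2 stored member name, $3 contents
    mkdir -p "$(dirname "$1/$2")" && printf '%s\n' "$3" > "$1/$2"
}

# Vet a stored member name: print a safe relative path, or fail.
safe_member_path() {
    name=$(printf '%s' "$1" | tr '\\' '/')     # DOS separators become "/" (assumption)
    case "$name" in
        "" | /* ) return 1 ;;                   # empty or absolute: refuse
    esac
    case "/$name/" in
        */../* ) return 1 ;;                    # any ".." component anywhere: refuse
    esac
    printf '%s\n' "$name"
}

# Fixed: only names that pass the check are written, always under $1.
safe_extract() {   # $1 destination dir, $2 stored member name, $3 contents
    rel=$(safe_member_path "$2") || { echo "refusing member: $2" >&2; return 1; }
    mkdir -p "$(dirname "$1/$rel")" && printf '%s\n' "$3" > "$1/$rel"
}

# Stand-alone demo
box=$(mktemp -d)
mkdir -p "$box/out"
unsafe_extract "$box/out" '../escaped.txt' 'owned'
echo "unsafe extractor wrote outside out/: $(ls "$box")"
safe_extract "$box/out" '..\escaped2.txt' 'owned' || echo "safe extractor refused it"
safe_extract "$box/out" 'docs\readme.txt' 'hello' && echo "safe extractor wrote $(ls "$box/out")/readme.txt"
rm -rf "$box"
```

A full fix also has to reject names that resolve through a symlink the archive itself planted earlier in the extraction; checking the final path after extraction, or refusing to create symlinks at all, covers that case.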
libxml2
The XML parsing library libxml2 is reported to be vulnerable to several buffer
overflows that, under some circumstances, may be exploitable by a remote attacker
and used to execute arbitrary code with the permissions of the process that uses
the library, such as the web server.
All users of libxml2 should upgrade to version 2.6.16 or newer.
fetch
fetch is a command-line utility used to download files using the FTP, HTTP,
and HTTPS protocols. A buffer overflow found in fetch can be exploited by a
remote attacker who controls a web server that the victim connects to using
fetch. Exploiting this buffer overflow could result in arbitrary code being
executed on the victim's machine with the victim's permissions.
It is recommended that fetch not be used until it has been updated.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.