Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at a Linux 2.4 kernel bug on AMD64 machines,
problems in Samba, changepassword.cgi, MPlayer, the MIT Kerberos 5 administration
library, logcheck, Sybase Adaptive Server Enterprise, Konqueror, Debian debmake,
Xpdf, and xzgv.
A bug in the 32-bit compatibility system-call handler in the AMD64 Linux 2.4 kernel can be trivially exploited by a local attacker to gain root permissions. This bug is not reported to affect Linux 2.6 kernels, or kernels compiled for other platforms.
Affected users should watch their vendors for an upgraded Linux kernel package and should upgrade as soon as one becomes available.
Samba is an open source server software package that provides file and print services to SMB/CIFS clients. It has been reported that Samba is vulnerable to several integer-based buffer overflows that, under some conditions, could be exploited by a remote attacker to execute arbitrary code on the server with, in many cases, root permissions.
Users should watch their vendors for repaired Samba packages or should upgrade to Samba 3.0.10 or later as soon as possible.
changepassword.cgi is a web-based Yellow Pages, Samba, and Squid password
changing script written in C. It is vulnerable to a local attack that can be
exploited to execute arbitrary code with root permissions. This vulnerability
is caused by the insecure use of the system() function call when it is used
to call the make command.
All users of changepassword.cgi should disable it until a secure version has been installed.
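As an added illustration (not code from changepassword.cgi or from its fix), this is the hardened way for a privileged CGI to run make: fork and execve with an absolute path and a fixed environment, so no shell parses the command and nothing inherited from the caller's environment reaches the child. The `/usr/bin/make` and `/var/yp` paths and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened replacement for system("... make") in a privileged
 * CGI: no shell is spawned, the program is named by absolute path, and the
 * child gets this fixed environment instead of the one handed to the CGI. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `path` with `argv` under SAFE_ENV. Returns the child's exit status
 * (0-255), or -1 if the path is not absolute, fork/wait fails, or the
 * child was killed by a signal. */
int run_fixed_command(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/' || argv == NULL || argv[0] == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);
        _exit(127);                     /* exec failed: never return to caller */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* What the CGI would call in place of system(); paths are hypothetical. */
int rebuild_nis_maps(void)
{
    char *const argv[] = { "make", "-C", "/var/yp", NULL };
    return run_fixed_command("/usr/bin/make", argv);
}

/* Constructed self-checks that only need /bin/sh. */
int demo_exit_status(void)              /* expect 7 */
{
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    return run_fixed_command("/bin/sh", argv);
}

int demo_env_scrubbed(void)             /* expect 0: INJECTED not inherited */
{
    setenv("INJECTED", "1", 1);
    char *const argv[] = { "sh", "-c", "test -z \"$INJECTED\"", NULL };
    return run_fixed_command("/bin/sh", argv);
}
```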
The Linux/Unix video player MPlayer supports many video formats, including
MPEG, VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo,
YUV4MPEG, FILM, RoQ, and PVA. Multiple buffer overflows have been reported
in MPlayer that may, under some conditions, be exploitable by a remote attacker
to execute code with the victim's permissions. These vulnerabilities include
buffer overflows in the Real RTSP, Real pnm, MMST streaming code, and in the
BMP demuxer and mp3lib code.
It is recommended that users of MPlayer watch their vendors for an updated package and consider not playing movies from untrusted sources until it has been repaired.
The MIT Kerberos 5 administration library libkadm5srv is vulnerable to a buffer-overflow-based attack that may be exploitable by a remote attacker to execute
arbitrary code on the host running the Kerberos Key Distribution Center. Successfully
exploiting this vulnerability compromises the entire Kerberos realm. An
administrator must have performed one of several specific password policy changes
and the attacker must be able to authenticate to Kerberos to exploit this vulnerability.
Users should apply the available patch or watch for a repaired version of Kerberos 5. A possible workaround is to increase any password history count on any policy that has been lowered below its prior maximum value.
logcheck is a utility that scans the system logs and mails the results of
the scan to the system administrator. logcheck is reported to be vulnerable
to a temporary-file symbolic-link race condition that may be exploitable by
a local attacker to overwrite arbitrary files on the system with root permissions.
Affected users should disable logcheck until it has been repaired.
The Sybase Adaptive Server Enterprise database server is reported to be vulnerable to several undisclosed vulnerabilities that were only described as "high risk."
These vulnerabilities are reported to be repaired in Sybase Adaptive Server Enterprise 12.5.3. Affected users should contact Sybase for additional information and recommendations.
The Konqueror web browser is reported to have a vulnerability in its Java and JavaScript code that could result in an untrusted Java applet escalating its permissions (escaping the sandbox). Under some conditions, this can result in files being read or written with the permissions of the user running the web browser.
The KDE maintainers recommend upgrading to KDE 3.3.2. Users of binary packages should watch their vendors for an upgraded or patched version of KDE that repairs this problem. Users should consider disabling Java in Konqueror until they have upgraded.
The utility debmake distributed with Debian GNU/Linux contains a script named
debstd that is vulnerable to a temporary-file symbolic-link attack that
can be exploited by a local attacker to overwrite arbitrary files with the
victim's permissions.
Affected users should upgrade to Debian 3.6.10.woody.1 or 3.77.
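The temporary-file symbolic-link race behind both the logcheck and the debstd reports, as an added example that is not code from either package: the classic predictable-name open beside the mkstemp()/O_EXCL form that refuses a pre-planted link. The file names are constructed, and the demonstration runs entirely inside a private directory that it creates and removes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened temp-file creation: mkstemp() picks an unpredictable name and
 * opens it with O_CREAT|O_EXCL, so a link a local user planted in advance is
 * refused rather than followed; fstat() then confirms a regular file we own. */
int open_tmp_safe(char *template_path)       /* e.g. "/tmp/logcheck.XXXXXX" */
{
    int fd = mkstemp(template_path);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); unlink(template_path); return -1;
    }
    return fd;
}

/* Constructed demonstration in a private directory: a "victim" file and a
 * symlink at a predictable temp name pointing to it, as in the logcheck and
 * debstd reports. Returns 1 when the O_CREAT|O_TRUNC open followed the link and
 * truncated the victim, the exclusive open refused it, and open_tmp_safe() worked. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/race-demo.XXXXXX", victim[64], link[64], tmpl[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/logcheck.tmp", dir);      /* predictable */
    snprintf(tmpl, sizeof tmpl, "%s/logcheck.XXXXXX", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || write(v, "secret\n", 7) != 7 || close(v) != 0) return 0;
    if (symlink(victim, link) != 0) return 0;
    /* Vulnerable pattern: predictable name, no O_EXCL, so the link is followed. */
    int unsafe = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    struct stat st;
    int truncated = stat(victim, &st) == 0 && st.st_size == 0;
    /* Hardened pattern at the same name: refused with EEXIST (or ELOOP). */
    int safe = open(link, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int refused = safe < 0 && (errno == EEXIST || errno == ELOOP);
    int good = open_tmp_safe(tmpl);
    int ok = unsafe >= 0 && truncated && refused && good >= 0;
    if (unsafe >= 0) close(unsafe); if (safe >= 0) close(safe);
    if (good >= 0) { close(good); unlink(tmpl); }
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```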
Xpdf is a PDF reader for Unix systems running the X Window System. A bug in
the Gfx::doImage() function can be exploited by a remote attacker who creates
a carefully crafted PDF file. If this file is opened by the victim, it will
cause a buffer overflow and result in arbitrary code being executed with the
victim's permissions.
A patch and repaired binaries to repair this problem have been released by the maintainers. Users should upgrade or watch their vendors for a repaired version. Users should exercise care over what files they download and open on their systems.
xzgv is an X Window System-based image viewing utility. A buffer overflow
in xzgv may, under some conditions, be exploitable by a remote attacker who creates
a carefully crafted image file that, when viewed with xzgv, will exploit the
buffer overflow and execute arbitrary code. The vulnerability is reported to
affect all versions through 0.8 (the latest version at the time of this writing).
The author of xzgv has released a patch as a temporary measure until there is a "more comprehensive fix."
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.