Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Squid, mod-ssl, the Solaris Volume Manager, ATPhttpd, iPlanet, and kcms_configure; and problems in the CDE ToolTalk Database Server, the nn news reader, Icecast, NcFTP, and Sharp's Zaurus handheld computer.
The ToolTalk Database Server component of the Common Desktop Environment (CDE) has a flaw that may be exploitable by a remote attacker to create or delete files and execute arbitrary commands or code.
The ToolTalk server is also vulnerable to a symbolic-link race condition that can be exploited by a local attacker to create or write to arbitrary files as the root user. It is possible that this vulnerability can be used to obtain increased privileges.
Users should watch their vendor for an update that repairs these flaws, and should consider disabling the CDE ToolTalk Database Server, or blocking connections to the service using a firewall and limiting access to the server.
It has been reported that, under some circumstances, the Squid proxy server can forward the proxy authentication credentials improperly. This is reported to occur when the proxy server is configured to require a login to connect to some sites but not others. This is reported to affect versions 2.4.STABLE6 and earlier of Squid.
In addition, several buffer overflows and other problems have been reported in Squid, including: buffer overflows in the MSNT auth helper, several buffer overflows in the gopher client, a problem in the FTP data channel, and possible buffer overflows when parsing FTP
A patch has been released that restricts the forwarding to sites that are configured as cache_peers. A suggested workaround is that if authentication is required on any sites, it be required for all sites. Users should watch their vendor for an updated version of Squid.
The Apache module mod-ssl has a problem in its handling of .htaccess files that may result in a buffer overflow that can be exploited by an attacker to execute arbitrary code with the permission of the user running the Web server.
Users should upgrade to a repaired version of mod-ssl as soon as possible. A possible workaround is to set
This workaround will affect all .htaccess file directives and may have unforeseen effects.
The Solaris Volume Manager vold is vulnerable to a buffer overflow that can be exploited, under some conditions, by a local attacker to execute arbitrary code as the user running vold (normally, root).
Users should apply the patch available from Sun as soon as possible.
The Linux kernel is vulnerable to a denial-of-service attack based on opening all of the available file descriptors, including the reserved file descriptors. This problem is reported to affect Linux 2.4.x kernels.
This problem can be mitigated by enforcing user resource allocation limits and by increasing the number of reserve descriptors by changing the value of
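An added monitoring helper for the descriptor-exhaustion problem above (example code, not from the column or the kernel project). It reads the three counters Linux exposes in /proc/sys/fs/file-nr (allocated, free, maximum) and warns when the system is close to the ceiling the attack drives it into; the sample line and the 90% threshold are constructed for illustration.

```shell
#!/bin/sh
# Global file-descriptor pressure check for a Linux host.
# /proc/sys/fs/file-nr holds: <allocated> <free> <max> (max is fs.file-max).
# Per-user caps, the other mitigation the column names, are set with
# `ulimit -Hn` (hard) / `ulimit -n` (soft) or the nofile entry in
# /etc/security/limits.conf; this script only reports the global picture.

WARN_PCT=${WARN_PCT:-90}     # assumed threshold: warn at 90% of the maximum

# fd_headroom ALLOCATED FREE MAX
#   prints the number of descriptors actually in use;
#   returns 0 while usage is below WARN_PCT percent of MAX, 1 otherwise.
fd_headroom() {
  allocated=$1 free=$2 max=$3
  in_use=$((allocated - free))
  pct=$((in_use * 100 / max))            # integer percent of the ceiling
  printf '%d\n' "$in_use"
  [ "$pct" -lt "$WARN_PCT" ]
}

# fd_check_file [FILE]
#   runs fd_headroom on the first line of FILE (default: the live /proc entry);
#   returns 2 if the file cannot be read.
fd_check_file() {
  f=${1:-/proc/sys/fs/file-nr}
  read -r a b c < "$f" 2>/dev/null || return 2
  fd_headroom "$a" "$b" "$c"
}

# Constructed sample in file-nr format: 7800 allocated, 120 free, max 8192,
# i.e. 7680 in use, about 93% of the ceiling, so this one should warn.
SAMPLE_FILE_NR='7800 120 8192'

main() {
  set -- $SAMPLE_FILE_NR
  if fd_headroom "$1" "$2" "$3" >/dev/null; then
    echo "sample: headroom ok"
  else
    echo "sample: WARNING, descriptors near fs.file-max"
  fi
  # Only meaningful on a Linux box; silently skipped elsewhere.
  [ -r /proc/sys/fs/file-nr ] && fd_check_file
}
```

Run it with WARN_PCT=80 ./fdcheck.sh to lower the alert threshold; a non-zero exit from fd_check_file is the cue to tighten per-user limits or raise the reserve.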
The Usenet news reader nn is vulnerable to a format-string-based attack by malicious news servers that can be used to execute code on the client's machine.
It is recommended that users upgrade to version 6.6.4 of nn as soon as possible.
The Icecast streaming audio server has a directory-traversal vulnerability that can be used to gather information about the file systems outside the Web root.
It is recommended that users watch for a repair for this vulnerability.
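The check a file-serving daemon needs to stop the kind of directory traversal described above, as an added example (not Icecast's own code). It normalizes the request path purely in the shell, without touching the filesystem, and refuses any path that would climb above the web root; the root and request paths in the comments are constructed. It assumes URL decoding has already happened before the path reaches this check.

```shell
#!/bin/sh
# Resolve a request path under a web root, rejecting ".." escapes.
#
# under_root ROOT REQUEST
#   prints the resolved filesystem path and returns 0, or prints nothing and
#   returns 1 when REQUEST would leave ROOT. Each "/"-separated segment is
#   handled in turn: "" and "." are dropped, ".." pops one component, and a
#   ".." with nothing left to pop is the traversal attempt we refuse.
under_root() {
  root=${1%/}          # drop one trailing slash from the root
  req=$2
  out=""
  old_ifs=$IFS
  IFS='/'; set -f      # split on "/" only, and never glob-expand segments
  for seg in $req; do
    case $seg in
      ''|.)
        ;;                              # "//" or "/./": no-op
      ..)
        if [ -z "$out" ]; then          # already at the root: escape attempt
          IFS=$old_ifs; set +f
          return 1
        fi
        out=${out%/*}                   # pop the last component
        ;;
      *)
        out="$out/$seg"
        ;;
    esac
  done
  IFS=$old_ifs; set +f
  printf '%s\n' "$root$out"
}

main() {
  # Constructed requests against a constructed root /srv/icecast-www:
  for r in '/music/./a/../b.mp3' '//music///x.ogg' '/music/../../etc/passwd'; do
    if p=$(under_root /srv/icecast-www "$r"); then
      echo "allow $r -> $p"
    else
      echo "deny  $r (escapes web root)"
    fi
  done
}
```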
NcFTP, an FTP client, will honor PORT commands when being used through a proxy server. Under some conditions, this can be exploited by an attacker that controls the proxy server to hijack the FTP
Affected users should upgrade NcFTP to the latest available version as soon as possible.
ATPhttpd is a small caching Web server designed for serving a large amount of static content very quickly. ATPhttpd is vulnerable to several buffer overflows that can be used by a remote attacker to execute arbitrary code with the permissions of the user running ATPhttpd.
Users should watch their vendor for an update to ATPhttpd.
It is reported that the Linux-based Sharp Zaurus handheld computer has a vulnerability that can be exploited to gain complete control over the Zaurus file system. The Zaurus uses FTP to sync with a PC, and this FTP interface is bound to every network interface configured on the device. The FTP interface runs with root permissions and does not authenticate connections. This leaves any device that uses ethernet or PPP for a network connection vulnerable to attack.
Affected users should protect their device by connecting behind a firewall. Users should also watch for an update that corrects this problem.
The iPlanet Web server is vulnerable to a buffer overflow in the search component that can be exploited remotely to execute arbitrary code with the permissions of the user running the Web server. The default installation of iPlanet does not enable the search component.
It is recommended that users contact Sun for a patch for this problem.
An exploit program has been released that automates the exploitation of a buffer overflow in the Solaris application kcms_configure on both SPARC and X86 architectures.
kcms_configure is part of the Kodak Color Management System and is installed set user id root. This is an old vulnerability, fixed in Sunsolve patch 111400-01.
Users should check their system and verify that Sunsolve patch 111400-01 has been applied. Users should also consider removing the set user id bit from kcms_configure if it is not needed.
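An added audit helper for the two checks recommended above (example code, not from Sun or the column). It looks for patch 111400-01, or a later revision of it, in a patch listing, and tests whether a binary still carries the set-user-id bit, offering to drop it. Assumptions: the listing is text in the shape `showrev -p` prints, one "Patch: NNNNNN-NN ..." line per patch (passed in as a string so the check also runs off-box), the default binary path /usr/openwin/bin/kcms_configure is an assumed location and can be overridden, and a higher revision number supersedes the fix.

```shell
#!/bin/sh
# Audit helper for the kcms_configure advisory.

PATCH_ID=111400-01                                   # fix named in the advisory
KCMS_BIN=${KCMS_BIN:-/usr/openwin/bin/kcms_configure} # assumed default location

# patch_applied LISTING
#   returns 0 when LISTING (showrev -p style text) contains PATCH_ID or a
#   later revision of the same base patch number, 1 otherwise.
patch_applied() {
  printf '%s\n' "$1" | awk -v want="$PATCH_ID" '
    BEGIN { split(want, w, "-"); status = 1 }        # 1 = not found (shell false)
    $1 == "Patch:" {
      split($2, p, "-")                              # p[1]=base, p[2]=revision
      if (p[1] == w[1] && p[2] + 0 >= w[2] + 0) status = 0
    }
    END { exit status }'
}

# setuid_set FILE -> 0 if FILE has the set-user-id bit (POSIX test -u).
setuid_set() { [ -u "$1" ]; }

# drop_setuid FILE -> clear the bit, the fallback when the tool is not needed.
drop_setuid() { chmod u-s "$1"; }

# audit_kcms LISTING [FILE]
#   prints a one-line verdict; returns 1 only when unpatched AND still set-uid.
audit_kcms() {
  listing=$1; bin=${2:-$KCMS_BIN}
  if patch_applied "$listing"; then
    echo "patch $PATCH_ID (or later) is installed"; return 0
  fi
  if [ -e "$bin" ] && setuid_set "$bin"; then
    echo "UNPATCHED and $bin is set-uid: apply $PATCH_ID or run: chmod u-s $bin"
    return 1
  fi
  echo "patch $PATCH_ID missing, but $bin is not set-uid (or absent)"; return 0
}

# Constructed listing in showrev -p shape (IDs other than 111400 are dummies).
SAMPLE_LISTING='Patch: 100000-03 Obsoletes: Requires: Incompatibles: Packages: SUNWxxx
Patch: 111400-01 Obsoletes: Requires: Incompatibles: Packages: SUNWxxx'

main() { audit_kcms "$SAMPLE_LISTING"; }
```

On a real host feed it live output instead: audit_kcms "$(showrev -p)".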
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.