Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include arbitrary code execution in Twig, new symlink attacks, a hidden control code attack on Midnight Commander, and a LANGUAGE attack on
Twig, a popular web mail system that was once named Muppet, has a vulnerability that can lead to the execution of arbitrary code on your web server. There is a problem with the virtual hosting setup in Twig that can allow an attacker to cause a remote file to be loaded and executed. At this time there does not seem to be an official fix for this problem. But a workaround has been posted that says to add:
to the top of
Midnight Commander is a file manager for Unix machines. Carefully crafted directory names with control codes in them can cause Midnight Commander to execute keystroke commands. If the directory name is long enough, Midnight Commander will not display the entire name. This can allow an attacker to hide the control codes. There is no fix out for this at this time, and it is recommended that Midnight Commander not be used on multiuser systems or by root.
There is also a denial of service attack in the cons.saver screen saver that is included in the Midnight Commander package. When it is started, it does not check to see if it is started with a valid
stdout. This has been fixed in version 4.5.42-11.
Vulnerabilities this week:
glibc library has a LANGUAGE environmental variable vulnerability that can be exploited through the
su command. It was reported to affect Red Hat 6.2, 6.1, SuSE 6.2, and Debian GNU/Linux Potato 2.2. It is reported that this vulnerability was fixed in glibc-2.1.3-12 and is incorporated into Debian GNU/Linux Potato (2.2r1). You should check with your vendor for an updated glibc newer than 2.1.3-12.
A security enhanced version of the GNU Locate,
slocate, has a problem that can reveal the location of private files to an unauthorized user. Early versions had a buffer overflow that occurred when the user provided an invalid database as a command line parameter. There is also a problem with
slocate not dropping privileges that can also lead to a user being able to view the location of private files. For many systems, a user being able to view the location of files will not be a problem. If this is a problem, you may want to turn off
slocate until a patch is released.
A buffer overflow in the
ident shipped with SuSE Linux can cause the
identd daemon to fail. This can cause a denial of service for services that rely on the
identd daemon. At this time, no fix has been released for this. If you are not using the
identd daemon, then you should turn it off. Otherwise, watch your vendor for an update.
ed, a line-based text editor, creates temporary files unsafely. This can allow a malicious user to read or write arbitrary files belonging to the user who is executing
ed. Upgrading to a version newer than 0.2-18.1 will fix this problem.
A tool to quickly run remote commands over rsh, ssh, and lsh,
fsh is vulnerable to a symlink attack. When
fsh starts it creates its sockets in a directory under the
/tmp directory. It checks the directory to make sure that the user running
fsh owns it. But is still vulnerable to a race condition attack on this directory. This has been fixed in Debian GNU/Linux with
fsh version 1.0.post.1-3potato.
Sun's JDK/JRE (Java Development Kit/Java Runtime Environment) versions prior to Java 2 Standard Edition SDK v 1.3, including HotSpot 1.0 and 1.0.1, can allow an untrusted Java class to call into a disallowed class. This can create a security issue in code using the JRE to execute it. There are many commercial software packages for Unix systems that use the JRE to interpret their code. Sun recommends that you upgrade to the latest JDK/JRE releases. Specifically, they recommend that for Solaris you upgrade to versions JDK/JRE 1.2.2_06 or JDK/JRE 1.1.8_12 and for Linux you upgrade to JDK/JRE 1.2.2_006.
ptrace can be used to trace unreadable files. Using
ptrace, you can trace any executable that you have execute rights to. This can allow a local user to dump the memory of a program and read its contents. This is just one more reminder against security through obscurity.
Majordomo, a mailing list manager package, under some conditions can leave its passwords exposed. When Majordomo checks the admin password, it first compares it to the line in the config file. If this does not match, it tries to open the password as a file. So if the password is in a separate file, there are two valid passwords. Many tutorials have recommended that you store passwords in a separate file named after the list. Doing this makes the password very easy to guess. It is recommended that you move the passwords into the config files.
IBM's Net.Data package can be used to disclose system paths and file locations. It is often used in conjunction with NetCommerce3 and db2www. While not a major security problem, it can be used by an attacker to gather information about a system while planning an attack.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Discuss this article in the O'Reilly Network Linux Forum.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.