

Brief items

cdrecord trouble

September 15, 2004

This article was contributed by Jake Edge.

Making sweeping statements about the security of a particular program can come back to haunt you rather quickly, as the recent case of a local root exploit in cdrecord demonstrates. During a discussion of recent changes in the 2.6 Linux kernel (as covered by LWN), Jörg Schilling, the author of cdrecord, made a comment about the security of that program:

Judging from the number of reports, I would guess that the Linux kernel is much more insecure than cdrecord.

That statement could well be true, but in making it, Jörg may have inspired someone to take a closer look at cdrecord. Max Vozeler recently found that cdrecord fails to drop privileges before it executes an external program, and that users can choose which external program is run via the RSH environment variable. If cdrecord is installed setuid root, any local user can exploit this to gain root access; multiple exploits have already been posted to bugtraq.

Jörg recommends installing cdrecord setuid root. cdrecord uses the elevated privileges to lock its buffers into physical memory and to request real-time scheduling, both of which reduce the chance of a buffer underrun. It also opens the SCSI device before dropping privileges back to those of the user who ran it. For a remote device, it instead executes a command (the program named by RSH) to reach that device; prior to this bug being fixed, it did so while still holding root.
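The pattern Max Vozeler found, and the fix it calls for, as an added example that is not cdrecord's own code: a setuid-root helper that must run a program the invoking user names through RSH. The privileged work (device open, memory locking, scheduling) happens first in the parent; the child then drops privileges permanently, confirms the drop, and only then execs the caller-chosen path. The default helper path, the function names and the /bin/sh round trip used for demonstration are assumptions for this example; it targets Linux/glibc (setresuid(2), setresgid(2)).

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Compiled-in default, used when $RSH is unset or not an absolute
 * path (a hypothetical choice for this example). */
#define DEFAULT_RSH "/usr/bin/rsh"

/* 1 while the process holds an identity its invoker did not have
 * (the setuid-root case), 0 once privileges are fully dropped. */
int is_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Permanently return to the invoking user's uid/gid.  Order matters:
 * supplementary groups and gid first (only root may change them), uid
 * last; real, effective and saved ids are set together so no saved
 * root uid is left to switch back to.  Returns 0 on success, -1 if a
 * call failed or the drop could not be confirmed. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Confirm: a non-root invoker must be unable to regain root. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return is_privileged() ? -1 : 0;
}

/* Which helper to run.  Honouring $RSH is harmless once the process
 * runs as the invoking user; an absolute path is required so nothing
 * is resolved through $PATH. */
const char *choose_rsh(const char *env_rsh)
{
    if (env_rsh != NULL && env_rsh[0] == '/')
        return env_rsh;
    return DEFAULT_RSH;
}

/* Fork, drop privileges in the child, then exec the helper.  Returns
 * the child's exit status, 127 if the exec failed, -1 on fork/wait
 * error.  The check before execv() is the invariant the cdrecord bug
 * violated: never exec a caller-chosen path while still privileged. */
int run_remote_helper(const char *rsh, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0 || is_privileged())
            _exit(127);
        execv(rsh, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run "sh -c 'exit N'" through the path above so the fork/drop/exec
 * round trip can be checked without a real rsh installed. */
int run_sh_exit(int code)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", code);
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_remote_helper("/bin/sh", argv);
}

int main(void)
{
    printf("privileged before drop: %d\n", is_privileged());
    printf("helper would be: %s\n", choose_rsh(getenv("RSH")));
    printf("sh -c 'exit 3' returned %d\n", run_sh_exit(3));
    return 0;
}
```

Run unprivileged, the drop is a no-op and the program reports that; installed setuid root, it still executes whatever RSH names, but only as the invoker. The confirmation step (setuid(0) must fail afterwards) is the check worth keeping after any privilege drop, since a drop that leaves the saved uid at 0 can be undone with one call.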

Other means for allowing non-root users to burn CDs do exist, but they are less secure, according to Jörg:

What some people did (chmod on /dev/ entries) was definitely always a bigger security risk than running cdrecord suid root.

Another alternative, used by some distribution vendors (notably Red Hat and SuSE), is not to allow non-root users to burn CDs at all; this is clearly the most secure choice, but it can be inconvenient for users and system administrators. Many administrators and some CD-burning front ends override this choice by making cdrecord setuid root, and in that case the result is a large security hole that the distribution's own update may not patch. To avoid this possibility, some distributions have issued cdrecord updates even though they do not install the program setuid; see the LWN vulnerability entry for the current list.

Jörg has fixed this bug in the most recent version of his cdrtools package (2.01a38, available from his cdrecord page).


Mozilla, Firefox, and Thunderbird security issues

The announcements for the new releases from the Mozilla project discussed new features at length, but were silent on one other point: those releases include fixes for a number of security vulnerabilities, some of which can lead to remote code execution. See this list of fixed vulnerabilities for several good reasons to upgrade.


New vulnerabilities

apache2: IPv6 denial of service

Package(s): httpd apache2
CVE #(s): CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created: September 15, 2004   Updated: October 6, 2004
Description: Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Debian DSA-558-1 libapache-mod-dav 2004-10-06
Trustix TSLSA-2004-0047 apache 2004-09-16
Mandrake MDKSA-2004:096 apache2 2004-09-15
Gentoo 200409-21 apache 2004-09-16
Fedora FEDORA-2004-308 apr-util 2004-09-16
Fedora FEDORA-2004-307 apr-util 2004-09-16
SuSE SUSE-SA:2004:032 apache2 2004-09-15
Red Hat RHSA-2004:463-01 httpd 2004-09-15


cups: denial of service

Package(s): cups cupsys
CVE #(s): CAN-2004-0558
Created: September 15, 2004   Updated: October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Conectiva CLA-2004:872 cups 2004-10-14
Fedora FEDORA-2004-275 cups 2004-09-28
Slackware SSA:2004-266-01 cups 2004-09-22
Whitebox WBSA-2004:449-01 CUPS 2004-09-20
Gentoo 200409-25 cups 2004-09-20
SuSE SUSE-SA:2004:031 cups 2004-09-15
Red Hat RHSA-2004:449-01 CUPS 2004-09-15
Mandrake MDKSA-2004:097 cups 2004-09-15
Debian DSA-545-1 cupsys 2004-09-15


gtk2, gdk-pixbuf: buffer overflows

Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created: September 15, 2004   Updated: February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Fedora-Legacy FLSA:2005 gdk-pixbuf 2005-02-23
Conectiva CLA-2004:875 gtk+ 2004-10-18
Slackware SSA:2004-266-02 gtk+ 2004-09-22
Gentoo 200409-28 gtk+ 2004-09-21
Mandrake MDKSA-2004:095-1 gdk-pixbuf/gtk+2 2004-09-17
SuSE SUSE-SA:2004:033 gtk2 2004-09-17
Debian DSA-549-1 gtk+2.0 2004-09-17
Red Hat RHSA-2004:447-02 gdk-pixbuf 2004-09-15
Debian DSA-546-1 gdk-pixbuf 2004-09-16
Red Hat RHSA-2004:466-01 gtk2 2004-09-15
Red Hat RHSA-2004:447-01 gdk-pixbuf 2004-09-15
Mandrake MDKSA-2004:095 gdk-pixbuf 2004-09-15
Fedora FEDORA-2004-289 gtk2 2004-09-15
Fedora FEDORA-2004-288 gtk2 2004-09-15
Fedora FEDORA-2004-287 gdk-pixbuf 2004-09-15
Fedora FEDORA-2004-286 gdk-pixbuf 2004-09-15


OpenOffice: information disclosure

Package(s):
CVE #(s): CAN-2004-0752
Created: September 15, 2004   Updated: October 20, 2004
Description: OpenOffice contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Gentoo 200410-17 openoffice 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15


Samba: Denial of Service vulnerabilities

Package(s): samba
CVE #(s): CAN-2004-0807 CAN-2004-0808
Created: September 13, 2004   Updated: September 22, 2004
Description: There is a defect in smbd's ASN.1 parsing. A bad packet received during the authentication request could throw newly-spawned smbd processes into an infinite loop (CAN-2004-0807). Another defect was found in nmbd's processing of mailslot packets, where a bad NetBIOS request could crash the nmbd process (CAN-2004-0808). See this advisory for details.
Red Hat RHSA-2004:467-01 samba 2004-09-22
OpenPKG OpenPKG-SA-2004.040 samba 2004-09-15
Trustix TSLSA-2004-0046 kernel 2004-09-14
Slackware SSA:2004-257-01 samba 2004-09-13
Mandrake MDKSA-2004:092 samba 2004-09-13
Fedora FEDORA-2004-305 samba 2004-09-13
Fedora FEDORA-2004-304 samba 2004-09-13
Gentoo 200409-16 samba 2004-09-13


SUS 2.0.2 local root vulnerability

Package(s): SUS
CVE #(s):
Created: September 14, 2004   Updated: September 15, 2004
Description: SUS is a setuid-root program that allows ordinary users to execute certain programs with superuser privileges. A simple format string bug in its log() function allows any local user to gain root privileges. See this BugTraq advisory for more information.
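The shape of the bug in this entry, as an added example that is not SUS's own code: a logging routine that passes the caller's message as the format string, beside the one-argument fix. The unsafe variant is only ever fed "%%" here so that it stays well defined; the function names and messages are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The compiler rightly warns about the unsafe call below; it is kept
 * only to show the bug, so the warning is silenced for this file. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* The bug: the caller-controlled message IS the format string, so
 * every '%' in it is interpreted.  With no matching arguments, %x
 * reads from the stack and %n writes an attacker-chosen value to an
 * attacker-chosen address; in a setuid-root program that is a local
 * root, which is what the advisory describes. */
int unsafe_log_line(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}

/* The fix: a constant format, the message passed as its argument. */
int safe_log_line(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* 1 if the two variants render msg differently, i.e. the unsafe one
 * consumed a directive.  "%%" is the one directive that needs no
 * argument, so the comparison is safe to run. */
int format_is_interpreted(const char *msg)
{
    char a[128], b[128];
    unsafe_log_line(a, sizeof a, msg);
    safe_log_line(b, sizeof b, msg);
    return strcmp(a, b) != 0;
}

int main(void)
{
    char line[128];
    const char *msg = "disk at 100%% and climbing";   /* constructed */
    unsafe_log_line(line, sizeof line, msg);
    printf("unsafe: %s\n", line);   /* the %% collapses to % */
    safe_log_line(line, sizeof line, msg);
    printf("safe:   %s\n", line);   /* message reproduced verbatim */
    return 0;
}
```

Compile with -Wformat-security enabled (without the pragma) and the unsafe variant is flagged at build time; that warning, promoted to an error, is the cheapest check against this whole bug class in setuid code.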
Gentoo 200409-17 sus 2004-09-14


Webmin, Usermin: Multiple vulnerabilities in Usermin

Package(s): webmin usermin
CVE #(s): CAN-2004-0559
Created: September 13, 2004   Updated: September 23, 2004
Description: There is an input validation bug in the webmail feature of Usermin. Additionally, the Webmin and Usermin installation scripts write to /tmp/.webmin without first checking whether it already exists.

The first vulnerability allows a remote attacker to inject arbitrary shell commands via a specially crafted e-mail. This could lead to remote code execution with the privileges of the user running Webmin or Usermin.

The second could allow a local user who knows Webmin or Usermin is about to be installed to have arbitrary files overwritten, by creating a symlink named /tmp/.webmin that points at a target file, e.g. /etc/passwd.
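Both temporary-file mistakes on this page, the Webmin/Usermin symlink overwrite above and the OpenOffice temp copy readable by other local users, come down to the flags passed to open(2). As an added example that is neither project's code: the installer pattern beside its hardened form, a private scratch file made with mkstemp(), and a constructed scenario (a victim file and an attacker's symlink inside a private directory under /tmp) showing that the unsafe open follows the link while the safe one refuses it. The paths, names and return codes are assumptions for this example; Linux/glibc is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The installer's pattern: open a fixed, predictable name for writing.
 * O_CREAT without O_EXCL follows an existing symlink, so a local user
 * who pre-creates /tmp/.webmin -> /etc/passwd has that file truncated
 * and rewritten with the installer's privileges. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything already
 * has that name, a symlink included (even a dangling one); O_NOFOLLOW
 * refuses a symlink as the final component; mode 0600 keeps the
 * contents readable by the creator only. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Scratch copy with an unpredictable name: mkstemp() does the
 * O_CREAT|O_EXCL step itself and creates the file 0600.  A 0644 temp
 * copy is what lets one local user read another's open document.
 * Creates one, returns the permission bits it actually got (or -1),
 * and removes it again. */
int private_tempfile_mode(void)
{
    char name[] = "/tmp/lwn-demo-XXXXXX";   /* must end in XXXXXX */
    struct stat st;
    int fd = mkstemp(name);
    if (fd < 0)
        return -1;
    int mode = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    close(fd);
    unlink(name);
    return mode;
}

/* Size of the file at path in bytes, or -1. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario: returns 0 when the unsafe open followed the
 * link and truncated the victim while the safe open refused the link
 * with EEXIST; otherwise the number of the step that misbehaved. */
int symlink_scenario(void)
{
    char dir[] = "/tmp/lwn-demo-XXXXXX";
    char victim[64], link[64];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)            /* private 0700 directory */
        return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7)
        return 2;
    close(fd);
    if (symlink(victim, link) != 0)      /* the attacker's move */
        return 3;

    fd = unsafe_create(link);            /* follows the link */
    if (fd < 0 || file_size(victim) != 0)
        rc = 4;
    if (fd >= 0)
        close(fd);

    errno = 0;
    fd = safe_create(link);              /* must refuse */
    if (fd >= 0) {
        close(fd);
        rc = 5;
    } else if (errno != EEXIST) {
        rc = 5;
    }

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("symlink scenario: %d (0 = behaved as described)\n", symlink_scenario());
    printf("mkstemp() file mode: %04o\n", private_tempfile_mode());
    return 0;
}
```

The same rule applies to the shell: `> /tmp/.webmin` in an installer script is the unsafe_create() call, and `mktemp` is the mkstemp() call; a fixed name in a world-writable directory is never safe to create from a privileged process.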

Mandrake MDKSA-2004:101 webmin 2004-09-22
Debian DSA-544-1 webmin 2004-09-14
Gentoo 200409-15 usermin 2004-09-12



September CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for September is out. Covered topics include Beyond Fear, travel security, olympic security, and the attacks against MD5 and SHA. "The techniques described by the researchers are likely to have other applications, and we'll be better able to design secure systems as a result. This is how the science of cryptography advances: we learn how to design new algorithms by breaking other algorithms. Additionally, algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there."


New CERT key

CERT has gone through its annual PGP key change; click below for the new public key.


Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds