Security
A PostgreSQL flaw
An announcement of possibly insecure practices in user-defined PostgreSQL functions seems at first blush to be a fairly straightforward advisory; a deeper look reveals some serious implications. It is a problem that echoes a textbook security hole in UNIX setuid programs; it would appear that the developers did not consider that history when adding a setuid-like capability to PostgreSQL. Unfortunately, it also appears that the fix that the advisory recommends is not up to the task of resolving the issue. Anyone using SECURITY DEFINER functions in PostgreSQL probably has quite a large job ahead of them to clear up this particular mess.
PostgreSQL functions can be declared as "SECURITY DEFINER" functions, which causes them to run with the privileges of the owner rather than those of the invoker. PostgreSQL binds the operators and functions called at runtime, searching each element of the schema search path to find them. Unfortunately, the user invoking the function can control that search path and, by defining operators or other functions with the same names as those used by the SECURITY DEFINER function, the invoker can run arbitrary code with the permissions of the owner.
The once common, now hopefully largely eradicated, UNIX parallel was a vulnerability in setuid programs that invoked other programs via exec(). If the program did not either sanitize its PATH environment variable or fully specify the path to the executable, it was vulnerable to attackers who would put their own code in the path, with the same name as the executable, ahead of the standard program. When the setuid program executed, it would grab the wrong binary and the attacker could run arbitrary code with the permissions of the owner of the setuid program. Another important requirement is that all elements of the sanitized PATH and the directory of the binary are not writable by non-privileged users.
So, much like the solution to the UNIX issue, the advisory suggests that SECURITY DEFINER functions specify a sanitized schema path. The equivalent of a fully specified path is not recommended, as it is "likely to induce mistakes and will furthermore make the source code harder to read and maintain." Unfortunately, it turns out that, because of the way PostgreSQL processes function definitions, the only solution is to schema-qualify each and every function and operator reference in the function. In addition, setting a schema search path inside a function is not local to that function; it changes the global search path for the whole session, so functions that do this should restore the original search path on exit.
It turns out that the references in a function are resolved as PostgreSQL creates an execution plan for the function. This happens before the "set search path" operation in the function body is actually executed, so the references bind to functions and operators found through the user-controlled schema path, as described above. The only alternative is the laborious and error-prone task of schema-qualifying every function and operator reference in SECURITY DEFINER functions.
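As an added illustration (not code from the advisory or the article), here is the unqualified pattern the advisory warns about beside the fully schema-qualified form it ends up requiring, followed by a catalog query a DBA can use to inventory SECURITY DEFINER functions for review; the app schema, the balances table, the get_balance function and the app_reader role are assumed names.

```sql
-- Constructed example: a SECURITY DEFINER function written the way the
-- advisory warns against. Neither the table nor the = operator is
-- schema-qualified, so both are resolved through the invoker's search_path
-- when the function is planned.
CREATE FUNCTION app.get_balance(acct integer) RETURNS numeric AS $$
    SELECT balance FROM balances WHERE account_id = $1
$$ LANGUAGE sql SECURITY DEFINER;

-- Hardened form: every relation, function and operator is schema-qualified.
-- OPERATOR(pg_catalog.=) pins the operator to the system catalog, so a
-- same-named operator in a schema on the caller's search_path is never
-- considered. This holds regardless of any SET search_path inside the body,
-- because (as the article explains) binding happens at plan time, before such
-- a SET would run.
CREATE OR REPLACE FUNCTION app.get_balance(acct integer) RETURNS numeric AS $$
    SELECT b.balance
      FROM app.balances b
     WHERE b.account_id OPERATOR(pg_catalog.=) $1
$$ LANGUAGE sql SECURITY DEFINER;

-- Least privilege: functions are executable by PUBLIC by default, so restrict
-- who may call the definer-privileged entry point at all.
REVOKE ALL ON FUNCTION app.get_balance(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.get_balance(integer) TO app_reader;

-- Inventory check: list every SECURITY DEFINER function in the database
-- (pg_proc.prosecdef) so each body can be audited for unqualified references.
SELECT n.nspname AS schema, p.proname AS function
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid OPERATOR(pg_catalog.=) p.pronamespace
 WHERE p.prosecdef
 ORDER BY 1, 2;
```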
This is a very unfortunate outcome for a feature that was meant to promote more secure database usage. The idea is to separate the database privileges into different users but to still allow users with few privileges to perform a restricted set of privileged operations. It is surprising that the UNIX setuid issues from the dawn of time_t were not more closely studied when this feature was implemented. It would also seem that the PostgreSQL developers will need to rework how the execution plan and search path interact to fix this design flaw.
New vulnerabilities
clamav: directory traversal, denial of service
Package(s): clamav
CVE #(s): CVE-2007-0897 CVE-2007-0898
Created: February 20, 2007
Updated: March 7, 2007
Description: Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. (CVE-2007-0897)
Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. (CVE-2007-0898)
ekiga: format string vulnerability
Package(s): ekiga
CVE #(s): CVE-2007-1006 CVE-2007-0999
Created: February 21, 2007
Updated: March 30, 2007
Description: Ekiga contains a format string vulnerability in the code which processes control messages from remote peers.
If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.
fail2ban: denial of service
Package(s): fail2ban
CVE #(s): CVE-2006-6302
Created: February 16, 2007
Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
gnomemeeting: format string flaw
Package(s): gnomemeeting
CVE #(s): CVE-2007-1007
Created: February 20, 2007
Updated: March 5, 2007
Description: A format string flaw was found in the way GnomeMeeting processes certain messages. If a user is running GnomeMeeting, a remote attacker who can connect to GnomeMeeting could trigger this flaw and potentially execute arbitrary code with the privileges of the user.
gnucash: temporary file vulnerability
Package(s): gnucash
CVE #(s): CVE-2007-0007
Created: February 21, 2007
Updated: February 27, 2007
Description: Gnucash (2.0.4 and prior) suffers from a set of symbolic link vulnerabilities.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-0007 CVE-2007-0006
Created: February 15, 2007
Updated: November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash.
MoinMoin: cross-site scripting and information leak
Package(s): moin moinmoin
CVE #(s): CVE-2007-0901 CVE-2007-0902
Created: February 21, 2007
Updated: February 21, 2007
Description: MoinMoin suffers from a pair of vulnerabilities. An attacker who tricks a MoinMoin user into viewing a specially-crafted URL can execute arbitrary JavaScript with the user's privileges. There is also an information disclosure vulnerability which can tell an attacker about the versions of software running on the system.
php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988
Created: February 20, 2007
Updated: March 21, 2007
Description: A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any of these issues could trigger these flaws and possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)
If unserializing untrusted data on 64-bit platforms, the zend_hash_init() function can be forced to enter an infinite loop, consuming CPU resources for a limited length of time, until the script timeout alarm aborts execution of the script. (CVE-2007-0988)
If the wddx extension is used to import WDDX data from an untrusted source, certain WDDX input packets may allow a random portion of heap memory to be exposed. (CVE-2007-0908)
If the odbc_result_all() function is used to display data from a database, and the contents of the database table are under the control of an attacker, a format string vulnerability is possible which could lead to the execution of arbitrary code. (CVE-2007-0909)
A one byte memory read will always occur before the beginning of a buffer, which could be triggered for example by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907)
Several flaws in PHP could allow attackers to "clobber" certain super-global variables via unspecified vectors. (CVE-2007-0910)
spamassassin: denial of service
Package(s): spamassassin
CVE #(s): CVE-2007-0451
Created: February 16, 2007
Updated: March 14, 2007
Description: Version 3.1.8 of Spamassassin fixes some bugs and a malformed HTML denial of service vulnerability.
sun-jdk: arbitrary code execution
Package(s): sun-jdk
CVE #(s): CVE-2007-0243
Created: February 19, 2007
Updated: April 25, 2007
Description: An anonymous researcher discovered that an error in the handling of a GIF image with a zero width field block leads to a memory corruption flaw. An attacker could entice a user to run a specially crafted Java applet or application that would load a crafted GIF image, which could result in escalation of privileges and unauthorized access to system resources.
Page editor: Jonathan Corbet