
Security

Brief items

Some interesting publicity

For today's amusement, let's look at this TechWeb article on patch management. In the middle of the article one finds:

But while Microsoft inevitably receives the bulk of security hole/patch attention, the problem extends to Linux/open-source code as well. Merrill Lynch, for example, reports that one of its Linux servers received three times as many updates as their Windows platform. Ironically, according to an observer at Continental Airlines, many of the attacks aimed at Windows vulnerabilities are written by Linux experts.

The first claim - that a given Linux server gets more updates than a given Windows server - could at least be verified. Whether the figure means anything is another story. Updates to a Linux system cover the vast array of packages available there. Many of them result from active code audits and fix obscure problems that are difficult to exploit. Of the large number of security problems fixed by Linux distributors each year, it is a good bet that most of them are never exploited to compromise even a single system. How many systems have you encountered that are threatened by any of these recently-patched problems?

  • The Hangul Terminal vulnerability ("Since it is not possible to embed a carriage return into the window title the attacker would then have to convince the victim to press 'Enter' for it to process the title as a command...")

  • Insecure temporary files in gzip. It is a local vulnerability, but the chances of it being used are very small.

  • The file vulnerability, which requires an attacker to convince the system administrator to run "file" on a specially-crafted file.

...and so on. It is good that these problems are being fixed, but they do not threaten most users. The updates to that Windows system, instead, are far more likely to be addressing serious vulnerabilities that are being actively exploited.

The second claim in the TechWeb article ("many of the attacks aimed at Windows vulnerabilities are written by Linux experts") requires a response. How, exactly, did they come by this information? It is, after all, rare for authors of malware to include their resumes with the code. This statement is pure slander which has been reported as fact. One can only hope that a correction will be forthcoming.

Comments (6 posted)

New vulnerabilities

atftp: buffer overflow

Package(s): atftp    CVE #(s): CAN-2003-0380
Created: June 9, 2003    Updated: June 12, 2003
Description: Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server. Read the full advisory for more information.
Alerts:
Debian DSA-314-1 atftp 2003-06-11
Gentoo 200306-03 atftp 2003-06-08

Comments (none posted)

eterm: buffer overflow

Package(s): eterm    CVE #(s): (none)
Created: June 9, 2003    Updated: June 12, 2003
Description: "bazarr" discovered that eterm is vulnerable to a buffer overflow of the ETERMPATH environment variable. This bug can be exploited to gain the privileges of the group "utmp" on a system where eterm is installed.
Alerts:
Debian DSA-309-2 eterm 2003-06-06
Debian DSA-309-1 eterm 2003-06-06

Comments (none posted)

gzip: insecure temporary files

Package(s): gzip    CVE #(s): CVE-1999-1332 CAN-2003-0367
Created: June 9, 2003    Updated: June 16, 2003
Description: Paul Szabo discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).

The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.
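As an added example (not gzip's znew or gzexe code), the defect above is a temporary file created at a predictable name in a shared directory without exclusive creation, so a symlink placed there in advance redirects the script's write. The version below uses mkstemp(3), which creates atomically with O_CREAT|O_EXCL and mode 0600 under an unpredictable name, and then verifies the open descriptor rather than trusting the path; the directory and name prefix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to a regular file owned by the calling user, with
 * mode 0600 and a single link; 0 otherwise. A descriptor that was redirected
 * through a symlink to a device node or another user's file fails here. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

/* Creates a private temporary file under dir. Writes the resulting path into
 * path_buf (of size path_sz) and returns the open descriptor, or -1 on any
 * failure. The "znew." prefix is only a label for this example. */
int create_private_tmp(const char *dir, char *path_buf, size_t path_sz)
{
    const char *tmpl = "/znew.XXXXXX";
    if (strlen(dir) + strlen(tmpl) + 1 > path_sz)
        return -1;
    strcpy(path_buf, dir);
    strcat(path_buf, tmpl);
    int fd = mkstemp(path_buf);       /* atomic O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    if (!fd_is_private_regular(fd)) { /* defense in depth: check the fd */
        close(fd);
        unlink(path_buf);
        return -1;
    }
    return fd;
}
```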

Alerts:
Mandrake MDKSA-2003:068 gzip 2003-06-16
Gentoo 200306-05 gzip 2003-06-14
OpenPKG OpenPKG-SA-2003.031 gzip 2003-06-11
Debian DSA-308-1 gzip 2003-06-06

Comments (none posted)

hanterm: two vulnerabilities in Hangul Terminal

Package(s): hanterm    CVE #(s): CAN-2003-0077 CAN-2003-0079
Created: June 6, 2003    Updated: June 11, 2003
Description: Hangul Terminal is a terminal emulator for the X Window System, based on Xterm.

Hangul Terminal provides an escape sequence for reporting the current window title, which essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the window title of a victim using Hangul Terminal to an arbitrary command and then report it to the command line. Since it is not possible to embed a carriage return into the window title the attacker would then have to convince the victim to press Enter for it to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so.

In addition, it is possible to lock up Hangul Terminal before version 2.0.5 by sending an invalid DEC UDK escape sequence.
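As an added example (not Hangul Terminal's code), a filter a defender can run over untrusted text before it reaches a terminal, removing the two sequence classes the title attack above combines: OSC sequences (ESC ] ... BEL, or ESC ] ... ESC \), which set the window title, and CSI sequences whose final byte is 't' (the xterm window-operation family, which includes reporting the title; it is assumed that Hangul Terminal's report sequence belongs to this family). Other CSI sequences, such as colour attributes, are passed through unchanged.

```c
#include <stddef.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Copies in[0..len) to out, dropping title-setting OSC sequences and CSI
 * window-operation sequences (final byte 't'). out must hold at least len
 * bytes. Returns the number of bytes written. An OSC that is never
 * terminated swallows the rest of the input rather than leaking it. */
size_t strip_title_sequences(const char *in, size_t len, char *out)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (in[i] == ESC && i + 1 < len && in[i + 1] == ']') {
            i += 2;                          /* OSC: skip to BEL or ESC \ */
            while (i < len) {
                if (in[i] == BEL) { i++; break; }
                if (in[i] == ESC && i + 1 < len && in[i + 1] == '\\') {
                    i += 2;
                    break;
                }
                i++;
            }
            continue;
        }
        if (in[i] == ESC && i + 1 < len && in[i + 1] == '[') {
            /* CSI: parameter/intermediate bytes 0x20-0x3f, then a final
             * byte in 0x40-0x7e. Only a final 't' is dropped. */
            size_t j = i + 2;
            while (j < len && in[j] >= 0x20 && in[j] <= 0x3f)
                j++;
            if (j < len && in[j] == 't') {
                i = j + 1;                   /* window operation: drop */
                continue;
            }
            size_t end = (j < len) ? j + 1 : len;
            memcpy(out + o, in + i, end - i); /* other CSI: keep verbatim */
            o += end - i;
            i = end;
            continue;
        }
        out[o++] = in[i++];
    }
    return o;
}
```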

Alerts:
Yellow Dog YDU-20030607-2 hanterm-xf 2003-06-07
Red Hat RHSA-2003:070-01 hanterm 2003-06-06

Comments (none posted)

KDE: vulnerability in SSL implementation

Package(s): KDE    CVE #(s): CAN-2003-0370
Created: June 6, 2003    Updated: June 11, 2003
Description: KDE versions 2.2.2 and earlier have a vulnerability in their SSL implementation that makes it possible for users of Konqueror and other SSL enabled KDE software to fall victim to a man-in-the-middle attack.
Alerts:
Red Hat RHSA-2003:192-01 KDE 2003-06-05

Comments (none posted)

mod_php: integer overflow

Package(s): mod_php php    CVE #(s): (none)
Created: June 9, 2003    Updated: June 12, 2003
Description: The PHP emalloc() function implements the error safe wrapper around malloc(). Unfortunately this function suffers from an integer overflow and considering the fact that emalloc() is used in many places around PHP source code, it may lead to many serious security issues. Read the full advisory.

The function str_repeat(string input, int multiplier) returns input repeated multiplier times. The implementation of this function suffers from a simple integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory.

The function array_pad(array input, int pad_size, mixed pad_value) returns a copy of the input padded to size specified by pad_size with pad_value. Unfortunately the implementation of this function suffers from an integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory.
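As an added example (not PHP's code), the size computation behind the str_repeat() and array_pad() bugs described above: the output size is the element length multiplied by the caller-supplied count, and if that product wraps, the buffer allocated is far smaller than the data the copy loop then writes. The unchecked computation is shown beside a checked one that refuses before allocating; the function names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The bug pattern: len * mult silently wraps modulo SIZE_MAX + 1, so a huge
 * multiplier can yield a tiny allocation size. */
size_t repeat_len_unchecked(size_t len, size_t mult)
{
    return len * mult + 1;               /* +1 for the terminator */
}

/* The fix: prove len * mult + 1 fits in size_t before computing it.
 * Returns 0 and stores the size in *out, or -1 if it would overflow. */
int repeat_len_checked(size_t len, size_t mult, size_t *out)
{
    if (len != 0 && mult > (SIZE_MAX - 1) / len)
        return -1;
    *out = len * mult + 1;
    return 0;
}

/* str_repeat with the checked size: returns a newly allocated string of
 * input repeated mult times, or NULL on overflow or allocation failure.
 * The caller frees the result. */
char *str_repeat_safe(const char *input, size_t mult)
{
    size_t len = strlen(input), total;
    if (repeat_len_checked(len, mult, &total) != 0)
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < mult; i++)
        memcpy(buf + i * len, input, len);
    buf[len * mult] = '\0';
    return buf;
}
```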

Alerts:
Gentoo 200306-02 mod_php 2003-06-08

Comments (none posted)

XaoS: improper setuid-root execution

Package(s): xaos    CVE #(s): (none)
Created: June 9, 2003    Updated: June 11, 2003
Description: XaoS, a program for displaying fractal images, is installed setuid root on certain architectures in order to use svgalib, which requires access to the video hardware. However, it is not designed for secure setuid execution, and can be exploited to gain root privileges.
Alerts:
Debian DSA-310-1 xaos 2003-06-08

Comments (none posted)

Resources

LinuxSecurity.com newsletters

The latest Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds