Temporary-File Race Conditions
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a collection of temporary-file race conditions, and problems in Samba, GNU sharutils, JRun, Subversion, imlib, IBM AIX, YahooPOPs, and OpenOffice.org.
Temporary-File Race Conditions
Trustix Security has identified the following packages as containing scripts
that are vulnerable to an attack based on a temporary-file, symbolic-link race condition:
netatalk. A temporary-file, symbolic-link race condition may,
under some circumstances, be exploitable by an attacker to overwrite arbitrary
files with the permissions of the user account executing the vulnerable script.
In addition, a temporary-file, symbolic-link race condition has been found in
the NetPBM and
Affected users should watch their vendors for a repaired version of the vulnerable package and should consider with care what scripts they execute on a multiuser system.
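The race described above comes down to one system call: a script or program opens a predictable name under /tmp with a call that follows whatever is already sitting there. The following C program is an added example, not code from the column or from any of the packages it names; it shows the two standard replacements, open() with O_CREAT|O_EXCL|O_NOFOLLOW for a fixed name and mkstemp() for an unpredictable one, and checks that a symlink planted in advance is refused rather than followed. Paths under /tmp, the "would-be-clobbered" target name and the self-check functions are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern behind advisories of this kind: a predictable name under
 * /tmp opened with plain fopen(), which follows a symlink placed there by
 * another user. Shown as a comment only; the functions below replace it.
 *     FILE *f = fopen("/tmp/prog.tmp", "w");
 */

/* Create a brand-new file at path or fail. O_EXCL makes open() fail with
 * EEXIST if anything at all (a symlink included) already sits at path,
 * O_NOFOLLOW refuses to traverse a symlink at the final component, and
 * the explicit 0600 mode keeps the file private. Returns an fd or -1. */
int create_new_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Unpredictable name: mkstemp() performs the O_EXCL create itself and
 * rewrites the trailing XXXXXX in place. fchmod() guards against old C
 * libraries that created the file with a wider mode. */
int create_temp_file(char *template_buf)
{
    int fd = mkstemp(template_buf);
    if (fd >= 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(template_buf);
        return -1;
    }
    return fd;
}

/* Self-check 1 (constructed scenario): a symlink planted at the intended
 * name must be refused, and its target (a path of our own, never written)
 * must not come into being. Returns 1 on the expected behaviour. */
int refuses_planted_symlink(void)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char link_path[128], target[128];
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/out.tmp", dir);
    snprintf(target, sizeof target, "%s/would-be-clobbered", dir);
    if (symlink(target, link_path) == 0) {
        int fd = create_new_file(link_path);
        if (fd < 0 && (errno == EEXIST || errno == ELOOP))
            result = (access(target, F_OK) != 0);
        else if (fd >= 0)
            close(fd);
    }
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return result;
}

/* Self-check 2: a fresh name is created with mode 0600, and a second
 * attempt at the same name fails with EEXIST instead of truncating it. */
int creates_once_only(void)
{
    char path[] = "/tmp/tmprace-file-XXXXXX";
    struct stat st;
    int ok = 0;
    int fd = create_temp_file(path);

    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600
        && create_new_file(path) == -1 && errno == EEXIST)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("planted symlink refused: %s\n", refuses_planted_symlink() ? "yes" : "no");
    printf("single creation only:    %s\n", creates_once_only() ? "yes" : "no");
    return 0;
}
```

For shell scripts the equivalent is mktemp(1), which does the O_EXCL create on the script's behalf; the point in both cases is that the name is chosen and the file created in one step that fails closed when something is already there.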
Some versions of Samba are reported to contain a vulnerability that may be exploitable by a remote attacker, who is authorized to access a shared file system, to access files located outside of the authorized directory tree that has been shared using Samba. Exploiting this vulnerability does not grant the attacker additional permissions; it will only allow viewing files outside of the shared path. This vulnerability is reported to affect versions of Samba including 2.2.11 and earlier and 3.0.5 and earlier. The vulnerability is caused by a bug in the code that converts DOS-based path names to Unix path names on the Samba host.
The Samba development team has released version 2.2.12 of Samba to repair this
problem and has released a patch for Samba 3.0.5 and earlier. A possible workaround is to set
wide links = no in the smb.conf configuration file.
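The conversion the advisory points at is a small piece of logic that is easy to get wrong: a DOS path from the client has to become a Unix path that cannot leave the share. The following C function is an added example, not Samba's code, of a lexical converter that turns backslashes into slashes, drops "." components and resolves ".." by popping the previous component, and rejects any path whose ".." would climb above the share root. The share root /srv/share and the sample paths are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 64

/* Map a client-supplied DOS path onto a Unix path under share_root.
 * Returns 1 and fills out on success; 0 if the path would escape the
 * share, has too many components, or does not fit. */
int dos_to_unix_confined(const char *share_root, const char *dos_path,
                         char *out, size_t out_len)
{
    char buf[1024];
    const char *comps[MAX_COMPONENTS];   /* accepted components, in order */
    int depth = 0;
    size_t n = strlen(dos_path), i, used;

    if (n >= sizeof buf)
        return 0;
    memcpy(buf, dos_path, n + 1);
    for (i = 0; i < n; i++)              /* DOS separators become Unix ones */
        if (buf[i] == '\\')
            buf[i] = '/';

    /* Split in place on '/'; each component becomes a NUL-terminated piece of buf. */
    for (i = 0; i <= n; ) {
        char *tok = buf + i;
        while (i <= n && buf[i] != '/' && buf[i] != '\0')
            i++;
        buf[i] = '\0';
        i++;
        if (*tok == '\0' || strcmp(tok, ".") == 0)
            continue;                    /* empty or "." adds nothing */
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return 0;                /* would climb out of the share */
            depth--;
            continue;
        }
        if (depth == MAX_COMPONENTS)
            return 0;
        comps[depth++] = tok;
    }

    /* Rebuild as share_root followed by "/" + component for each accepted part. */
    used = strlen(share_root);
    if (used >= out_len)
        return 0;
    memcpy(out, share_root, used);
    for (int c = 0; c < depth; c++) {
        size_t cl = strlen(comps[c]);
        if (used + 1 + cl >= out_len)
            return 0;
        out[used++] = '/';
        memcpy(out + used, comps[c], cl);
        used += cl;
    }
    out[used] = '\0';
    return 1;
}

/* Helpers for the self-test: does dos resolve to expect under /srv/share,
 * and is dos rejected outright? */
int maps_to(const char *dos, const char *expect)
{
    char out[256];
    return dos_to_unix_confined("/srv/share", dos, out, sizeof out) == 1
        && strcmp(out, expect) == 0;
}

int is_rejected(const char *dos)
{
    char out[256];
    return dos_to_unix_confined("/srv/share", dos, out, sizeof out) == 0;
}

int main(void)
{
    /* Constructed sample paths, as a client might send them. */
    const char *samples[] = { "docs\\report.txt", "\\docs\\sub\\..\\a.txt",
                              "docs\\..\\..\\outside.txt", ".\\docs\\.\\" };
    char out[256];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (dos_to_unix_confined("/srv/share", samples[k], out, sizeof out))
            printf("%-28s -> %s\n", samples[k], out);
        else
            printf("%-28s -> REJECTED\n", samples[k]);
    }
    return 0;
}
```

A lexical check like this is necessary but not sufficient: a symbolic link inside the share can still point outside it, which is exactly what the wide links = no workaround governs, and the runtime counterpart is to resolve the final path (realpath() or equivalent) and confirm it still starts with the share root before opening it.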
The GNU shell archives package
sharutils is reported to contain buffer overflows
in the shar.c and unshar.c utilities. These buffer overflows may, under some
conditions, be exploited by an attacker to execute arbitrary code with the permissions
of the user running a script that executes a vulnerable command.
Users should watch their vendors for a repaired version of
sharutils and should
avoid executing untrusted scripts until these buffer overflows have been repaired.
Updated packages for Debian GNU/Linux and Gentoo Linux have been released.
Macromedia's JRun server, an application server compatible with Java 2 Enterprise Edition (J2EE), is vulnerable to a buffer overflow that can be exploited, under some conditions, by a remote attacker to execute arbitrary code with the permission of the user account the web server is running under. JRun is only vulnerable when verbose logging has been turned on in the web server's configuration file. JRun is reported to be vulnerable when running under the following web servers: Microsoft IIS (all versions), Netscape, IPlanet, SunOne (all versions), and Apache (all versions).
All users of JRun should apply the Cumulative Security Patch available from Macromedia as soon as possible. As a workaround, users can disable verbose reporting in their web servers' configuration files and restart their web servers.
The Subversion source code versioning system was created as a replacement for
the popular CVS system. A bug in Subversion's
mod_authz_svn Apache module can
be abused by a remote attacker to gather information about protected areas in
mod_authz_svn is an Apache module that provides path-based authentication
for Subversion repositories.
It is recommended that users upgrade to version 1.0.8 or 1.1.0-rc4 as soon as possible. This problem may be worked around by using Apache's access controls to prevent unauthorized access to specific directories.
imlib, an image-loading and -rendering library, contains buffer overflows in
the code that handles runlength-encoded bitmaps. Both
imlib2 are vulnerable
to an attack that uses a carefully crafted BMP file to exploit the buffer overflows
and execute arbitrary code with the permissions of the user executing the application.
Users should watch their vendors for a repaired
imlib package. Conectiva Linux
has released upgraded packages that repair these buffer overflows.
ctstrtcasd is a setuid root application that is installed by default on recent
versions of IBM's AIX and is installed with the Reliable Scalable Cluster Technology
(RSCT) system, IBM Tivoli System Automation, IBM Cluster Systems Management,
IBM Hardware Management Console, and IBM General Parallel File System.
fails to verify the sanity of its trace file and will write, with root permissions,
65,535 bytes of trace data to any arbitrary file on the system.
It is recommended that users consider removing the set user id bit from
until it has been replaced with a repaired version.
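The missing check in this advisory is the one every setuid program needs before it writes to a user-chosen path. The following C code is an added example, not IBM's code, of how a setuid-root program can open a user-supplied trace file safely: the open() runs with the real user id in effect so the kernel applies the invoking user's permissions, and the resulting descriptor is then verified with fstat() to be a regular file owned by that user before anything is written. The trace-file names, the sample data and the self-check functions are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-chosen trace file from a program that runs setuid root.
 * Two layers replace the missing sanity check:
 *  1. open() runs with the real uid in effect, so the kernel applies the
 *     invoking user's permissions rather than root's;
 *  2. the result is inspected through the descriptor with fstat(): only
 *     a regular file owned by the real uid is accepted, and because the
 *     check is on the open fd a later rename cannot change the answer.
 * Returns an fd open for appending, or -1 with errno set. */
int open_trace_file(const char *path)
{
    uid_t real = getuid(), privileged = geteuid();
    struct stat st;
    int fd, saved_errno;

    if (seteuid(real) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    saved_errno = errno;
    if (seteuid(privileged) != 0) {      /* cannot regain privilege: bail out */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Append len bytes of trace data to path; returns bytes written, or -1. */
ssize_t write_trace(const char *path, const char *data, size_t len)
{
    int fd = open_trace_file(path);
    ssize_t n;
    if (fd < 0)
        return -1;
    n = write(fd, data, len);
    close(fd);
    return n;
}

/* Self-check: a regular file owned by the caller receives the data. */
int accepts_own_regular_file(void)
{
    char path[] = "/tmp/trace-demo-XXXXXX", buf[16];
    int fd = mkstemp(path), ok = 0;

    if (fd < 0)
        return 0;
    close(fd);
    if (write_trace(path, "trace", 5) == 5 && (fd = open(path, O_RDONLY)) >= 0) {
        ok = read(fd, buf, sizeof buf) == 5 && memcmp(buf, "trace", 5) == 0;
        close(fd);
    }
    unlink(path);
    return ok;
}

/* Self-check (constructed scenario): a symlink pointing at a file of our
 * own is refused and the target stays untouched. */
int refuses_symlink(void)
{
    char dir[] = "/tmp/trace-demo-XXXXXX", link_path[128], target[128];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/trace.link", dir);
    snprintf(target, sizeof target, "%s/protected", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0) {
        close(fd);
        if (symlink(target, link_path) == 0)
            ok = write_trace(link_path, "trace", 5) == -1
                 && stat(target, &st) == 0 && st.st_size == 0;
    }
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("own regular file accepted: %s\n", accepts_own_regular_file() ? "yes" : "no");
    printf("symlink refused:           %s\n", refuses_symlink() ? "yes" : "no");
    printf("directory refused:         %s\n", write_trace("/tmp", "trace", 5) == -1 ? "yes" : "no");
    return 0;
}
```

Dropping the effective uid around the open is the layer that matters most: it turns "can root write here?" into "can this user write here?", which is the question the program should have been asking all along. The fstat() checks catch what the kernel's permission check does not express, such as a world-writable file belonging to someone else.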
YahooPOPs, an application that runs on Windows, Linux, Solaris, and Mac servers and provides simulated POP3 and SMTP access to Yahoo Mail, is reported to be vulnerable to multiple buffer overflows. The buffer overflows may be exploitable by a remote attacker and result in a denial of service or arbitrary code execution. An application to automate the exploitation of this vulnerability has been released to the public.
Users should consider disabling YahooPOPs until a repaired version has been released, or carefully restricting access to the application using a firewall.
OpenOffice.org uses the user's
umask to create temporary files. This can lead,
under some circumstances, to users obtaining and reading documents that
belong to other users.
An affected user should set his or her
umask to an appropriate value prior to starting
OpenOffice.org and should upgrade to a repaired version. Mandrake
has released updated OpenOffice.org packages for Mandrake Linux 10.0.
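Relying on the umask is the mistake behind this advisory: a file requested with mode 0666 ends up readable by everyone if the user's shell left the umask at 0 or 022. The following C program is an added example, not OpenOffice.org's code, that places the naive creation beside a corrected one that asks for 0600 and enforces it with fchmod(), inside a private mkdtemp() directory, and reports the permission bits each file actually receives under a given umask. The directory and file names under /tmp are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (rwx for owner/group/other) of an open descriptor, or -1. */
int perm_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* The pattern behind the advisory: ask for 0666 and let the umask decide.
 * With a permissive umask other users can read the temporary copy. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
}

/* Corrected form: request 0600 and enforce it with fchmod(), so the
 * result does not depend on the umask inherited from the user's shell. */
int private_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Create one file with the given function under the given umask, inside a
 * fresh mkdtemp() directory (itself 0700, a second line of defence), and
 * return the permission bits the file ended up with. Restores the umask. */
static int mode_under_umask(mode_t mask, int (*create)(const char *))
{
    char dir[] = "/tmp/umask-demo-XXXXXX";
    char path[128];
    mode_t old = umask(mask);
    int fd, bits = -1;

    if (mkdtemp(dir) != NULL) {
        snprintf(path, sizeof path, "%s/scratch.odt", dir);
        fd = create(path);
        if (fd >= 0) {
            bits = perm_bits(fd);
            close(fd);
            unlink(path);
        }
        rmdir(dir);
    }
    umask(old);
    return bits;
}

int naive_mode_under_umask(mode_t mask)   { return mode_under_umask(mask, naive_create); }
int private_mode_under_umask(mode_t mask) { return mode_under_umask(mask, private_create); }

int main(void)
{
    mode_t masks[] = { 0, 022, 077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %03o: naive file %04o, private file %04o\n",
               (unsigned)masks[i], naive_mode_under_umask(masks[i]),
               private_mode_under_umask(masks[i]));
    return 0;
}
```

Under umask 0 the naive file comes out 0666 and under 022 it is 0644, readable by every other account on the machine; the private version is 0600 whatever the umask, which is the property the advisory's workaround (setting the umask by hand before starting the application) only approximates.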