Problems in OpenSSH, Sudo, and Java
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in OpenSSH, Sudo, Sun and Blackdown Java, tcpdump, cpio, JBOSS, Adobe Reader and Acrobat, gedit, Gaim, and Trac.
A problem has been reported in OpenSSH's scp command that may, under some conditions, result in arbitrary files being written on the local machine when scp is used to copy files from a malicious server. All versions of OpenSSH prior to version 3.4p1 are reported to be vulnerable to this problem.
Users should upgrade to version 3.4p1 of OpenSSH as soon as possible. Upgraded packages are known to be available from SuSE, Conectiva, Mandriva (formerly known as Mandrake), and Red Hat.
Sudo is a utility that allows a list of permitted users to execute commands as the superuser or another user. Sudo is reported to be vulnerable to a race condition in the code that handles a command's path. This vulnerability could be exploited to allow a user who is authorized to run one command as root to execute any command as root. Versions 1.3.1 through 1.6.8p8 of Sudo have been reported to be affected.
Users of Sudo should keep in mind that creating a utility to allow users to perform a limited number of commands with root permissions without causing a security problem is, at best, a very difficult task. Anyone using Sudo on his or her system should carefully consider the benefits and risks. If Sudo is used, a careful watch for vulnerabilities should be kept.
All users of Sudo should upgrade to version 1.6.8p9 or newer as soon as possible.
Sun and Blackdown Java
Both Sun's and Blackdown's Java Runtime Environment (JRE) and Java Development Kit (JDK) are vulnerable to an attack that can be exploited to run arbitrary Java code with the permissions of the victim when the victim views a web page containing an untrusted applet.
Sun JDK and JRE users should upgrade to 1.4.2.08 or newer. Blackdown JDK and JRE users should upgrade to 1.4.2.02 or newer.
The tcpdump network sniffer has a bug in its bgp_update_print() function that may be exploitable by a remote attacker in a denial-of-service attack against tcpdump. Affected users should watch their vendors for a repaired version of tcpdump. Repaired packages for Mandrake Linux 10.1 and 10.2 have been released.
The archiving utility cpio is used to copy files into or out of archives. A flaw in cpio's handling of cpio archive files can be exploited by a remote attacker to overwrite arbitrary files on the system that are writable by the victim. The attacker carefully creates a cpio archive that he or she then convinces the victim to open using cpio. Users of cpio should watch their vendors for a repaired version. Gentoo Linux has released a repaired cpio.
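Both the scp and the cpio items above come down to the same defensive rule: a file name supplied by an untrusted party (a remote scp server announcing what it is sending, or the entries inside an archive someone mailed you) must never be allowed to pick the destination path. The following is an added example, not code from the column, from OpenSSH or from cpio; it parses the "newc" (magic 070701) cpio format from bytes and vets every entry name against a chosen destination directory before anything would be written. That path traversal is the mechanism is an assumption about this class of bug, not a statement about the exact defect; the archive bytes, the destination `/srv/extract`, and the function names are all constructed for the example.

```python
"""Added example (not from the column, OpenSSH or cpio): vet the entry names of a
'newc' cpio archive before extraction.  Path traversal is assumed as the bug class;
the archive bytes and the destination directory are constructed for this example."""
import os
from dataclasses import dataclass

NEWC_MAGIC = b"070701"   # SVR4 "new ASCII" cpio format
HEADER_LEN = 110         # 6-byte magic + 13 fields of 8 hex digits each
TRAILER = "TRAILER!!!"   # name of the pseudo-entry that terminates the archive


@dataclass
class Entry:
    name: str
    mode: int
    data: bytes


def _pad4(n: int) -> int:
    """Bytes needed to bring n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def build_newc_archive(entries):
    """Write a minimal newc archive; used here only to construct sample input."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [(TRAILER, b"")], start=1):
        name_bytes = name.encode() + b"\x00"          # names are NUL-terminated
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_bytes), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_bytes + b"\x00" * _pad4(HEADER_LEN + len(name_bytes))
        out += data + b"\x00" * _pad4(len(data))
    return bytes(out)


def parse_newc(buf: bytes):
    """Parse every entry up to the trailer; raise ValueError on a malformed archive."""
    pos, entries = 0, []
    while True:
        hdr = buf[pos:pos + HEADER_LEN]
        if len(hdr) < HEADER_LEN:
            raise ValueError("truncated header at offset %d" % pos)
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad magic at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_start = pos + HEADER_LEN
        name_bytes = buf[name_start:name_start + namesize]
        if len(name_bytes) != namesize or not name_bytes.endswith(b"\x00"):
            raise ValueError("truncated or unterminated name at offset %d" % name_start)
        name = name_bytes[:-1].decode("utf-8", "surrogateescape")
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = buf[data_start:data_start + filesize]
        if len(data) != filesize:
            raise ValueError("truncated file data for %r" % name)
        pos = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return entries
        entries.append(Entry(name, mode, data))


def is_safe_relative_name(name: str) -> bool:
    """Reject names an untrusted archive (or a remote scp server) could use to
    escape the destination: empty, absolute, or containing a '..' component."""
    if not name or name.startswith("/"):
        return False
    return ".." not in name.split("/")


def vet_archive(buf: bytes, dest: str) -> dict:
    """Return {'ok': [target paths], 'rejected': [names]} without writing anything."""
    dest = os.path.normpath(dest)
    result = {"ok": [], "rejected": []}
    for e in parse_newc(buf):
        target = os.path.normpath(os.path.join(dest, e.name))
        # Second, path-based check: even a clean-looking name must resolve under dest.
        # (A real extractor must also re-check with realpath after each write, because
        # a symlink entry written earlier in the same archive can redirect later ones.)
        if not is_safe_relative_name(e.name) or os.path.commonpath([dest, target]) != dest:
            result["rejected"].append(e.name)
        else:
            result["ok"].append(target)
    return result


# Constructed sample: one benign entry and two names that try to leave the directory.
SAMPLE_ARCHIVE = build_newc_archive([
    ("docs/readme.txt", b"hello"),
    ("../../etc/passwd", b"constructed sample content\n"),
    ("/tmp/abs", b"y"),
])

if __name__ == "__main__":
    print(vet_archive(SAMPLE_ARCHIVE, "/srv/extract"))
```

The same `is_safe_relative_name` test is what an scp-style client should apply to each name the remote end announces before joining it to the local target directory; the second, `commonpath`-based check in `vet_archive` catches anything the string test misses once the name is joined to the destination.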
JBOSS is a J2EE-1.4-certified Java application server that is written in Java. It has been reported that JBOSS can be manipulated into providing an attacker information, such as the path it is installed under. In version 4.0.2, an attacker can view all of JBOSS's configuration information, including security configurations.
Users of JBOSS should watch for a solution to this problem.
Adobe Reader and Adobe Acrobat
A flaw in the way Adobe Reader and Adobe Acrobat handle embedded XML scripts means that a remote attacker can create a PDF file that, when viewed by the victim, can read local files and send information back to the attacker. Adobe reports that Adobe Reader 7.0 and 7.0.1 and Adobe Acrobat 7.0 and 7.0.1 are vulnerable to this flaw.
gedit, the Gnome text editor, is reported to be vulnerable to a format-string-based vulnerability in code that handles the file name being opened by gedit. If this vulnerability is successfully exploited, it results in arbitrary code being executed with the permissions of the victim. It may be possible that an email client or web browser could be manipulated into opening gedit with an attacker-specified filename that exploits this vulnerability. Users should upgrade the gedit packages as soon as they become available from vendors. Mandrake, Red Hat, and Gentoo have released repaired packages.
The instant messaging client Gaim is available for Linux, BSD, Mac OS X, and Windows. Gaim supports many different messaging protocols, including those of the AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks. A remotely exploitable denial-of-service vulnerability in Gaim is caused by code that handles MSN packages. The denial of service is triggered when an MSN package has a misreported and invalid body length in its header.
In addition, when using the Yahoo protocol, a remote client can cause a denial-of-service condition by sending files with names containing non-ASCII characters.
All users of Gaim should upgrade to version 1.3.1 or newer. A package containing version 1.3.1 of Gaim is available from Mandriva Linux.
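The MSN problem above is a header that declares a body length the receiver then trusts. The defensive shape of such a parser is to treat the declared length as untrusted input with three outcomes: a complete frame, "wait for more bytes", or "this header can never be satisfied, drop the peer". The following is an added example and not Gaim's code; the `MSG sender nick length\r\n` layout is an assumed simplification of the MSN MSG command, and the size limits and sample bytes are constructed for the example.

```python
"""Added example (not Gaim's code): length-checked framing for a chat message whose
header declares its body length.  The header layout is an assumed simplification of
the MSN MSG command; limits and sample bytes are constructed for this example."""

MAX_HEADER = 512       # assumed ceiling for one header line
MAX_BODY = 16 * 1024   # assumed ceiling for one message body


class FrameError(ValueError):
    """A header that can never be satisfied; the caller should discard the connection."""


def parse_msg_frame(buf: bytes):
    """Return (sender, nick, body, remaining) for one complete frame,
    None if more bytes are needed, or raise FrameError for a bad header."""
    end = buf.find(b"\r\n")
    if end == -1:
        if len(buf) > MAX_HEADER:
            raise FrameError("header line too long")
        return None
    fields = buf[:end].split(b" ")
    if len(fields) != 4 or fields[0] != b"MSG":
        raise FrameError("malformed MSG header")
    sender, nick, length_field = fields[1], fields[2], fields[3]
    # Only ASCII digits are accepted, so '-5', '0x10' or an empty field are
    # rejected here and the declared length can never be negative or non-numeric.
    if not length_field.isdigit():
        raise FrameError("body length is not a non-negative integer")
    length = int(length_field)
    if length > MAX_BODY:
        raise FrameError("declared body length %d exceeds limit" % length)
    body_start = end + 2
    if len(buf) - body_start < length:
        return None   # plausible length, body not yet fully received: keep buffering
    body = buf[body_start:body_start + length]
    return (sender.decode("ascii", "replace"), nick.decode("utf-8", "replace"),
            body, buf[body_start + length:])


def classify(buf: bytes) -> str:
    """Summarise the outcome for logging or tests: 'ok', 'need_more' or 'rejected: <reason>'."""
    try:
        return "ok" if parse_msg_frame(buf) is not None else "need_more"
    except FrameError as exc:
        return "rejected: %s" % exc


# Constructed sample stream containing two back-to-back frames.
STREAM = (b"MSG alice@example.com Alice 5\r\nhello"
          b"MSG bob@example.com Bob 3\r\nhey")

if __name__ == "__main__":
    rest = STREAM
    while rest:
        sender, nick, body, rest = parse_msg_frame(rest)
        print(sender, nick, body)
    for sample in (b"MSG a b 10\r\nshort", b"MSG a b -5\r\nx", b"MSG a b 99999999\r\nx"):
        print(sample, "->", classify(sample))
```

The important property is that a misreported length never causes a read past the buffer and never blocks a legitimate short frame: an under-filled body simply waits for more data, while a negative, non-numeric or absurdly large length is rejected before any allocation is sized from it.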
Trac is a wiki implementation that is integrated with Subversion and designed to help track problems and issues for a software development project. A bug in Trac can be exploited by a remote attacker to upload arbitrary files to the server running Trac and, under some conditions, can be exploited to execute arbitrary code.
It is recommended that all users of Trac upgrade to version 0.8.4 or newer as soon as possible.