Security Alerts

Problems in PCRE, the Linux Kernel, and SILC

by Noel Davis
09/15/2005

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PCRE, the Linux kernel, SILC, Frox, MPlayer, pam_ldap, maildrop, lm_sensors, simpleproxy, backup-manager, Adobe Version Cue, phpGroupWare, and webcalendar.

  • PCRE
  • Linux Kernel Problems
  • SILC
  • Frox
  • MPlayer
  • pam_ldap
  • maildrop
  • lm_sensors
  • simpleproxy
  • backup-manager
  • Adobe Version Cue
  • phpGroupWare
  • webcalendar

PCRE

PCRE, the Perl Compatible Regular Expressions library, is vulnerable to a buffer overflow that could result in arbitrary code being executed with the permissions of the user running the application linked against the library. PCRE is reported to be used by Analog, Python, PHP, gnumeric, KDE, Apache, Postfix, maildrop, nmap, Onyx, and Hypermail.

All users of PCRE should upgrade to version 6.2 or newer and should watch for new versions of any application that is linked against PCRE.

Linux Kernel Problems

Multiple security-related problems have been fixed in the Linux kernel. These problems include decompression of files on zisofs filesystems, buffer overflow in zlib decompression, buffer overflow in sock->sk_policy, and a bug in the S/390 specific kernel that could be exploited by a local user to power on and off partitions.

Users should watch their vendors for an up-to-date version of the kernel. Updated kernels have been released for SuSE Linux 9.1, 9.2, and 9.3; SUSE Linux Enterprise Server 9; and Novell Linux Desktop 9.

SILC

SILC, Secure Internet Live Conferencing, is reported to be vulnerable to a temporary-file symbolic-link race condition that may be exploitable by a local attacker to overwrite arbitrary files on the system with the victim's permissions. Version 1.0 of the SILC server and version 0.9.12-r3 of the SILC toolkit are reported to be vulnerable.

Affected users should watch for a repaired version of SILC.

Frox

Frox is a transparent FTP proxy for FreeBSD. A reported bug in Frox would allow any user to read any file on the system.

It is recommended that Frox be disabled until it has been repaired.

MPlayer

MPlayer is a Linux and Unix multimedia player that supports multiple formats, including MPEG, VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, and PVA. A vulnerability in the code that handles strf chunks in PCM audio streams may be exploitable by a remote attacker who creates a video or audio file that will cause arbitrary code to be executed when the victim plays the file in MPlayer.

All users should upgrade to a repaired version as soon as possible. Gentoo has released a repaired version. A possible workaround is to add ac=-pcm to the MPlayer configuration file. Making this change will disable MPlayer's ability to play uncompressed audio.

pam_ldap

pam_ldap, a Pluggable Authentication Module that authenticates to an LDAP server, will under some conditions authenticate connections that it should have denied and allow an attacker to bypass security restrictions.

Every user of pam_ldap should upgrade as soon as possible to pam_ldap-180 or newer.

maildrop

The mail delivery agent maildrop may, under some conditions, be vulnerable to an attack that can result in arbitrary code being executed with the mail group's permissions.

Users should watch their vendors for a repaired version of maildrop. Debian has released patched versions of maildrop.

lm_sensors

lm_sensors provides monitoring of temperature, voltage, and fan status of a Linux machine. The pwmconfig script included with lm_sensors is reported to be vulnerable to a temporary-file symbolic-link based race condition that may be useable by a remote attacker to overwrite arbitrary files on the system with, in most cases, root permissions.

It is recommended that lm_sensors be disabled on multi-user systems until this vulnerability has been corrected by upgrading to version 2.9.1 or newer.

simpleproxy

simpleproxy, a TCP-based proxy server, is reported to have a format-string-based vulnerability that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user account running simpleproxy.

All users of simpleproxy should upgrade to version 3.4 as soon as possible and should consider disabling it until it can be upgraded.

backup-manager

The command line tool backup-manager is reported to contain two vulnerabilities: backup files are created with world-readable permissions, allowing an attacker to view files in the backup that may not be viewable on the system; and a temporary-file symbolic-link race condition when backup-manager is used to back up files to a CD.

Affected users should upgrade to version 0.5.8b or newer of backup-manager as soon as possible.
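
The two backup-manager weaknesses described above, seen from the fixing side in an added shell example (not backup-manager's own code): a restrictive umask keeps the archive from being world-readable, and mktemp -d replaces a predictable temporary name. The function names, the archive naming, and the staging layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; make_backup and world_readable are hypothetical names.

# make_backup SRC_DIR DEST_DIR
# Archives SRC_DIR and prints the path of the archive created in DEST_DIR.
make_backup() {
    (   # subshell: the umask change does not leak into the caller
        umask 077   # files are created 0600 and directories 0700

        # mktemp -d picks an unpredictable name and creates the directory
        # atomically; it fails instead of reusing an existing path, so a
        # symlink planted at a guessed name cannot redirect the write.
        work=$(mktemp -d "${TMPDIR:-/tmp}/backup.XXXXXXXXXX") || exit 1

        out="$2/backup-$(date +%Y%m%d-%H%M%S).tar"
        if tar -C "$1" -cf "$work/archive.tar" . &&
           mv "$work/archive.tar" "$out"
        then
            status=0
            printf '%s\n' "$out"
        else
            status=1
        fi
        rm -rf "$work"
        exit "$status"
    )
}

# world_readable DIR
# Lists regular files under DIR that "other" users can read, which is the
# condition to audit for on archives written before the upgrade.
world_readable() {
    find "$1" -type f -perm -004 -print
}
```

Running world_readable against an existing backup directory shows which older archives still need a chmod o-r after upgrading.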

Adobe Version Cue

The Mac OS X version of Adobe Version Cue is vulnerable to a local attack that can result in arbitrary code being executed with root permissions. Also, Adobe Version Cue is vulnerable to a temporary-file symbolic-link race condition that can be exploited to overwrite arbitrary files on the system with root permissions. Adobe Version Cue is a software version-tracking system that is part of Adobe Creative Suite and other Adobe products. Code to automate the exploitation of these vulnerabilities has been released to the public.

Users of Adobe Version Cue should apply the update available from Adobe. A possible workaround is to remove the set user id bit from the VCNative utility.

phpGroupWare

phpGroupWare is a web-based application that includes a calendar, address book, to-do list, email, wiki, and news headlines. Several vulnerabilities have been found in phpGroupWare that may be exploitable under some conditions to execute arbitrary PHP code, or in cross-site scripting attacks.

All users of phpGroupWare should upgrade to version 0.9.16.008 as soon as possible.

webcalendar

webcalendar is reported to be vulnerable to an unspecified problem that can be trivially exploited by a remote attacker to execute arbitrary code with the permissions of the user account running the web server.

Affected users should watch for a repaired version from their vendors and should consider disabling webcalendar until it has been repaired. Debian has released packages for sarge.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
