PHP Problems
by Noel Davis
11/18/2005
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in PHP, Emacs, ftpd-ssl, Lynx,
Roaring Penguin pppoe, OpenVPN, RAR, Fedora Core X-Chat, HP-UX xterm, libungif4, and GpsDrive.
- PHP 4.4.1
- Emacs
- ftpd-ssl
- Lynx
- Roaring Penguin pppoe
- OpenVPN
- RAR
- Fedora Core X-Chat
- HP-UX xterm
- libungif4
- GpsDrive
PHP 4.4.1
A new version of PHP has been released that fixes many bugs, including several
that are security-related. The security problems repaired include problems in
the file upload code, several possible overwrites of global variables, and
memory corruption bugs.
Users of PHP 4.3 and 4.4 are encouraged to upgrade to version 4.4.1 of PHP.
Emacs
Emacs will execute arbitrary Lisp code when it opens a text file that carries
code in the file's local variables section. This affects Emacs versions 21.2.1
and earlier.
Users should upgrade to version 21.3 of Emacs. Users should also consider
adding (setq enable-local-variables nil) to their .emacs configuration
file; note that this disables file-local variable processing altogether, not
only the eval entries, so files that rely on local variables to select a mode
or indentation style will no longer do so.
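The check below is an added shell example, not code from the original column or from the Emacs project. It looks in the two places Emacs reads file-local variables from, the first-line -*- ... -*- spec (or the second line when the first is a #! line) and the Local Variables: ... End: trailer, and reports any eval: entry, which is the mechanism described above. The sample files its --demo mode creates are constructed here; "#" as the comment prefix is an assumption for illustration, since Emacs allows a comment prefix and suffix around each line of the trailer.

```shell
#!/bin/sh
# Added example (not part of the original column or of Emacs): report files
# whose file-local variable sections ask Emacs to evaluate Lisp.  Emacs reads
# such variables from a "-*- ... -*-" spec on the first line (second line if
# the first is a #! line) and from a "Local Variables:" ... "End:" trailer,
# where every line may carry a comment prefix and suffix; matching substrings
# sidesteps the prefix.  Only "eval:" entries are reported here.

scan_local_variables() {
    # Usage: scan_local_variables FILE...
    # Prints "file:line:text" for every eval: entry found; silent otherwise.
    [ $# -gt 0 ] || return 1
    awk '
        FNR == 1 { inblock = 0 }
        FNR <= 2 && /-\*-.*eval:/ { printf "%s:%d:%s\n", FILENAME, FNR, $0; next }
        /Local Variables:/       { inblock = 1; next }
        inblock && /End:/        { inblock = 0; next }
        inblock && /eval:/       { printf "%s:%d:%s\n", FILENAME, FNR, $0 }
    ' "$@"
}

demo() {
    # Constructed sample files; "#" as the comment prefix is one common choice.
    dir=$(mktemp -d)
    printf 'plain text, nothing special\n' > "$dir/clean.txt"
    printf 'notes\n\n# Local Variables:\n# mode: text\n# eval: (message "trailer eval ran")\n# End:\n' > "$dir/trailer.txt"
    printf '#!/bin/sh\n# -*- mode: sh; eval: (message "first-line eval ran") -*-\necho hi\n' > "$dir/second-line.sh"
    scan_local_variables "$dir"/*
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it over a directory of files you have downloaded before opening them in Emacs: sh scan.sh --demo shows the output format, and scan_local_variables *.txt prints one file:line:text entry per hit, with no output meaning nothing was found. It is a triage aid rather than a substitute for the upgrade: other local variables (hooks, for instance) can be risky too, and only a literal eval: entry is matched.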
ftpd-ssl
ftpd-ssl, an FTP server that supports SSL encryption, is reported to be vulnerable
to a buffer overflow that a remote attacker may be able to exploit to execute
arbitrary code with root privileges.
Affected users should watch their vendors for a repaired version. Debian has
released an updated version for sarge.
Lynx
Lynx is a text-mode web browser for Unix machines. Some configurations of
Lynx contain a mistake in the configuration of the lynxcgi: URL
handler that may be exploited by a remote attacker to execute arbitrary commands
on the victim's machine. Version 2.8.5 of Lynx is reported to be vulnerable,
as are the versions distributed in Red Hat Linux, Gentoo, and Mandriva. The versions
of Lynx distributed with FreeBSD and OpenBSD are reported not to be vulnerable.
Users should upgrade to version 2.8.6dev.15 or newer as soon as possible.
A possible workaround for this problem is to add the line TRUSTED_LYNXCGI:none to
the lynx.cfg file. This disables lynxcgi: URLs entirely, which is the right choice
unless you depend on running local CGI scripts through Lynx.
Roaring Penguin pppoe
A recent security announcement claimed that if Roaring Penguin pppoe (PPP
over Ethernet) is installed set user id root, it is vulnerable to a bug that
can allow an attacker to overwrite arbitrary files on the system with root
permissions. This security announcement is misleading, as there are no reported
Linux distributions that install rp-pppoe set user id root.
David Skoll of Roaring Penguin said about this problem: "Naturally, we
advise people not to run pppoe SUID-root, just as we'd advise people not to
run vi or cat or sed SUID-root. The whole
issue is nonsensical."
OpenVPN
OpenVPN is a full-featured SSL VPN that runs on Linux, OpenBSD, FreeBSD, NetBSD,
Mac OS X, Solaris, and Windows 2000/XP. OpenVPN is reported to be vulnerable
to an attack that could result in arbitrary code being executed on the victim's
machine.
All users of OpenVPN should upgrade to version 2.0.4 or newer as soon as possible.
RAR
RAR, an archiving tool that can use .zip and .rar file formats, is reported
to be vulnerable to a buffer overflow and a format string vulnerability
that could result in arbitrary code being executed with the user's permissions.
Both of these vulnerabilities are exploited through a carefully crafted archive
file that the user uncompresses using RAR.
All users of RAR should upgrade to version 3.5.1 or newer as soon as possible.
Fedora Core X-Chat
X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window
System and uses either the GTK+ toolkit or Gnome libraries. Patches have been
released for Fedora Core 1 and 2 that repair a long-standing buffer overflow
in X-Chat. The buffer overflow is in the code that handles Socks-5 proxies
in X-Chat and may be exploitable, under some conditions, by a remote attacker
to execute arbitrary code on the victim's machine. The victim must connect
to a proxy server controlled by an attacker to be vulnerable to this buffer
overflow.
It is recommended that Fedora Core 1 and 2 users stop using untrusted Socks-5
proxy servers until they have upgraded their X-Chat applications.
HP-UX xterm
An unspecified security problem with xterm under HP-UX has been announced by
HP. The announcement states that local users can exploit this vulnerability
to gain unauthorized access. Since the stock HP-UX xterm is installed set user
id root (note the xterm.nosuid copy kept by the workaround below), this probably
means access to the root account.
Versions B.11.00, B.11.11, and B.11.23 of HP-UX are reported to be affected.
Affected users should contact HP for more information. A suggested workaround
is to use the xterm located at /usr/contrib/bin/X11R5/xterm. For example:
cp /usr/bin/X11/xterm /usr/bin/X11/xterm.nosuid
chmod 555 /usr/bin/X11/xterm.nosuid
cp /usr/contrib/bin/X11R5/xterm /usr/bin/X11/xterm
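Both the Roaring Penguin pppoe note and the HP-UX xterm workaround above turn on whether a binary carries the setuid bit and is owned by root. The following shell audit is an added example, not part of the original column or of HP's workaround: it lists setuid files under the directories you name, with their mode and owner, so you can confirm that pppoe is not installed set user id root and that a replaced xterm ends up with exactly the permissions you intended. The directories used in --demo mode (/usr/sbin, /usr/bin/X11, /usr/bin) are assumptions for a typical layout.

```shell
#!/bin/sh
# Added example (not part of the original column or of HP's workaround):
# audit setuid files under one or more directories.  Use it to confirm that
# pppoe is not installed set user id root, and that a replaced xterm ends up
# with exactly the mode and owner you intended.  POSIX find/ls/awk only, so
# it runs unchanged on HP-UX, Linux and the BSDs.

list_setuid() {
    # Usage: list_setuid DIR...   One regular setuid file per line, sorted.
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

owner_of() {
    # Usage: owner_of FILE   Owning user as shown in the third column of ls -l.
    ls -ld "$1" | awk '{ print $3 }'
}

setuid_root_count() {
    # Usage: setuid_root_count DIR...   Number of setuid files owned by root.
    list_setuid "$@" | while IFS= read -r f; do
        if [ "$(owner_of "$f")" = root ]; then
            printf '%s\n' "$f"
        fi
    done | wc -l | tr -d ' '
}

report() {
    # Usage: report DIR...   Mode, owner and path of every setuid file found.
    list_setuid "$@" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(ls -ld "$f" | awk '{ print $1, $3 }')" "$f"
    done
}

if [ "${1:-}" = "--demo" ]; then
    # Assumed locations: /usr/sbin for pppoe, /usr/bin/X11 for the HP-UX xterm.
    # Adjust to where your system actually installs them.
    report /usr/sbin /usr/bin/X11 /usr/bin
    echo "setuid-root files: $(setuid_root_count /usr/sbin /usr/bin/X11 /usr/bin)"
fi
```

After applying HP's workaround, report /usr/bin/X11 should show no setuid entry for xterm unless you deliberately restored one, and report /usr/sbin should show nothing for pppoe at all, which is the state the Roaring Penguin quote above describes as the only sensible one.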
libungif4
The libungif4 library is reported to be vulnerable to several attacks that
could result in a denial of service or, under some conditions, in arbitrary code
being executed.
Users should watch their vendors for a repaired version of the library. Debian
has released a repaired version for woody, sarge, and sid.
GpsDrive
GpsDrive is a Linux and FreeBSD application that displays your position, read
from an NMEA-capable GPS receiver, on a zoomable map. A format string vulnerability
has been reported that may be exploitable by a local attacker to execute arbitrary
code.
Debian has released repaired packages for sarge and sid. Users of other distributions
should watch for a repaired version.
On a personal note, this is the last Security Alerts column I will be writing
for O'Reilly. It has been a pleasure working with all of the wonderful people
who have edited and produced the O'Reillynet website. If you are interested
in a continuation of this column in some form elsewhere, send me an email at
If there is enough interest I will continue doing a weekly
or biweekly security report in some form.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.