Security Portal: Weekly Linux Security Digest 2000/08/14 to 2000/08/20
Aug 21, 2000, 09:12
(Other stories by Kurt Seifried)
"Another messy week. Xlock/Xlockmore (a common screen saver) has a format bug in the processing of a command line option. This affects Linux and BSD versions. Zope has a flaw that allows users to gain additional roles while editing DHTML, and vendors are still releasing updates for problems from last week (rpc, perl, mailx, etc.). A very bad hole in the Lyris list manager's Web interface allows an attacker to trivially gain administrative access to the list. You'd think people would learn not to pass variables specifying the level of access back to users where they can be modified."
"Also, some vendors have made very basic mistakes. Trustix, for example, ships their httpsd server world writeable. If you want to replace it with one that logs credit card numbers, you can. Hint: check the distribution for world writeable files and directories before you ship it. Mandrake's update tool stores files in /tmp once it downloads them, meaning any user can potentially modify the files before they are installed. You simply write a program to watch tmp for specific filenames and then replace them with your own version (downloading a source rpm and making it include a setuid bash shell is trivial), and wait for the admin to upgrade. Hint: do not use /tmp if at all possible."
"SGI has issued a security advisory for the Linux kernel capability bug that can be exploited via sendmail - only several weeks late. Why is it that the larger the vendor, the slower the security fixes? Xchat has a flaw that allows attackers to implant commands in URLs which, if clicked on, can do bad things. The good news is, there is a nice patch for DHCPD to run it as a non-root user and chrooted. Also, an experimental set of patches for GCC to help prevent buffer overflows, from some IBM researchers."
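The digest's hint to check a distribution for world-writable files and directories before shipping can be turned into a build-time gate. The script below is an added example, not part of the digest or of any vendor's tooling; the function names and the sample tree (including the paths it creates) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a staged distribution tree for world-writable
# regular files and for world-writable directories without the sticky bit.
# find does not follow symlinks here, and -xdev keeps it on one filesystem.

# audit_world_writable ROOT
# Prints one finding per line ("FILE <path>" or "DIR <path>").
# Returns 0 if the tree is clean, 1 if anything was found, 2 on bad usage.
audit_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "usage: audit_world_writable DIR" >&2; return 2; }

    # Regular files that any local user can overwrite.
    files=$(find "$root" -xdev -type f -perm -0002 -print | sed 's/^/FILE /')
    # Directories that any local user can write to. Directories with the
    # sticky bit set (mode 1777, like /tmp) are skipped.
    dirs=$(find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /')

    findings=$(printf '%s\n%s\n' "$files" "$dirs" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_sample_tree: constructed sample input, not a real distribution.
# Runs in a subshell so the umask change does not leak to the caller.
build_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/usr/sbin" "$t/var/spool/drop" "$t/tmp" "$t/etc"
    : > "$t/usr/sbin/httpsd"; chmod 0777 "$t/usr/sbin/httpsd"  # flagged
    : > "$t/etc/passwd";      chmod 0644 "$t/etc/passwd"       # clean
    chmod 0777 "$t/var/spool/drop"                             # flagged
    chmod 1777 "$t/tmp"                                        # sticky, skipped
    printf '%s\n' "$t"
)
```

Run `audit_world_writable` against the build root as the last packaging step and fail the build on a non-zero return.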