“Another messy week. Xlock/Xlockmore (a common screen
saver) has a format bug in the processing of a command line option.
This affects Linux and BSD versions. Zope has a flaw that allows
users to gain additional roles while editing DHTML, and vendors are
still releasing updates for problems from last week (rpc, perl,
mailx, etc.). A very bad hole in the Lyris list manager’s Web
interface allows an attacker to trivially gain administrative
access to the list. You’d think people would learn not to pass
variables specifying the level of access back to users where they
can be modified.”
“Also, some vendors have made very basic mistakes. Trustix, for
example, ships their httpsd server world writeable. If you want to
replace it with one that logs credit card numbers, you can. Hint:
check the distribution for world writeable files and directories
before you ship it. Mandrake’s update tool stores files in /tmp
once it downloads them, meaning any user can potentially modify the
files before they are installed. You simply write a program to
watch tmp for specific filenames and then replace them with your
own version (downloading a source rpm and making it include a
setuid bash shell is trivial), and wait for the admin to upgrade.
Hint: do not use /tmp if at all possible.”
“SGI has issued a security advisory for the Linux kernel
capability bug that can be exploited via sendmail – only several
weeks late. Why is it that the larger the vendor, the slower the
security fixes? Xchat has a flaw that allows attackers to implant
commands in URLs which, if clicked on, can do bad things. The good
news is, there is a nice patch for DHCPD to run it as a non-root
user and chrooted. Also, an experimental set of patches for GCC to
help prevent buffer overflows, from some IBM researchers.”