NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Secunia Advisories> 2004-q2

[SA11760] Slackware PHP Insecure Static Library Linking Security Issue

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Thu Jun 03 2004 - 03:47:44 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
Slackware PHP Insecure Static Library Linking Security Issue

SECUNIA ADVISORY ID:
SA11760

VERIFY ADVISORY:
http://secunia.com/advisories/11760/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, DoS

WHERE:
Local system

OPERATING SYSTEM:
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.x

DESCRIPTION:
Bryce Nichols has discovered a security issue in Slackware, which can
be exploited by malicious, local users to gain escalated privileges.

The problem is that PHP is linked against a static library in an
insecure path. This can be exploited to cause a DoS or execute
arbitrary code ("nobody" privileges by default) by placing malicious
shared libraries in this path.

SOLUTION:
Apply updated packages.

Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz

Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz

Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz

Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/php-4.3.6-i486-4.tgz

PROVIDED AND/OR DISCOVERED BY:
Bryce Nichols

ORIGINAL ADVISORY:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.419765

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]