libtool risk - php leak risk

jechilt

Greetings,

I am still trying to feel out where things are to be posted. I hope this forum is ok for this question.

I was reading on the O'Reilly Linux DevCenter site about software problems.
http://www.linuxdevcenter.com/pub/a/linux/2004/02/11/insecurities.html

On my system, I have libtool 1.4.3 installed. According to the link provided, the alert for libtool says:
GNU libtool is a set of scripts used to create shared libraries from object files. The script ltmain.sh is vulnerable to a temporary file symbolic-link race condition that can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user running libtool.

It is recommended that all developers and other users of libtool upgrade to version 1.5.2 or newer as soon as possible.

Is this something we upgrade ourselves or is it tied into DA updates?

Does anyone know of or has anyone experienced anything like this?

It has been reported that, under some conditions, PHP can leak the contents of variables from one virtual host to another virtual host on the same machine. According to the report, one of the conditions is that the variable register_globals = on must be set in the system php.ini file and that some virtual hosts have register_globals = off in their .htaccess configuration file.

Affected users should watch their vendors for an updated version of PHP. It is also suggested that for systems with virtual hosts register_globals be set to off in the system php.ini file unless there is a known reason to have it set to on.

thanks!
 
jechilt said:
I am still trying to feel out where things are to be posted. I hope this forum is ok for this question.

This is the right place.

jechilt said:
I was reading on the O'Reilly Linux DevCenter site about software problems.
http://www.linuxdevcenter.com/pub/a/linux/2004/02/11/insecurities.html

I'd stay away from "generic" warning sites if I were you, and find the ones for your OS. My reasons will become clear as you continue to read...

jechilt said:
On my system, I have libtool 1.4.3 installed.

This information isn't really helpful unless we know what OS you're using, and what version of libtool that OS includes by default.

For example, our RHL 7.3 systems (which we still keep updated) have libtool 1.4.2-7 installed, yet they're fully patched against the race condition the O'Reilly site warns against.

Generic sites such as O'Reilly's report on new versions of libraries and tools which fix exploits, but most Linux distribution vendors "backport" patches to library and tool versions they already support, to keep dependency problems to a minimum.

Additionally, if you read carefully you'll find that the race condition is only a vulnerability if you allow local (that is, shell) access. If you're the only shell user on your system you wouldn't have anything to worry about anyway.

As long as you're using a supported OS and as long as you keep up with program and library updates your vendor (or 3rd party vendors) make available, you should be up-to-date.

I'd recommend keeping up with your vendor's security sites and not worrying about the generic one, unless you're an experienced Linux administrator with experience with a lot of distributions and with all the issues "rolling your own" can create.

And one more thing: While Red Hat no longer supports RHL 7.2, 7.3, 8 or 9, continued support is available for these systems both from the Fedora Legacy Group and from Progeny Transition Service. We also offer complete support services for these OS distributions, wrapping our support around the Progeny Transition Service offerings.

Jeff
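Two checks that follow from the advice in the original post and in Jeff's reply, written as an added example rather than anything posted in this thread. The first shows Jeff's point that the version number alone does not tell you whether a distribution backported the ltmain.sh temporary-file fix: on RPM-based systems `rpm -q --changelog libtool` prints the vendor's changelog, and the function below scans that text for a keyword. The second reads the effective register_globals value from php.ini text, which the advisory says should be Off in the system php.ini on a multi-vhost box. The changelog and php.ini contents in the block are constructed samples (made-up packager, dates and lines), not real vendor output; the keyword `race` and the treatment of a missing register_globals line as "unset" (PHP's own default has been Off since 4.2.0) are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from this thread. Two checks that follow from
# the advice above: (1) on RPM-based distributions the package changelog,
# not the version number, shows whether a fix such as the ltmain.sh
# temporary-file race was backported (`rpm -q --changelog libtool`);
# (2) register_globals should be Off in the system php.ini.

# Succeeds (exit 0) if the changelog text on stdin mentions the keyword
# given as $1, case-insensitively. Feed it real output with:
#   rpm -q --changelog libtool | changelog_mentions_fix 'race'
changelog_mentions_fix() {
    grep -qi -- "$1"
}

# Prints the effective register_globals value from php.ini text on stdin:
# comment lines (';' or '#') are ignored, the last assignment wins, quotes
# are stripped, the value is lowercased, and "unset" is printed when no
# assignment exists (assumption: unset means PHP's default, which is Off).
#   register_globals_setting < /etc/php.ini
register_globals_setting() {
    awk -F= '
        /^[[:space:]]*[;#]/ { next }
        $1 ~ /^[[:space:]]*register_globals[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Succeeds when the php.ini text on stdin leaves register_globals Off;
# fails when it is On, which is the setting the advisory warns about.
register_globals_is_off() {
    case "$(register_globals_setting)" in
        off|0|unset) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample changelog in the style of `rpm -q --changelog`
# output; the packager, dates and entries are made up for this example.
SAMPLE_CHANGELOG='* Tue Feb 10 2004 Example Packager <packager@example.com> 1.4.2-7
- backport upstream fix for the ltmain.sh temporary file race condition
* Mon Jun 02 2003 Example Packager <packager@example.com> 1.4.2-6
- rebuild'

# Constructed php.ini fragment: an early On is overridden by a later Off.
SAMPLE_PHP_INI='; constructed sample, not a real php.ini
register_globals = On
# later assignment wins
register_globals = Off
display_errors = Off'

# Demonstration on the constructed samples when run directly.
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_fix 'race'; then
    echo "changelog: backported race-condition fix found"
else
    echo "changelog: no mention of a race-condition fix"
fi
echo "register_globals is: $(printf '%s\n' "$SAMPLE_PHP_INI" | register_globals_setting)"
if printf '%s\n' "$SAMPLE_PHP_INI" | register_globals_is_off; then
    echo "php.ini: register_globals is off"
else
    echo "php.ini: register_globals is ON; set it Off in the system php.ini"
fi
```

On a real system the two checks are `rpm -q --changelog libtool | changelog_mentions_fix 'race'` and `register_globals_is_off < /etc/php.ini`; a vhost whose .htaccess flips register_globals is outside what the php.ini check sees, which is exactly why the advisory wants the system-wide value Off.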
 
Hi Jeff,

thanks for the information. It was very clear and I understand.

kind regards...
 