Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: More Kernel Trouble

by Noel Davis
06/16/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Linux kernels, GNU Zip, xaos, Speak Freely, eterm, Hangul Terminal, typespeed, mikmod, kon2, zblast/xzb, and zenTrack.

Linux 2.4 Kernel Problems

Linux 2.4 kernels are vulnerable to a denial-of-service attack and a vulnerability in the mxcsr code that can be used by an attacker to modify CPU state addresses. The denial-of-service attack uses a problem in the TTY layer code of the 2.4 Linux kernel to cause a kernel oops.

Users should watch their vendor for an updated kernel and related packages. Red Hat, Mandrake, and Debian are known to have released an updated kernel package.

Linux 2.0 Kernel ICMP Problem

A bug in the ICMP code of Linux 2.0 kernels can be exploited by a remote attacker, under some conditions, to read random pieces of memory on the machine under attack. The bug is in the code that calculates the size of the ICMP packet citation. The bug is reported to affect Linux kernels 2.0.39 and earlier. A script that automates the exploitation of this bug has been released.

Affected users should upgrade to a repaired kernel as soon as one becomes available. It has been reported (but not confirmed) that this problem will be repaired in the Linux 2.0.40 kernel.


GNU Zip

The znew shell script contained in the GNU Zip (gzip) package is reported to be vulnerable to a symbolic-link, temporary-file race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing znew. znew is used to convert files compressed using the utility compress to the gzip compression format.

It is recommended that on multi-user systems znew be disabled until a repaired gzip package has been installed.

xaos

xaos, a real-time interactive fractal viewer written to be fast and portable, can be exploited by a local attacker to gain root permissions when it is installed set user id root. xaos is often installed set user id root so that it can use the features of the svgalib library.

Affected users should remove the set user id bit or, if the svgalib functionality is required, make the executable only runnable by a trusted group of users.

Speak Freely

Speak Freely is an open source, encrypted voice communications package for Unix and Windows. Speak Freely contains multiple remotely exploitable buffer overflows that can be used to execute arbitrary code; is vulnerable to a temporary-file, symbolic-link race condition that can be used by a local attacker to overwrite files on the system; and, under some conditions, can be exploited as a UDP open relay. It has been reported that Speak Freely 7.5 for Unix is completely vulnerable to these problems and that Speak Freely 7.1 for Windows and Unix is vulnerable to some of these problems.

Users should upgrade to version 7.6 of Speak Freely, which is reported to be patched against most of these problems. They should also watch for a version that repairs the remaining problems.
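The temporary-file symbolic-link race reported above for znew and again for Speak Freely is the same bug pattern each time: a scratch file is created under a guessable name in a world-writable directory without checking whether something already sits at that path. The following C program is an added illustration, not code from gzip, Speak Freely, or the column; the function names, the private directory under /tmp, and the 15-byte "victim" file are constructed for the demonstration. It shows the vulnerable open() flags beside the hardened ones (O_EXCL plus O_NOFOLLOW, or mkstemp(3) for an unpredictable name) and runs both against a planted symlink so the difference is observable.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a guessable name (think "/tmp/name.$$") opened with
 * O_CREAT|O_TRUNC. If a symlink has already been planted at that name,
 * open() follows it and truncates whatever it points to, with the
 * privileges of the user running the script. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail if anything already exists at
 * the path (POSIX requires this even when it is a symlink), and O_NOFOLLOW
 * refuses to traverse a symlink in the last path component. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form for scratch files: unpredictable name plus O_EXCL, done
 * atomically by mkstemp(3). On success the chosen path is left in buf. */
int safe_create_unique(char *buf, size_t buflen, const char *dir) {
    if (snprintf(buf, buflen, "%s/znewXXXXXX", dir) >= (int)buflen)
        return -1;
    return mkstemp(buf);
}

/* Constructed scenario: in a private directory, write a 15-byte "victim"
 * file, plant "scratch" -> "victim", then open "scratch" with the opener
 * under test. Returns the opener's result; *size_out receives the victim's
 * size afterwards (-1 if setup failed). Everything is cleaned up. */
static int run_through_symlink(int (*opener)(const char *), long *size_out) {
    char dir[] = "/tmp/racedemoXXXXXX";
    char victim[64], lnk[64];
    struct stat st;
    int fd, rc = -1;

    *size_out = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/scratch", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        ssize_t w = write(fd, "important data\n", 15);
        close(fd);
        if (w == 15 && symlink(victim, lnk) == 0) {
            rc = opener(lnk);                  /* the operation under test */
            if (rc >= 0)
                close(rc);
            if (stat(victim, &st) == 0)
                *size_out = (long)st.st_size;
        }
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* 1 if the opener truncated the victim through the planted symlink. */
int opener_clobbers_victim(int (*opener)(const char *)) {
    long size;
    int rc = run_through_symlink(opener, &size);
    return rc >= 0 && size == 0;
}

/* 1 if the opener refused the planted symlink and the victim kept its 15 bytes. */
int opener_refuses_symlink(int (*opener)(const char *)) {
    long size;
    int rc = run_through_symlink(opener, &size);
    return rc < 0 && size == 15;
}

/* 1 if a unique scratch file can be created in /tmp (removed again here). */
int unique_scratch_works(void) {
    char buf[64];
    int fd = safe_create_unique(buf, sizeof buf, "/tmp");
    if (fd < 0)
        return 0;
    close(fd);
    unlink(buf);
    return 1;
}

int main(void) {
    printf("unsafe_create clobbers victim: %d\n", opener_clobbers_victim(unsafe_create));
    printf("safe_create refuses symlink:   %d\n", opener_refuses_symlink(safe_create));
    printf("mkstemp scratch file works:    %d\n", unique_scratch_works());
    return 0;
}
```

Shell scripts get the same protection from mktemp(1), which wraps mkstemp; the check to look for when auditing a script like znew is whether every path under /tmp comes from mktemp rather than from `$$` or a fixed name.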

eterm

The terminal emulator eterm is vulnerable to a buffer overflow in the code that handles the ETERMPATH environment variable. This buffer overflow can be exploited by a local attacker to execute arbitrary code with the permissions under which eterm is running. eterm is often installed set group id utmp.

It is recommended that users disable eterm or remove any set user id or set group id bits from eterm until it has been replaced with a repaired version.
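An environment variable is attacker-controlled input to a set-id program, which is why an unbounded copy of ETERMPATH is a privilege problem rather than a mere crash. The program below is an added example, not eterm's code: the variable name DEMO_ETERMPATH, the default path, and the 64-byte buffer are assumptions made for the demonstration. It places the vulnerable copy beside a hardened reader that measures the value against the buffer, copies with an explicit bound, and falls back to a compiled-in default when the value is missing or too long.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64                       /* fixed-size destination, as in the vulnerable pattern */
#define DEMO_VAR "DEMO_ETERMPATH"         /* hypothetical variable name for the demo */
#define DEMO_DEFAULT "/usr/share/Eterm"   /* constructed compiled-in default */

/* Vulnerable pattern: the value is copied into a fixed buffer with no bound,
 * so anything longer than PATH_BUF-1 bytes overruns it. Kept only as the
 * "before" picture; nothing in this file calls it. */
void unsafe_read_path(char dst[PATH_BUF], const char *var) {
    const char *v = getenv(var);
    if (v != NULL)
        strcpy(dst, v);                   /* unbounded copy */
}

/* Hardened pattern. Returns 0 when the value was used, 1 when the default
 * was used because the variable is unset, and -1 when the default was used
 * because the value would not fit (terminator included). */
int safe_read_path(char *dst, size_t dstlen, const char *var, const char *dflt) {
    const char *v = getenv(var);
    if (v == NULL) {
        snprintf(dst, dstlen, "%s", dflt);
        return 1;
    }
    if (strnlen(v, dstlen) >= dstlen) {   /* measure before copying */
        snprintf(dst, dstlen, "%s", dflt);
        return -1;
    }
    memcpy(dst, v, strlen(v) + 1);        /* bound verified above */
    return 0;
}

char demo_path[PATH_BUF];

/* Set (or, for NULL, unset) the demo variable, then read it the safe way. */
int demo_read(const char *value) {
    if (value == NULL)
        unsetenv(DEMO_VAR);
    else
        setenv(DEMO_VAR, value, 1);
    return safe_read_path(demo_path, sizeof demo_path, DEMO_VAR, DEMO_DEFAULT);
}

/* Same, with a constructed value of n 'A' bytes to probe the size limit. */
int demo_read_overlong(size_t n) {
    char *v = malloc(n + 1);
    int rc;
    if (v == NULL)
        return -2;
    memset(v, 'A', n);
    v[n] = '\0';
    rc = demo_read(v);
    free(v);
    return rc;
}

int main(void) {
    printf("normal value: rc=%d path=%s\n", demo_read("/usr/local/share/Eterm"), demo_path);
    printf("unset:        rc=%d path=%s\n", demo_read(NULL), demo_path);
    printf("64 bytes:     rc=%d path=%s\n", demo_read_overlong(64), demo_path);
    return 0;
}
```

The decision of what to do with an oversized value is the part worth thinking about: silently truncating a path can redirect the program to a different directory, so the example rejects the value outright and logs nothing the attacker controls.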

Hangul Terminal

The Hangul Terminal emulator hanterm is vulnerable to multiple attacks using escape sequence codes, including an attack that, under some conditions, can result in arbitrary code being executed with the victim's permissions and a denial-of-service attack against the terminal.

Users should watch their vendor for updated hanterm packages.
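Escape-sequence attacks like the hanterm ones ride on untrusted text that reaches the terminal unfiltered: a file someone asks you to cat, a log line written by a remote client, output from a compromised host. Until the terminal itself is fixed, the defensive move is to strip escape sequences from such text before displaying it. The following C function is an added example, not part of hanterm or of this column; it handles 7-bit ESC-introduced sequences only (CSI, OSC and the other string commands, and two-byte sequences), passes UTF-8 through, and does not attempt 8-bit C1 controls. The sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parser states for 7-bit (ESC-introduced) escape sequences. */
enum esc_state { ST_NORMAL, ST_ESC, ST_CSI, ST_STRING, ST_STRING_ESC };

/* Copy 'in' (n bytes) to 'out' with every escape sequence removed:
 *   ESC [ ... final        CSI: colours, cursor motion, terminal queries
 *   ESC ] ... BEL | ESC \  OSC (window title etc.); ESC P, ESC ^, ESC _
 *                          are string commands with the same terminators
 *   ESC x                  two-byte sequences, with optional intermediates
 * Other C0 controls except \t \n \r are dropped as well. Bytes >= 0x80 pass
 * through so UTF-8 survives; 8-bit C1 controls are not interpreted.
 * Returns the number of bytes written, excluding the NUL terminator. */
size_t strip_escapes(const char *in, size_t n, char *out, size_t outlen) {
    enum esc_state s = ST_NORMAL;
    size_t i = 0, o = 0;

    while (i < n) {
        unsigned char c = (unsigned char)in[i];
        switch (s) {
        case ST_NORMAL:
            if (c == 0x1b) {
                s = ST_ESC;
            } else if (c == '\n' || c == '\t' || c == '\r' ||
                       (c >= 0x20 && c != 0x7f)) {
                if (o + 1 < outlen)               /* keep room for the terminator */
                    out[o++] = (char)c;
            }                                     /* remaining controls: dropped */
            i++;
            break;
        case ST_ESC:
            if (c == '[')                                          { s = ST_CSI; i++; }
            else if (c == ']' || c == 'P' || c == '^' || c == '_') { s = ST_STRING; i++; }
            else if (c >= 0x20 && c <= 0x2f)                       { i++; }               /* intermediate */
            else if (c >= 0x30 && c <= 0x7e)                       { s = ST_NORMAL; i++; } /* final byte */
            else                                                   { s = ST_NORMAL; }      /* malformed: reprocess */
            break;
        case ST_CSI:
            if (c >= 0x40 && c <= 0x7e)      { s = ST_NORMAL; i++; } /* final byte ends the CSI */
            else if (c >= 0x20 && c <= 0x3f) { i++; }                 /* parameters, intermediates */
            else                             { s = ST_NORMAL; }       /* malformed: reprocess */
            break;
        case ST_STRING:
            if (c == 0x07)      s = ST_NORMAL;       /* BEL terminates the string */
            else if (c == 0x1b) s = ST_STRING_ESC;   /* possibly ESC \ (ST) */
            i++;
            break;
        case ST_STRING_ESC:
            if (c == '\\') { s = ST_NORMAL; i++; }   /* ST seen */
            else           { s = ST_ESC; }           /* a new escape began: reprocess */
            break;
        }
    }
    if (outlen)
        out[o] = '\0';
    return o;
}

/* Convenience wrapper over a static buffer for short strings. */
const char *sanitized(const char *in) {
    static char buf[256];
    strip_escapes(in, strlen(in), buf, sizeof buf);
    return buf;
}

int main(void) {
    /* Constructed sample: a coloured status line with an embedded OSC title command. */
    const char *sample = "user@host \033[1;32mOK\033[0m \033]0;new title\007done\n";
    printf("%s", sanitized(sample));              /* prints "user@host OK done" */
    return 0;
}
```

Removing sequences rather than trying to whitelist "harmless" ones is deliberate: the hanterm report shows that which sequences are dangerous depends on the terminal, and a filter that only knows the sequences it was written against will miss the next one.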

typespeed

It has been reported that the typing program typespeed is vulnerable to a buffer overflow when the game is started in server mode. This can then be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the game and the permissions of the games group.

It is recommended that users not start the game in server mode until it has been updated to a repaired version.


mikmod

mikmod has a buffer overflow that can be exploited by an attacker who crafts an archive file containing a file with a long enough name.

Affected users should watch their vendor for a repaired version of mikmod. Debian has released updated mikmod packages.

kon2

kon2, a console Kanji emulator, is vulnerable to a locally exploitable buffer overflow that can result in the attacker gaining root permissions. A script to automate the exploitation of this vulnerability has been released to the public.

It is recommended that users disable kon2 until a repaired package has been installed.

zblast/xzb

zblast/xzb is a space shooting game. zblast is the SVGA version of the game, and xzb is an X11 version. Both versions have a buffer overflow in the code that writes high score information, which can be exploited to execute arbitrary code with the permissions of the games group.

Affected users should disable zblast and xzb or remove the set group id bit from the executables until they have been repaired.

zenTrack

zenTrack, a work-order management system written using PHP, is vulnerable to a remote attack that can be used to execute arbitrary code with the permissions of the user running the web server.

Users should watch for a repaired version and should consider protecting zenTrack from untrusted networks using a firewall.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.