Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in XFree86, Stunnel, Exim, wu-ftpd, pam_smb, gdm2, pam_ldap, whois, the atari800 emulator, Horde, MPlayer, and Node.
XFree86 4.3.0 is reported to be vulnerable to several bugs in its font libraries that could, under some conditions, be exploited to gain root permissions. The current CVS version of XFree86 is reported to be repaired. Because the font libraries process data supplied by font servers, users should verify that their xfs and X server installations do not have untrusted servers in their font search path.
Stunnel is reported to be vulnerable to an attack based on a leaked file descriptor that can be exploited to hijack Stunnel. Once Stunnel has been hijacked, the attacker can record information sent by other users by impersonating the services to which they are trying to connect, or redirect their connections to other machines. A program that automates exploitation of this vulnerability has been released to the public.
It is highly recommended that Stunnel users upgrade to version 3.26 or 4.04 as soon as possible. Upgrading will also repair a denial-of-service vulnerability in Stunnel.
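The leaked-descriptor hijack described above, as an added example that is not Stunnel's code, the column's, or the published exploit: a parent process binds a listening socket and spawns an untrusted child; when the descriptor is left inheritable across exec() (the bug), the child can adopt it, call accept() itself, and answer a client in place of the real service. Marking the descriptor close-on-exec (the fix) leaves the child with nothing to hijack. The child script, the loopback port, and the "HIJACKED" banner are constructed for the demonstration; the code assumes a POSIX system.

```python
# Added example, not from Stunnel or the column: a listening socket leaked
# across exec() lets a child process steal client connections.
import os
import socket
import subprocess
import sys

# Program run by the (untrusted) child.  It is told only the fd number and
# tries to adopt that descriptor as a socket and accept() on it.
CHILD = r"""
import socket, sys
fd = int(sys.argv[1])
try:
    srv = socket.socket(fileno=fd)   # succeeds only if the fd was inherited
    srv.settimeout(10)
    conn, _ = srv.accept()           # grab the next client connection
    conn.sendall(b"HIJACKED")        # and impersonate the real service
    conn.close()
    print("ACCEPTED")
except OSError:
    print("NO-SOCKET")               # EBADF/ENOTSOCK: nothing to hijack
"""


def child_can_hijack(leak_fd: bool) -> bytes:
    """Bind a listening socket, spawn a child, connect a client, and return
    whatever banner the client received from the child (b"" if the child
    could not accept).  leak_fd=True mimics the bug (descriptor inheritable
    across exec); leak_fd=False is the fix (FD_CLOEXEC set)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    os.set_inheritable(srv.fileno(), leak_fd)   # False == close-on-exec
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD, str(srv.fileno())],
        close_fds=False,        # like a daemon that never closes extras
        stdout=subprocess.PIPE,
    )
    banner = b""
    try:
        if leak_fd:
            # A legitimate client connects; the connection waits in the
            # listen backlog, and whoever calls accept() first gets it.
            with socket.create_connection(srv.getsockname(), timeout=10) as cli:
                banner = cli.recv(64)
        out, _ = child.communicate(timeout=20)
    finally:
        srv.close()
        if child.poll() is None:
            child.kill()
    return banner if out.strip() == b"ACCEPTED" else b""


if __name__ == "__main__":
    print("leaked fd  ->", child_can_hijack(True))    # b'HIJACKED'
    print("cloexec fd ->", child_can_hijack(False))   # b''
```

The check a practitioner wants after patching is the same one the fix relies on: every descriptor a privileged daemon holds that a spawned program does not need must carry FD_CLOEXEC (or be closed before exec), and an audit of `/proc/<pid>/fd` in the child should show only the descriptors it was meant to receive.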
Exim, a mail transfer agent developed at the University of Cambridge, is reported to be vulnerable to a buffer overflow in the code that handles the EHLO portion of the SMTP dialog; under some conditions it may be exploitable by a remote attacker.
Patches have been released, and users are encouraged to upgrade as soon as possible. Debian has released repaired Exim packages; Debian users should note that Exim is Debian's default MTA.
The wu-ftpd FTP server is reported to be vulnerable to an attack that exploits the wu-ftpd feature that creates an archive file for the user to download. When this feature is used, the file names are passed to tar as command-line arguments. An attacker can carefully create file names that will be interpreted as command-line options when tar is executed. This would result in arbitrary commands being executed with the permissions of the user ID under which wu-ftpd is running.
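The option-injection path described above, as an added example that is neither wu-ftpd's code nor the column's. It contains a small model of how a getopt-style parser such as GNU tar's classifies its arguments (an assumption about the real parser, limited to the leading-dash, `-f` and `--` rules needed here), a builder that appends file names the way the column describes, and a hardened builder. The file names are constructed; `--use-compress-program` is a real GNU tar option that makes tar run the named program. Note that passing the names as an argv list instead of through a shell does not help: tar itself parses the names.

```python
# Added example, not code from wu-ftpd or the column.

def split_tar_argv(argv):
    """Model of getopt-style argument classification as used by GNU tar.
    Rules modelled (assumption: enough of the real parser for this point):
      - a word starting with '-' (other than '-' itself) is an option;
      - a short-option cluster ending in 'f' takes the next word as the
        archive name;
      - a bare '--' ends option parsing; every later word is an operand.
    Returns (options, operands)."""
    options, operands = [], []
    options_done = False
    i = 1
    while i < len(argv):
        word = argv[i]
        if not options_done and word == "--":
            options_done = True
        elif not options_done and word.startswith("-") and word != "-":
            options.append(word)
            if not word.startswith("--") and word.endswith("f") and i + 1 < len(argv):
                i += 1
                options.append(argv[i])     # the archive operand of -f
        else:
            operands.append(word)
        i += 1
    return options, operands


def vulnerable_tar_argv(names):
    """The pattern the column describes: the requested names are appended
    to tar's argument list unchanged, so a name that looks like an option
    is treated as one."""
    return ["tar", "-cf", "-"] + list(names)


def hardened_tar_argv(names):
    """Terminate option parsing with '--' so every name is an operand, and
    additionally prefix dash-leading names with './' so they stay harmless
    even if some caller forgets the '--'."""
    safe = []
    for name in names:
        if name == "" or "\0" in name:
            raise ValueError("invalid file name")
        safe.append("./" + name if name.startswith("-") else name)
    return ["tar", "-cf", "-", "--"] + safe


if __name__ == "__main__":
    # Constructed attacker-chosen file name: tar would execute /tmp/evil
    # as the "compressor", with the ftp daemon's privileges.
    evil = "--use-compress-program=/tmp/evil"
    for build in (vulnerable_tar_argv, hardened_tar_argv):
        opts, ops = split_tar_argv(build([evil, "report.txt"]))
        print(build.__name__, "options:", opts, "operands:", ops)
```

The same check applies to any server feature that hands user-controlled names to a command-line tool: either end option parsing explicitly or ensure no operand can begin with a dash.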
The PAM module pam_smb lets a Linux user log in by checking his or her password against an NT server. pam_smb has a buffer overflow that a remote attacker can trigger with a long password string to gain access to the server.
Affected users should watch their vendors for an updated package that
repairs this problem. SuSE and Debian are reported to have released a
gdm2 is the GNOME 2 version of the xdm display manager. gdm2 is reported to be vulnerable to a symbolic-link race condition that can be used to read any file on the system: the attacker replaces the ~/.xsession-errors file with a symbolic link to the target file.
Users should watch for a repaired version of gdm2 to be released.
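The symbolic-link problem described above, as an added example that is not gdm2's code or the column's: a privileged program that must read a file living in a user-controlled home directory should open it with O_NOFOLLOW and then check the descriptor it actually got (with fstat, so there is no check-then-open window for a race) for a regular file owned by the expected user. The assumption is that the privileged reader runs with enough rights to read the link target; the temporary "home" directory, the planted link, and the file contents are constructed for the demonstration.

```python
# Added example, not code from gdm2 or the column: open a user-owned file
# from a privileged process without following a link the user planted.
import errno
import os
import stat
import tempfile


def open_user_file(path: str, expected_uid: int):
    """Open `path` read-only the way a privileged program should when the
    path lies in a directory the user controls: refuse a symlink at the
    final component, then verify on the opened descriptor (fstat, not
    stat, so the check cannot be raced) that it is a regular file owned
    by the expected user.  Raises OSError otherwise."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(errno.EPERM, "not a regular file", path)
        if st.st_uid != expected_uid:
            raise PermissionError(errno.EPERM, "unexpected owner", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Constructed scenario: a 'home' directory whose .xsession-errors is a
    symlink to a file the user should not be able to read.  Returns what a
    naive open leaks, whether the hardened open refused the link, and the
    contents of a genuine log that the hardened open still reads."""
    with tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "secret")
        with open(secret, "wb") as f:
            f.write(b"not for the user\n")          # constructed target
        link = os.path.join(home, ".xsession-errors")
        os.symlink(secret, link)

        # Naive open follows the link and returns the target's contents.
        with open(link, "rb") as f:
            leaked = f.read()

        # Hardened open fails with ELOOP (EMLINK on some BSDs) on the link.
        try:
            open_user_file(link, os.getuid())
            refused = False
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK)

        # A real regular file owned by this user still opens normally.
        real = os.path.join(home, "real.log")
        with open(real, "wb") as f:
            f.write(b"ok\n")
        with open_user_file(real, os.getuid()) as f:
            good = f.read()
    return leaked, refused, good


if __name__ == "__main__":
    print(demo())   # (b'not for the user\n', True, b'ok\n')
```

The owner check matters as well as O_NOFOLLOW: a hard link to someone else's file is not a symlink, and on systems that allow unprivileged users to create such links it would pass a symlink-only test.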
Systems that use pam_filter for host-access restrictions in pam_ldap can, under some conditions, allow users from any host to log in to their accounts. This bug is reported to have been repaired in pam_ldap 162. Affected users (those using pam_ldap for authentication along with host restrictions) should upgrade to a repaired package from their vendors as soon as possible.
The whois tool distributed with SuSE Linux, and perhaps with other Unixes, is vulnerable to several buffer overflows in the code that handles its command-line arguments. This problem is not generally exploitable, but it would be in any configuration that allows remote users to execute whois with arbitrary command-line arguments. For example, when whois is run inside a CGI script, a remote attacker could use it to execute arbitrary commands on the system.
It is recommended that affected users watch their vendors for updated packages, and consider disabling any CGI script or other method that would allow an untrusted remote user to execute whois with arbitrary
atari800 is vulnerable to a buffer overflow that, if the emulator is installed set-user-id root, can be used by a local attacker to gain root permissions.
Affected users should remove the set-user-id bit from the emulator until it has been repaired.
A flaw in the web-based Horde email client can be exploited to hijack user sessions and gain control over a user's mail for up to 20 minutes per successful attack. If the attacker can get a Horde user to connect to a remote web site, for example from a link in an email message or through a cross-site-scripting-style attack, the attacker can record the referring-page information sent with that request and use it to hijack the user's email account. The attacker then has access to the account for the remainder of the user's session, which is reported to be up to 20 minutes.
It is recommended that users upgrade to horde-2.2.4_rc2 or newer as soon as possible.
MPlayer is a movie player for Linux and other Unixes that supports MPEG, VOB, AVI, OGG/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, and more. MPlayer is vulnerable to a buffer overflow that may, under some circumstances, be used to execute arbitrary code. Versions 0.91 and earlier of MPlayer are reported to be vulnerable.
Users should upgrade to the latest version of MPlayer and should ensure that it is not installed with set-user-id or set-group-id bits.
Node, an amateur packet radio program, is vulnerable to a buffer overflow that a remote attacker can exploit to execute arbitrary code with root permissions.
Affected users should watch for a repaired version.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.