Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, 4inarow, CVS, Ebola,
A dangerous bug in the brk() system call in the Linux kernel can be used by a local attacker to gain root privileges. The kernel failed to check that a brk() request stayed within the address range allowed to user processes, so a process could grow its heap past the permitted maximum and into memory reserved for the kernel. Exploit programs that automate the attack have been released to the public. The bug is reported to affect the Linux 2.4.22 kernel and all earlier kernels.
The bug in the brk() system call was fixed in 2.4.23 and 2.6.0-test6. Users should upgrade to a repaired version of the kernel or should watch for packages from their vendors. Packages have been released by SuSE, Red Hat, Debian, Mandrake, Trustix, Astaro, Slackware, SGI, TurboLinux, Yellow Dog Linux, Conectiva, and Gentoo.
rsync, a faster and more flexible replacement for rcp that provides incremental file transfers, contains a buffer overflow that can be exploited by a remote attacker, under some conditions, to execute arbitrary code on the server with the permissions of the user running rsync. This buffer overflow can be exploited when rsync is being used in daemon mode as an
rsync versions 2.5.6 and earlier are reported to be vulnerable to this buffer overflow.
The developers of rsync strongly recommend that all users of rsync upgrade to version 2.5.7 as soon as possible and suggest that users configure rsync to run in a chroot environment by setting use chroot = yes in the file /etc/rsyncd.conf. Updated packages have been released for Trustix Secure Linux 1.2, 1.5, and 2.0; Debian GNU/Linux; EnGarde Secure Linux; Slackware Linux 8.1, 9.0, 9.1, and -current; and Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
cdwrite is a command-line script front end for burning CD-ROMs with
cdwrite is vulnerable to a temporary-file, symbolic-link-based attack that can be used to overwrite files on the system with the permissions of the user running cdwrite (often the root user).
Users of multi-user systems should avoid using cdwrite until it has been repaired.
CVS (Concurrent Versions System), a source-code version management package, has a bug that under some circumstances could cause CVS to attempt to create directories or files in the root of the filesystem on which its repository is located. Under most conditions, this bug is not thought to be exploitable.
Concerned users should upgrade to CVS version 1.11.10, which fixes the directory creation problem and other bugs.
The anti-virus daemon interface Ebola provides a performance-enhancing connection between anti-virus engines, such as Sophos, and scanning scripts, such as Inflex or AMaViS. Ebola has been reported to be vulnerable to a remote attack that leads to arbitrary code being executed as root. This vulnerability is reported to affect Ebola version 0.1.4. An application to automate the exploitation of this vulnerability has been released to the public.
The author of Ebola recommends that users upgrade to version 0.1.5 of Ebola as soon as possible to repair this problem, as well as additional potential problems due to the use of sprintf() function calls in version 0.1.4. If it is not possible to upgrade immediately, users should consider disabling Ebola. Users should also consider using a firewall to block connections to Ebola from any host that does not need to reach it. The author reports that he is no longer actively maintaining the Ebola source code.
net-snmp packages earlier than version 5.0.9 have vulnerabilities that allow an attacker who is already authorized to connect to a device to read MIB objects that the device's view configuration specifically excludes. The net-snmp package provides tools and libraries for using SNMP (Simple Network Management Protocol) to monitor and configure SNMP-aware devices.
Users should upgrade to version 5.0.9 of
Also in Security Alerts:
lftp is a file transfer utility that uses FTP and HTTP to transfer files. It has job-control functions similar to bash, bookmarks, and a built-in mirroring facility, and can transfer files in parallel.
lftp is reported to have unspecified bugs in the HTML-parsing code that can result in a security vulnerability when a user connects to an untrusted web server.
It is recommended that users upgrade to version 2.6.10 of lftp. Debian has released an upgraded package.
irssi, a text-based IRC client for Unix systems, is vulnerable, under some conditions, to a remotely exploitable denial-of-service attack. This vulnerability only affects irssi when it is running on non-x86 architectures and the gui print text signal is being used by a script or plug-in. The vulnerability can also be used to remotely change a message's "level," causing the message to be displayed differently.
Users should upgrade to irssi 0.8.9 or remove any script or plug-in that uses the gui print text signal.
4inarow is a networked four-in-a-row (Connect 4) clone for two players. It is vulnerable to an attack that can be exploited by a local attacker to execute arbitrary code with the permissions under which the game is running. On many systems, games are installed set-group-ID to the games group, and in some cases that group's access can be leveraged into additional permissions.
It is recommended that any set user or group IDs be removed from 4inarow and that users watch for a repaired version.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.