Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Ethereal, Tethereal, INN,
nd, phpGroupWare, and
A flaw in the
mremap() system call of the Linux kernel can, under some conditions, be exploited by a local attacker to gain root permissions. The function call
mremap() is used to move and resize Virtual Memory Areas.
In addition, the code in the Linux kernel that provides a real time clock has a vulnerability where it does not properly initialize all of its structures. This problem can lead to privileged kernel information being leaked into user-readable memory.
Updated packages have been released for Immunix Secured OS 7.3; SuSE Linux 8.0, 8.1, 8.2, and 9.0; SuSE Linux Enterprise Server 7, SuSE Linux Database Server, SuSE eMail Server III 3.1, SuSE Linux Firewall on CD, SuSE Linux Office Server, SuSE Linux Desktop 1.0, SuSE Linux School Server, Trustix Secure Linux 2.0; Conectiva Linux 8 and 9; Slackware 8.1; Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; Mandrake Linux 9.0, 9.1, 9.2, and 9.2/AMD64; Mandrake Multi Network Firewall 8.2, and Mandrake Corporate Server 2.1.
Ethereal and Tethereal are network-protocol analyzers for Unix and Windows that can be used to examine data from a network interface or can analyze network information from saved capture files. Problems with the code that handles SMB packets and the Q.931 dissector code can cause Ethereal and Tethereal to crash. It is possible that this problem is exploitable in such a way that arbitrary code can be executed.
It is recommended that users upgrade to version 0.10.0 as soon as possible. If it is not possible to upgrade, users should disable the SMB and Q.931 protocol dissectors by selecting Edit->Protocols and deselecting them from the list.
The INN Internet news server is vulnerable to a buffer overflow that may be exploited by a remote attacker to execute arbitrary code as the news user. The buffer overflow is in the control-message handling code in INN version 2.4.0.
Users should upgrade to ISC INN version 2.4.1.
The command-line-based MP3 music player
mpg321 contains a bug that, under some conditions, may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running
mpg321 must be used to play a MP3 file crafted by the attacker or be used to listen to the attacker's MP3 file using HTTP streaming before
mpg321 can be exploited.
A repaired version has been released for Debian GNU/Linux. Users of other distributions should watch their vendors for new repaired version.
vbox3, a voice-response system for
isdn4linux, does not properly drop its root permissions as it runs. This flaw can be exploited by a local user, under some conditions, to execute scripts with root permissions.
Affected users should watch for a new version that contains a fix for this flaw.
Also in Security Alerts:
OpenBSD's IKE (Internet Key Exchange) key-management daemon
isakmpd is reported to be vulnerable to two attacks that can be exploited to cause the unauthorized deletion of IPsec IKE Security Associations (SAs). The problems are reported to be exploited by sending a forged
INVALID-SPI notification or an
INITIAL-CONTACT notification to the victim's
Affected users should watch for an updated version of
nd is a small command-line tool for Web-based Distributed Authoring and Versioning (WebDAV). WebDAV is an extension to the HTTP protocol that allows remote users to collaborate and maintain web pages. Several buffer overflows have been reported in
nd that may result in a remote attacker who controls a WebDAV server executing arbitrary code on the victim's machine when the victim connects to the attacker's WebDAV server. These buffer overflows are reported to be in
nd versions 0.8.1 and earlier.
Users should upgrade to version 0.8.2 or newer as soon as possible and should consider disabling
nd until it has been upgraded. Updated packages have been released for Debian GNU/Linux.
tripwireon SuSE Linux
tripwire is a security tool used to make a cryptographic hash-based record of files on a system so that files on the system can be compared to the hash at a later time to check whether they have been changed. The version of
tripwire distributed with SuSE Linux 8.2 and 9.0 is reported to crash when the file requested does not exist.
Affected users should watch SuSE for an update.
phpGroupWare is a web-based groupware system written in PHP. There is a vulnerability in the calendar module that can be exploited by a remote attacker to execute arbitrary PHP code with the permissions of the user running the web server. This vulnerability is caused by a feature of the calendar that allowed users to save files to the server. Because the types of allowable file extensions were not enforced by the module, the attacker could place files that could then be remotely executed.
Additionally, under some conditions a SQL-injection based attack was possible, due to variables in the calendar and infolog modules not being properly screened and escaped.
Users should watch for a repaired version of phpGroupWare.
enq utility queues requests to a shared resource, such as a printer. IBM has reported that the version of
enq that ships with AIX 4.3, 5.1, and 5.2 is vulnerable to a format-string-based attack that can be exploited by an attacker who has
printq group permissions to gain root permissions.
IBM encourages users to upgrade using the appropriate APAR as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.