Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Linux and Darwin Kernel Trouble

by Noel Davis
01/27/2005

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, the Darwin/Mac OS X kernel, iSync, Ethereal, enscript, hylafax, rssh, Xine-lib, mpg123, and Konversation.

Linux Kernel Problems

Several problems in the Linux kernel have been announced: a locking problem in the sys_uselib() system call that a local attacker can exploit to gain root permissions; a race condition in page table handling on SMP kernels that a local attacker can likewise exploit to gain root permissions; a denial-of-service weakness in the auditing subsystem that may allow the machine to be crashed; a bug in the 32-bit compatibility layer on 64-bit machines that can cause 32-bit applications to run incorrectly; and, under some conditions, a denial-of-service attack against machines with filesystems mounted over NFS.

All Linux users should upgrade to a repaired kernel as soon as possible. SuSE has released updated packages for SUSE Linux Enterprise Server 8 and 9, SUSE Linux Desktop 1.0, and Novell Linux Desktop 9.

Darwin/Mac OS X Kernel Problems

Several bugs have been reported in the Darwin kernel used by Mac OS X 10.3. They can be used in a local denial-of-service attack and may also be exploitable to execute arbitrary code with root permissions. Code that automates a local denial-of-service attack against one of these bugs has been released publicly.

Users should watch Apple for an update that repairs these problems.

Mac OS X iSync

The mRouter utility installed with Mac OS X's iSync application is reported to contain a buffer overflow that a local attacker may be able to exploit to gain root permissions; mRouter is installed set-user-id root, and the overflow is triggered through its -a and -v command-line switches. Exploit code for this overflow has been released publicly.

All users should watch Apple for an update that repairs this problem. Administrators of multiuser machines should consider removing the set-user-id bit from /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter (chmod u-s on that path, then confirm with ls -l that the s is gone from the owner permissions) until Apple has patched iSync.

Ethereal

Ethereal is a graphical network protocol analyzer used for network troubleshooting, analysis, software development, protocol development, and education. A buffer overflow in Ethereal's X11 dissector can be exploited by a remote attacker who gets a carefully crafted packet onto a network that Ethereal is capturing from. Because Ethereal is commonly run as root so that it can capture packets, successful exploitation could result in arbitrary code being executed with root permissions on the victim's machine.

Affected users should watch their vendors for a repaired version of Ethereal and should consider not using it until it has been repaired.

enscript

GNU enscript, a utility that converts plain text to PostScript, is reported to contain several bugs that may be exploitable to execute arbitrary commands or to crash the program. In most cases these bugs are only locally exploitable, but where enscript is driven by other software (for example, when it is used with viewcvs) they may be exploitable remotely.

Users should watch their vendors for a repaired version of enscript. All affected users should consider disabling enscript until it has been repaired. Updated packages have been released for Debian GNU/Linux.

New Version of rssh

rssh is a restricted shell for use with OpenSSH; it places the user in a chroot jail and by design permits only the remote execution of scp, sftp-server, cvs, rdist, and rsync. Version 2.2.3 of rssh, released by its author, repairs a problem that under some conditions could allow the execution of arbitrary commands or of an uploaded shell script, defeating the restriction. All users should upgrade as soon as possible.

hylafax

A flaw in the hylafax fax system can, under some conditions, allow an unauthorized user to gain access to the fax server. Systems whose hosts.hfaxd file places insufficient host or user restrictions on clients are affected: such entries may admit users or hosts that were never meant to have access.

Users should upgrade as soon as possible and should use the hosts.hfaxd file to restrict access to hylafax as tightly as possible. Debian, Gentoo, and Mandrake have released updated hylafax packages.

Xine-lib

Xine-lib, the media-decoding library behind the free media player Xine (and other players built on it), is reported to contain a buffer overflow in the pnm_get_chunk() function that could allow an attacker who controls the stream being played to execute arbitrary code with the victim's permissions.

The authors of Xine-lib strongly recommend that users upgrade to the 1.0 release of Xine-lib or apply the available patches.

mpg123

mpg123, a fast open source MPEG layer 1, 2, and 3 audio player for Unix systems, contains a buffer overflow that a remote attacker can exploit with a carefully crafted MP2 or MP3 file. Successful exploitation would execute arbitrary code with the permissions of the user playing the file. All versions of mpg123 earlier than 0.59s-r9 are affected.

All users of mpg123 should upgrade to version 0.59s-r9 or newer (the -r9 suffix is the Gentoo package revision that carries the fix; users of other distributions should watch their vendors for a patched package).
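The X11 dissector, pnm_get_chunk() and mpg123 bugs above share the shape of most parser overflows: a length or size read from attacker-controlled input drives a copy into a fixed-size buffer. The following is an added example written for this column, not code from Ethereal, Xine-lib or mpg123; the chunk layout (a 4-byte big-endian length followed by payload), the 64-byte destination buffer and the sample inputs are assumptions chosen for illustration. It shows the vulnerable pattern beside a hardened reader that checks the declared length against both the destination capacity and the bytes actually present.

```c
/* Added example (not Ethereal, Xine-lib or mpg123 code): a length-prefixed
 * chunk reader of the kind found in media-file and protocol parsers. The
 * layout (4-byte big-endian length, then payload) and the 64-byte
 * destination are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 64            /* fixed-size buffer the payload lands in */

struct chunk {
    uint32_t len;
    uint8_t  data[CHUNK_MAX];
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length field comes from untrusted input and is
 * used directly as the copy size. A value above CHUNK_MAX overruns c->data;
 * a value above the bytes delivered over-reads the source. */
int read_chunk_unsafe(const uint8_t *in, size_t in_len, struct chunk *c)
{
    if (in_len < 4)
        return -1;
    c->len = be32(in);
    memcpy(c->data, in + 4, c->len);        /* c->len is never bounded */
    return (int)c->len;
}

/* Hardened version: the declared length is checked against the destination
 * capacity and against the bytes actually present before anything is
 * copied. in_len >= 4 is established first, so in_len - 4 cannot wrap. */
int read_chunk_safe(const uint8_t *in, size_t in_len, struct chunk *c)
{
    if (in_len < 4)
        return -1;                          /* truncated header */
    uint32_t len = be32(in);
    if (len > CHUNK_MAX)
        return -1;                          /* would overflow c->data */
    if (len > in_len - 4)
        return -1;                          /* promises more than delivered */
    c->len = len;
    memcpy(c->data, in + 4, len);
    return (int)len;
}

/* Constructed inputs; not taken from any real file or packet capture. */
static const uint8_t good_chunk[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Header claims 32 bytes but only three follow: fits the buffer, not the input. */
static const uint8_t short_chunk[] = { 0x00, 0x00, 0x00, 0x20, 'x', 'y', 'z' };

/* Hardened reader on well-formed input: returns the payload length, 5. */
int safe_accepts_good(void)
{
    struct chunk c;
    int n = read_chunk_safe(good_chunk, sizeof good_chunk, &c);
    return (n == 5 && memcmp(c.data, "hello", 5) == 0) ? n : -2;
}

/* Hardened reader on a header that promises more than was delivered: -1. */
int safe_rejects_short(void)
{
    struct chunk c;
    return read_chunk_safe(short_chunk, sizeof short_chunk, &c);
}

/* Hardened reader on a chunk whose 65 payload bytes really are present but
 * exceed CHUNK_MAX: still -1, because here the destination is the limit. */
int safe_rejects_oversized(void)
{
    uint8_t buf[4 + CHUNK_MAX + 1];
    buf[0] = 0; buf[1] = 0; buf[2] = 0; buf[3] = CHUNK_MAX + 1;
    memset(buf + 4, 'A', CHUNK_MAX + 1);
    struct chunk c;
    return read_chunk_safe(buf, sizeof buf, &c);
}

/* The unsafe reader behaves identically on well-formed input (5), which is
 * why bugs of this kind survive ordinary testing. */
int unsafe_accepts_good(void)
{
    struct chunk c;
    return read_chunk_unsafe(good_chunk, sizeof good_chunk, &c);
}

int main(void)
{
    printf("safe, good input:      %d\n", safe_accepts_good());
    printf("safe, short input:     %d\n", safe_rejects_short());
    printf("safe, oversized input: %d\n", safe_rejects_oversized());
    printf("unsafe, good input:    %d\n", unsafe_accepts_good());
    /* read_chunk_unsafe is deliberately not called on short_chunk or the
     * oversized chunk: doing so is the over-read and overrun being described. */
    return 0;
}
```

Compile with cc -Wall and run. The check against in_len matters as much as the check against CHUNK_MAX: a parser that only bounds the destination still over-reads its source when a header promises more bytes than arrived, which is enough to leak memory or crash a dissector that is walking a captured packet.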

Konversation

The IRC client Konversation is reported to contain several security problems. Bugs in the Perl scripts shipped with it can, under some circumstances, be exploited by a remote attacker to execute arbitrary commands on the victim's machine; Server::parseWildcards contains bugs that a remote attacker may be able to use in a denial-of-service attack against Konversation; and a design problem in the quick connect dialog could lead a user to send a password as his or her nickname, disclosing it to the server and to other users.

Users should upgrade to version 0.15.1 of Konversation as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.