Buffer Overflows in RealPlayer and GNU Chess
01/28/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at two Linux kernel bugs; buffer overflows in RealPlayer, GNU Chess, and rsync, Squirrelmail, PHP-Nuke, Enterprise 3, UnixWare and Open UNIX's sort, IPFilter/9000, and
- Linux Kernel Bug
- Linux CIPE
- GNU Chess
- Tarantella Enterprise 3
- UnixWare and Open UNIX sort
There is a bug in some Linux kernels' ICMP implementation that can be remotely exploited to read random selections of memory. This bug is reported to affect Linux 2.2 kernels 2.2.18 and earlier and 2.4 kernels 2.4.0-test6 and earlier.
It is recommended that affected users upgrade their kernel to a safe version as soon as possible.
There is a vulnerability in the Linux kernel code for CIPE (Crypto IP Encapsulation), a VPN tunnel, that can be used by a remote attacker to crash the system by sending a specially crafted packet. CIPE tunnels IP packets inside encrypted UDP packets.
It is recommended that affected users upgrade CIPE to version 1.3.0-3 or newer, or watch for an updated Linux kernel version.
The rsync command is used to synchronize files and directories across
rsync has bugs related to signed integer handling that can be used, under some circumstances, by a remote attacker to execute arbitrary commands on the server with root privileges.
Users should upgrade rsync to version 2.4.6 or newer, or contact their vendor for a repaired version. It is also recommended that the "use chroot" option be enabled to reduce the impact of a successful attack.
It is recommended that users watch for a version of Squirrelmail that fixes both of these vulnerabilities.
RealPlayer, a streaming media player, has a buffer overflow in the code that parses the strings in its data files that may be exploitable to execute arbitrary code on the local machine with the user's permissions. RealNetworks reports that the following versions of RealPlayer are vulnerable: RealPlayer for Windows: RealOne Player, RealPlayer 7, RealPlayer 8, RealPlayer G2 (Build # 22.214.171.124 or higher), RealPlayer Intranet 8, RealPlayer and Intranet 7; RealPlayer for Macintosh: RealPlayer 8 and RealPlayer 7; and RealPlayer for Unix: RealOne Player Alpha for Linux 2.2, RealPlayer 7 for Unix, and RealPlayer 8 for Unix.
RealNetworks has released updates and replacement libraries for RealPlayer. Users should go to www.real.com for details.
GNU Chess allows a computer to play the game of chess; it has a terminal interface, but supports other interfaces. GNU Chess contains a buffer overflow that can be exploited by a remote attacker to execute arbitrary commands if the attacker can send GNU Chess commands.
This buffer overflow has been fixed in the 5.03beta release of GNU Chess, available from the GNU FTP site. GNU Chess does not have a network interface and was designed to be run locally on the user's computer and, as a result, was not written with security in mind. Users who wish to use GNU Chess over a network should consider using a tool such as FICS or Zippy from Xboard to secure the connection.
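The rsync, RealPlayer and GNU Chess items above all come down to one class of defect: data read from an untrusted source decides how many bytes get copied into a fixed-size buffer, and the check on that count is either missing or wrong. The following C example is added here for illustration; it is not code from rsync, RealPlayer, GNU Chess or this column. It models a constructed length-prefixed string field (a 4-byte length followed by the text), shows why a signed length check lets a negative value through, and shows the corrected check together with a reader that refuses malformed records. The names `FIELD_MAX`, `length_ok_buggy`, `length_ok_fixed` and `read_field` are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not project code. A record is a little-endian
 * 4-byte length followed by that many bytes of text. */

#define FIELD_MAX 64   /* size of the fixed destination buffer (constructed) */

/* Buggy check: both operands are signed ints, so the comparison is signed.
 * A negative length such as -1 passes, then becomes a huge size_t when it
 * reaches memcpy, which writes far past the buffer. Returns 1 if accepted. */
int length_ok_buggy(int32_t len)
{
    return len <= FIELD_MAX;
}

/* Corrected check: reject negative lengths explicitly and leave room for
 * the terminating NUL byte. */
int length_ok_fixed(int32_t len)
{
    return len >= 0 && len < FIELD_MAX;
}

/* Copy one record from `data` into `out` (FIELD_MAX bytes, NUL-terminated).
 * Returns the number of text bytes copied, or -1 if the header is short, the
 * length is out of range, or the record does not actually carry len bytes. */
int read_field(const unsigned char *data, size_t data_len, char out[FIELD_MAX])
{
    if (data_len < 4)
        return -1;

    /* Assemble the length as unsigned, then view it as the signed int32 the
     * format (in this constructed example) declares it to be. */
    uint32_t raw = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                   ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    int32_t len = (int32_t)raw;

    if (!length_ok_fixed(len))
        return -1;                       /* negative or too long for out[] */
    if ((size_t)len > data_len - 4)
        return -1;                       /* truncated record */

    memcpy(out, data + 4, (size_t)len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample records: a good one and one with length 0xFFFFFFFF. */
    const unsigned char good[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[]  = {0xff, 0xff, 0xff, 0xff, 'x'};
    char out[FIELD_MAX];

    printf("buggy check accepts -1: %d\n", length_ok_buggy(-1));
    printf("fixed check accepts -1: %d\n", length_ok_fixed(-1));
    printf("good record -> %d bytes (%s)\n", read_field(good, sizeof good, out), out);
    printf("bad record  -> %d\n", read_field(bad, sizeof bad, out));
    return 0;
}
```

The practical point is in `read_field`: every length that arrives from a file or a socket is validated twice, once against the destination buffer (never trusting signed arithmetic to do it) and once against the bytes actually present, before any copy happens.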
There is a vulnerability in PHP-Nuke that can be used by an attacker to execute arbitrary commands on the server with the permissions of the user executing the Web server. This vulnerability is the result of unfiltered user-supplied data being used in an
Users should watch for an updated version of PHP-Nuke.
enscript is a tool that is used to convert text files to PostScript and send them to a printer. Versions of enscript earlier than 1.6.2-4.1 are vulnerable to a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing
Users should upgrade enscript to version 1.6.2-4.1 or newer.
Tarantella Enterprise 3 is used to access enterprise resources via a Web interface. It is vulnerable to a race condition that can lead to a local root exploit during installation.
Users should consider placing the system in single-user mode while installing Tarantella Enterprise 3 until it has been patched to repair this vulnerability.
sniffit, a packet sniffer for Linux and most versions of Unix, has a buffer overflow that, if it is installed set-user-id root, can be exploited to gain root privileges.
Users should remove the set-user-id bit from sniffit until it has been
The sort command supplied with UnixWare 7.1.* and Open UNIX 8.0.0 has a temporary file race condition that can be used by a local attacker to overwrite arbitrary files with the permissions of the user executing
Caldera recommends that users upgrade sort as soon as possible.
Hewlett-Packard has announced a vulnerability in IPFilter/9000 running on HP-UX 11.00 or 11.11 that can be used to change its handling of packets.
Hewlett-Packard recommends that users upgrade to IPFilter/9000 version A.03.05.02.
Maelstrom, an Asteroids-type game ported from the Macintosh, has a temporary file symbolic link race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing Maelstrom. It is reported that Maelstrom versions 3.0.1 and earlier are vulnerable.
Users should avoid executing Maelstrom on multiuser machines until it has been fixed.
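The enscript, UnixWare sort and Maelstrom items share the same temporary-file race: the program picks a name under /tmp, then opens that name with O_CREAT but without O_EXCL, so a symbolic link planted at that path by another local user is silently followed and the program's own write lands on whatever file the link points at. The following C example is added here for illustration and is not code from any of those programs or from this column. It places the racy pattern beside the safe one: `mkstemp()` creates the file with O_CREAT|O_EXCL and mode 0600, so a pre-existing entry makes creation fail instead of being followed, and all later I/O goes through the descriptor rather than the path. The function names `write_temp_racy`, `write_temp_safe` and `create_exclusive`, and the `/tmp/example.XXXXXX` template, are the example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example, not project code. */

/* The racy pattern, kept for comparison and never called in this example:
 * the name is predictable (pid-based) and the open does not use O_EXCL, so
 * it follows whatever already sits at that path, symlink included. */
int write_temp_racy(const char *payload)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/example.%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* no O_EXCL */
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Exclusive create of a fixed path: fails with EEXIST if anything, a file or
 * a symlink, is already there. This is the primitive mkstemp() builds on. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The safe pattern. Creates a fresh file via mkstemp(), verifies through the
 * descriptor that it really is a private regular file, writes the payload,
 * and reports the path so the caller can clean up. Returns 0 on success. */
int write_temp_safe(const char *payload, char *path_out, size_t path_out_len)
{
    char tmpl[] = "/tmp/example.XXXXXX";   /* mkstemp replaces the XXXXXX */
    int fd = mkstemp(tmpl);                 /* O_CREAT|O_EXCL|O_RDWR, 0600 */
    if (fd < 0)
        return -1;

    /* Belt and braces: inspect what we opened, not the path name. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }

    size_t len = strlen(payload);
    if (write(fd, payload, len) != (ssize_t)len) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(path_out, path_out_len, "%s", tmpl);
    return 0;
}

int main(void)
{
    char path[64];
    if (write_temp_safe("constructed sample content\n", path, sizeof path) != 0) {
        perror("write_temp_safe");
        return 1;
    }
    printf("created %s\n", path);

    /* A second exclusive create of the same name must fail with EEXIST. */
    int fd = create_exclusive(path);
    printf("exclusive re-create: %s\n", fd < 0 ? strerror(errno) : "unexpected success");
    if (fd >= 0)
        close(fd);

    unlink(path);
    return 0;
}
```

The `fstat` check after `mkstemp` is not strictly needed on a correct libc, but it costs one system call and catches a misconfigured or malicious replacement of the temporary directory; the decisive protection is still O_EXCL plus using the descriptor rather than reopening by name.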