oreilly.comSafari Books Online.Conferences.


Security Alerts

Flaws in LIDS, CUPS, and Sawmill


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a security vulnerability in LIDS; buffer overflows in CUPS, jgroff, Sun Solstice Enterprise Master Agent, and Ettercap; and problems in Sawmill, Faq-O-Matic, pforum, GNAT, Taylor UUCP, and IRIX O2 Video.


LIDS is a Linux kernel patch and admin tool that enhances Linux kernel security and provides a reference monitor and Mandatory Access Control in the kernel. There are several vulnerabilities in LIDS that can be exploited by a local attacker to execute arbitrary commands with root permissions and bypass or disable LIDS. These vulnerabilities include problems with the LD_PRELOAD environment variable, writing directly to /dev/kmem, and a race condition in applications that are launched prior to LIDS being sealed.

The LIDS team recommends that users upgrade to lids-1.1.1pre2-2.4.16.tar.gz for 2.4-series kernel users and that 2.2 kernel users apply the patch LIDS-security-patch-0.10.1-2.2.20.diff.gz.


Sawmill, a Web server log file analysis and report generator, has a vulnerability that can be exploited by a local attacker to overwrite the Sawmill password file, replacing the Sawmill password with a arbitrary password. When Sawmill is executed and the user enters the initial password, the password file is created with world-writable permissions. As the password is stored in an MD5 hash, an arbitrary password can be easily created.

It is recommended that users upgrade to Sawmill version 6.2.15 and change the permissions of the AdminPassword file to 600.


CUPS, the Common Unix Printing System, has a potentially-exploitable buffer overflow in the code that handles the names of attributes. It has been reported that this buffer overflow affects all versions of CUPS earlier than version 1.1.14.

Users should upgrade CUPS to version 1.1.14 or newer as soon as possible and if the printing system is not needed, they should consider removing it or turning it off.


Related Reading

Understanding the Linux Kernel
By Daniel P. Bovet, Marco Cesati

The Faq-O-Matic Frequently Asked Question manager is vulnerable to a cross-site scripting attack that can be used by an attacker to run JavaScript in other users' browsers. This vulnerability can be used to steal cookies from the Faq-O-Matic administrator or one of the moderators.

It is recommended that users watch their vendor for an update to repair this problem or download the latest stable version from the Faq-O-Matic Web site.


jgroff is a version of the groff document-formatting system that has been modified to support the Japanese character set. It has a buffer overflow that may be exploitable to execute arbitrary code with the permissions of the printing system.

Affected users should upgrade to a repaired version as soon as possible or replace jgroff with a version of groff that supports Japanese character sets.


pforum, a Web-based bulletin board system written using PHP and MySQL, does not properly check all user input under some circumstances. This problem can be exploited, if the Web server does not have Magic-Quotes enabled, to log in to pforum as the administrator or another user.

Users should ensure that the Web server that pforum is installed on has Magic-Quotes enabled in the php.ini file. It has been reported that there is a patch available for those users who do not have the ability to change the php.ini file on their Web server.

Sun Solstice Enterprise Master Agent

A buffer overflow in the Sun Solstice Enterprise Master Agent snmpdx may be exploitable by a remote attacker to execute arbitrary code with root permissions.

Affected users should obtain and apply the appropriate patch for their system. Patches have been released by Sun for Solaris (X86 and Sparc versions) 2.6, 7, and 8.


Executables created with GNAT (the GNU Ada compiler) that use the facility to create named temporary files are vulnerable to temporary-file symbolic-link race condition attacks by a local attacker. Versions 3.12p, 3.13po, and 3.14p are known to be affected.

Users should watch for an update that repairs this vulnerability.

Taylor UUCP

A flaw in Taylor UUCP can be used by an attacker to write arbitrary files to any location to which UUCP can write. On some systems, this may be usable to gain root access.

It is recommended that users watch for a patch or an upgrade to repair this flaw, and that if the UUCP system is not needed, it be removed or disabled.


The Ettercap network sniffer package has a bug that, under some conditions, can be exploited by a remote attacker to execute arbitrary code with root permissions. An exploit script has been created that will allow a remote root login if Ettercap is listening on an interface with a MTU larger than 2000. On interfaces with MTUs smaller than 2000, Ettercap can be crashed with a carefully-crafted packet.

Users should not use Ettercap to listen on an interface with a MTU that is set to 2000 or larger until they have upgraded Ettercap to a repaired version.

IRIX O2 Video Security Issue

On all SGI O2 systems, a remote attacker can view the system's screen, even if the xhosts or xauth configuration would normally provide protection. If the vcp default input is configured to "Output Video," the remote attacker can execute videoout and videoin and will see the screen.

SGI recommends that all affected users watch for a patch and add the following to /var/X11/xdm/Xstartup:

# Set the permissions of /dev/mvp so only 
# the console user has access
if [ -r /dev/mvp ]; then
   chown $USER /dev/mvp
   chmod 600 /dev/mvp

and add the following to /var/X11/xdm/Xreset:

# Reset the permissions on /dev/mvp
if [ -r /dev/mvp ]; then
   chown root /dev/mvp
   chmod 666 /dev/mvp

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: