oreilly.comSafari Books Online.Conferences.


Security Alerts Summer GNATS Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in OpenSSH, radiusd-cistron, Ethereal, ypserv, lbreakout, GNATS, frox, poster, eldav, and PerlEdit.


OpenSSH versions 3.6.1 and earlier have a bug that can be used under some conditions to bypass connection restrictions and allow users from unauthorized (or even restricted) hosts to connect. The bug may still be exploitable even when the VeriftyReverseMapping parameter in the sshd configuration file is set to yes. F-Secure's SSH 1 and SSH 2 are not reported to be vulnerable to this bug.

Users should consider using a tool such as tcp-wrappers or a firewall to provide additional host restrictions, and should watch for an update to OpenSSH.


The radiusd-cistron server provides RADIUS (Remote Authentication Dial In User Service) authentication and logging to remote devices, applications, and servers. A buffer overflow in the radiusd-cistron server's code that handles NAS numbers may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the radiusd-cistron server (often root).

It is recommended that users upgrade to a repaired version of radiusd-cistron and that they consider protecting the server from unauthorized connections using a tool such as a firewall.

Related Reading

Linux Security Cookbook
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes


Ethereal, a network sniffing and analysis tool, is vulnerable to several denial-of-service attacks, a buffer overflow in the code dealing with the OSI dissector, and several other problems. A remote attacker who can send arbitrary packets onto the network that Ethereal is monitoring, or can place them into a trace file that is opened for analysis using Ethereal, can potentially execute arbitrary code with the permissions of the user running Ethereal.

Users are encouraged to upgrade to Ethereal 0.9.13 as soon as possible and should consider disabling Ethereal until it has been upgraded.

ypserv NIS server

The ypserv NIS (Network Information Service) server is vulnerable to a trivial denial-of-service attack. If the attacker sends an NIS request over TCP and then does not respond to the response, ypserv will fail to respond to all other requests. This vulnerability is reported to affect all version of ypserv prior to 2.8.

Affected users should upgrade to version 2.8 of ypserv as soon as possible.


lbreakout is a Breakout game for the X Window system written using the SDL library. Both the server and the client of the game are reported to be vulnerable to a format-string-based attack. In the case of the server, the vulnerability could be used by a remote attacker to execute arbitrary code with the permissions of the user running the game server. A script to automate the remote exploitation of the game has been released to the public.

Users should watch for a repaired version and should not run the vulnerable server on an untrusted network.

The GNU Bug-Tracking System

GNATS, the GNU bug-tracking system, is vulnerable to several buffer overflows that may be exploitable to execute arbitrary code with the permissions GNATS is running under (in most cases, the user gnats or the root user). It has been reported that if the gnats user id is not present when GNATS is installed, the installation will make the GNATS utilities set user id root. A utility for locally exploiting these buffer overflows in GNATS has been released to the public.

Users should watch for an updated version of GNATS or patches to repair these problems.


The caching FTP proxy server frox is vulnerable during startup to a symbolic-link race condition that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running frox.

Affected users should watch their vendor for an updated version.


The utility poster takes a one-page PostScript file and scales it to an arbitrarily sized poster. poster contains a buffer overflow that can be exploited using a carefully crafted PostScript file when the victim uses poster to scale the image.

Users should exercise care in which PostScript files they scale using poster, and should watch their vendor for a repaired version.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble


The eldav emacs WebDAV (Web-based Distributed Authoring and Versioning) client is vulnerable to a symbolic-link temporary file race condition that, under some conditions, can be exploited to overwrite files on the system using the permissions of the user running emacs.

It is recommended that users upgrade to eldav 0.7.2 as soon as possible.


PerlEdit, an IDE for Perl and text editor that is available for Windows and Linux, is reported to be vulnerable to a denial-of-service attack that possibly could be exploited to execute code. It is reported that upon starting up, PerlEdit opens TCP port 1956, and that opening a connection to this port will cause PerlEdit to crash. This problem is reported to affect all versions of PerlEdit through 1.07.

Users should watch for updates to PerlEdit that repair this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: