

Security Alerts: Linux Kernel Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Ethereal, Tethereal, INN, mpg321, vbox3, isakmpd, nd, phpGroupWare, and enq.

Linux Kernel Problem

A flaw in the mremap() system call of the Linux kernel can, under some conditions, be exploited by a local attacker to gain root permissions. mremap() is used to move and resize virtual memory areas (VMAs).

In addition, the code in the Linux kernel that provides the real-time clock does not properly initialize all of its structures before handing them to user space. This can leak privileged kernel memory into user-readable memory.
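To show how that kind of leak arises, the following added example (not code from the column or from the kernel) simulates the bug in user space. The structure, field names and 0xAA sentinel are constructed for the illustration: a record is placed in memory that still holds old contents, every field is assigned, and the alignment padding between fields is inspected. Field-by-field assignment never touches the padding, so the old bytes survive; zeroing the whole object first is the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical clock record of the kind a driver might hand back to user
 * space (constructed for this example; not the real kernel structure).
 * The mix of field widths forces alignment padding on common ABIs. */
struct clock_record {
    unsigned char      valid;    /* 1 byte, then padding up to the int  */
    unsigned int       seconds;
    unsigned short     minutes;  /* 2 bytes, then padding up to the u64 */
    unsigned long long ticks;
};

/* Lets the same bytes be written as fields and read back as raw octets. */
union record_view {
    struct clock_record rec;
    unsigned char       raw[sizeof(struct clock_record)];
};

#define STALE 0xAA   /* constructed sentinel standing in for old stack contents */

/* Number of bytes in the record that belong to no field. */
size_t padding_bytes(void)
{
    return sizeof(struct clock_record)
         - sizeof(unsigned char) - sizeof(unsigned int)
         - sizeof(unsigned short) - sizeof(unsigned long long);
}

#define IN_FIELD(i, f) \
    ((i) >= offsetof(struct clock_record, f) && \
     (i) <  offsetof(struct clock_record, f) + sizeof(((struct clock_record *)0)->f))

static int in_field(size_t i)
{
    return IN_FIELD(i, valid) || IN_FIELD(i, seconds)
        || IN_FIELD(i, minutes) || IN_FIELD(i, ticks);
}

/* Count padding bytes that still carry the sentinel after the record was filled. */
static size_t stale_padding(const union record_view *v)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof v->raw; i++)
        if (!in_field(i) && v->raw[i] == STALE)
            n++;
    return n;
}

static void fill_fields(struct clock_record *r)
{
    r->valid = 1;
    r->seconds = 42;
    r->minutes = 7;
    r->ticks = 123456789ULL;
}

/* Bug pattern: every field is assigned, but the object is never cleared.
 * Member stores do not touch padding, so whatever the memory held before
 * travels out with the record. Returns the number of leaked bytes. */
size_t leaked_bytes_unsafe(void)
{
    union record_view v;
    memset(v.raw, STALE, sizeof v.raw);   /* simulate a reused stack slot */
    fill_fields(&v.rec);
    return stale_padding(&v);
}

/* Fix: zero the whole object before filling it, so padding is defined. */
size_t leaked_bytes_safe(void)
{
    union record_view v;
    memset(v.raw, STALE, sizeof v.raw);
    memset(&v.rec, 0, sizeof v.rec);      /* the missing initialisation */
    fill_fields(&v.rec);
    return stale_padding(&v);
}

int main(void)
{
    printf("padding bytes in record: %zu\n", padding_bytes());
    printf("leaked without memset:   %zu\n", leaked_bytes_unsafe());
    printf("leaked with memset:      %zu\n", leaked_bytes_safe());
    return 0;
}
```

On x86-64 the record carries nine padding bytes, and all nine come back intact in the unsafe variant. The same reasoning applies to any structure copied out with copy_to_user(): either clear it completely first or copy only the individual fields.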

Updated packages have been released for Immunix Secured OS 7.3; SuSE Linux 8.0, 8.1, 8.2, and 9.0; SuSE Linux Enterprise Server 7, SuSE Linux Database Server, SuSE eMail Server III 3.1, SuSE Linux Firewall on CD, SuSE Linux Office Server, SuSE Linux Desktop 1.0, and SuSE Linux School Server; Trustix Secure Linux 2.0; Conectiva Linux 8 and 9; Slackware 8.1; Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; Mandrake Linux 9.0, 9.1, 9.2, and 9.2/AMD64; Mandrake Multi Network Firewall 8.2; and Mandrake Corporate Server 2.1.

Ethereal and Tethereal

Ethereal and Tethereal are network-protocol analyzers for Unix and Windows that can examine data from a network interface or from saved capture files. Problems in the code that handles SMB packets and in the Q.931 dissector can cause Ethereal and Tethereal to crash, and it is possible that these problems can be exploited to execute arbitrary code.

It is recommended that users upgrade to version 0.10.0 as soon as possible. If it is not possible to upgrade, users should disable the SMB and Q.931 protocol dissectors by selecting Edit->Protocols and deselecting them from the list.

INN

The INN Internet news server is vulnerable to a buffer overflow that may be exploited by a remote attacker to execute arbitrary code as the news user. The buffer overflow is in the control-message handling code in INN version 2.4.0.

Users should upgrade to ISC INN version 2.4.1.

mpg321

The command-line MP3 player mpg321 contains a bug that, under some conditions, may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running mpg321. To exploit it, the attacker must get mpg321 to play an MP3 file the attacker has crafted, either as a local file or over HTTP streaming.

A repaired version has been released for Debian GNU/Linux. Users of other distributions should watch their vendors for a repaired version.

vbox3

vbox3, a voice-response system for isdn4linux, does not properly drop its root permissions as it runs. This flaw can be exploited by a local user, under some conditions, to execute scripts with root permissions.

Affected users should watch for a new version that contains a fix for this flaw.

isakmpd

OpenBSD's IKE (Internet Key Exchange) key-management daemon isakmpd is reported to be vulnerable to two attacks that can cause the unauthorized deletion of IPsec IKE Security Associations (SAs). Both are reported to work by sending a forged INVALID-SPI or INITIAL-CONTACT notification to the victim's isakmpd daemon.

Affected users should watch for an updated version of isakmpd.

nd

nd is a small command-line tool for Web-based Distributed Authoring and Versioning (WebDAV). WebDAV is an extension to the HTTP protocol that allows remote users to collaborate on and maintain web pages. Several buffer overflows have been reported in nd; a remote attacker who controls a WebDAV server may be able to execute arbitrary code on the victim's machine when the victim connects to that server. These buffer overflows are reported to be in nd versions 0.8.1 and earlier.

Users should upgrade to version 0.8.2 or newer as soon as possible and should consider disabling nd until it has been upgraded. Updated packages have been released for Debian GNU/Linux.

tripwire on SuSE Linux

tripwire is a security tool that records cryptographic hashes of files on a system so that the files can later be compared against the recorded hashes to check whether they have changed. The version of tripwire distributed with SuSE Linux 8.2 and 9.0 is reported to crash when a requested file does not exist.
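The following added example (not tripwire's code and not from the column) shows the shape of such a baseline comparison and, in particular, the edge case the advisory describes: a path from the baseline that no longer exists is reported as a verdict rather than dereferenced. The hash is 64-bit FNV-1a, used here only as a placeholder for the cryptographic hash a real checker would record; the baseline entries and paths are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Per-file verdicts. A missing file is a reportable state, not a fatal error. */
enum verdict { FILE_UNCHANGED, FILE_CHANGED, FILE_MISSING, FILE_UNREADABLE };

/* 64-bit FNV-1a over a stream. A placeholder for the cryptographic hash a
 * real integrity checker records; it shows the control flow, not a secure hash. */
uint64_t hash_stream(FILE *fp)
{
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV offset basis: hash of empty input */
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, fp)) > 0)
        for (size_t i = 0; i < n; i++) {
            h ^= buf[i];
            h *= 0x100000001b3ULL;
        }
    return h;
}

/* Compare one path against its recorded hash. The file is never assumed to
 * exist: a failed fopen() is classified by errno and reported, and "actual"
 * (if non-NULL) receives the freshly computed hash when there is one. */
enum verdict check_path(const char *path, uint64_t recorded, uint64_t *actual)
{
    FILE *fp = fopen(path, "rb");
    if (!fp)
        return errno == ENOENT ? FILE_MISSING : FILE_UNREADABLE;
    uint64_t h = hash_stream(fp);
    fclose(fp);
    if (actual)
        *actual = h;
    return h == recorded ? FILE_UNCHANGED : FILE_CHANGED;
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case FILE_UNCHANGED: return "unchanged";
    case FILE_CHANGED:   return "CHANGED";
    case FILE_MISSING:   return "MISSING";
    default:             return "unreadable";
    }
}

int main(void)
{
    /* Constructed baseline: paths with the hash recorded at baseline time.
     * /dev/null stands in for a file that has not changed; the second path
     * is deliberately absent to exercise the missing-file branch. */
    struct { const char *path; uint64_t hash; } baseline[] = {
        { "/dev/null",                        0xcbf29ce484222325ULL },
        { "/nonexistent/constructed/example", 0 },
    };
    for (size_t i = 0; i < sizeof baseline / sizeof baseline[0]; i++) {
        uint64_t actual = 0;
        enum verdict v = check_path(baseline[i].path, baseline[i].hash, &actual);
        printf("%-36s %s\n", baseline[i].path, verdict_name(v));
    }
    return 0;
}
```

A deleted file is itself a finding for an integrity checker, which is why the missing case deserves its own verdict and a clean report rather than a crash that halts the remaining checks.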

Affected users should watch SuSE for an update.

phpGroupWare

phpGroupWare is a web-based groupware system written in PHP. A vulnerability in its calendar module can be exploited by a remote attacker to execute arbitrary PHP code with the permissions of the user running the web server. The calendar has a feature that lets users save files to the server; because the module did not enforce which file extensions were allowed, an attacker could upload files that could then be executed remotely.
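The missing control is an extension allowlist applied before a user-supplied file name reaches the disk. The following added example (written in C for consistency with the rest of this page; it is not phpGroupWare's code, which is PHP) shows such a check. The allowlist, the upload directory and the sample names are constructed; the check rejects path separators, dotfiles, missing or trailing extensions and double extensions, and compares case-insensitively.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist of extensions the save feature is meant to accept (constructed). */
static const char *const allowed_ext[] = { "txt", "ics", "jpg", "png", "gif" };

/* Case-insensitive comparison of an extension against one allowlist entry. */
static int ext_equals(const char *ext, const char *allowed)
{
    size_t k = 0;
    for (; ext[k] && allowed[k]; k++)
        if (tolower((unsigned char)ext[k]) != (unsigned char)allowed[k])
            return 0;
    return ext[k] == '\0' && allowed[k] == '\0';
}

/* Return 1 only for a bare file name of the form base.ext with ext on the
 * allowlist. Rejects path separators, names without an extension, dotfiles,
 * a trailing dot, and multiple extensions ("shell.php.jpg"), and compares
 * case-insensitively so "shell.PHP" is not smuggled past a lowercase list. */
int upload_name_allowed(const char *name)
{
    if (!name || !*name)
        return 0;
    if (strchr(name, '/') || strchr(name, '\\'))
        return 0;
    const char *dot = strchr(name, '.');
    if (!dot || dot == name || dot[1] == '\0' || dot != strrchr(name, '.'))
        return 0;
    for (size_t i = 0; i < sizeof allowed_ext / sizeof allowed_ext[0]; i++)
        if (ext_equals(dot + 1, allowed_ext[i]))
            return 1;
    return 0;
}

/* Build the on-disk path for an accepted name under a directory the web
 * server is configured not to execute scripts from (constructed path).
 * Returns 1 on success, 0 if the name is rejected or the buffer is too small. */
int build_upload_path(const char *name, char *out, size_t outlen)
{
    if (!upload_name_allowed(name))
        return 0;
    int n = snprintf(out, outlen, "/var/lib/groupware/uploads/%s", name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    const char *samples[] = { "meeting.ics", "notes.TXT", "shell.php",
                              "shell.php.jpg", "../etc/passwd", ".htaccess" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               build_upload_path(samples[i], path, sizeof path) ? path : "rejected");
    return 0;
}
```

The allowlist is only half the defence: the upload directory should also be one the web server will serve as static content and never hand to the PHP interpreter, so that a mistake in the name check does not become code execution.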

Additionally, under some conditions an SQL-injection attack was possible, because variables in the calendar and infolog modules were not properly screened and escaped.

Users should watch for a repaired version of phpGroupWare.

enq on AIX

The AIX enq utility queues requests to a shared resource, such as a printer. IBM has reported that the version of enq that ships with AIX 4.3, 5.1, and 5.2 is vulnerable to a format-string-based attack that can be exploited by an attacker who has printq group permissions to gain root permissions.
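The defect class named here, a format-string bug, comes from passing caller-controlled text as the format argument of a printf-family function. The following added example (not IBM's code and not from the column) puts the bug pattern beside the fixed form and adds a small review aid that flags strings carrying conversion directives. The function names and the sample input are constructed; the unsafe variant is included only to show the shape of the defect and is never called with hostile input.

```c
#include <stdio.h>
#include <string.h>

/* Bug pattern: caller-controlled text is used as the format string itself.
 * Any '%' directives in the text are interpreted and consume arguments that
 * were never passed; in a setgid utility that is the exposure the advisory
 * describes. Shown for its shape only; called here with plain text only. */
int log_request_unsafe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, user_text);
}

/* Fix: the format is a compile-time constant and the untrusted text is an
 * argument to "%s", so its content is copied, never interpreted. */
int log_request_safe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "queue request: %s", user_text);
}

/* Review/fuzzing aid: does a string contain a conversion directive?
 * A literal "%%" is an escaped percent sign; any other '%' is suspect. */
int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {
            p++;          /* skip the escaped pair */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[128];
    const char *hostile = "%x%x%x%n";   /* constructed sample input */
    log_request_safe(line, sizeof line, hostile);
    printf("safe:   %s\n", line);
    printf("directive present: %d\n", has_format_directive(hostile));
    return 0;
}
```

Modern compilers flag the unsafe form with -Wformat-security; building privileged tools with that warning treated as an error catches this class before it ships.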

IBM encourages users to upgrade using the appropriate APAR as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
