

Device-Driver Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, Apache 2, the Linux Virtual Server, Pure-FTPd, FreeBSD's Linux binary compatibility mode, Domino, Shorewall, libpng, and the X Display Manager.

Linux Kernel Problems

Problems in multiple device drivers may be exploitable by a local attacker to gain root permissions or read kernel memory. Affected drivers include aironet, asus_acpi, decnet, mpu401, msnd, and pss.

Under some circumstances, a missing check in the fchown() function can be abused by a local user to change the ownership of files that the user does not have permission to change. It may be possible to exploit this problem to gain root permissions.

A permissions problem with the file /proc/scsi/qla2300/HbaApiNode may be exploited in a local denial-of-service attack.

Users should upgrade to repaired kernel packages supplied by their vendors.

Apache 2

The Apache 2.x line of web servers is vulnerable to a remote denial-of-service attack that, under some conditions, may be exploitable as a buffer overflow resulting in the execution of arbitrary code with the same permissions as the web server. The attack uses header lines that start with a tab or a space character to exploit a flaw in a function in the server/protocol.c file. On 32-bit machines, the flaw can be used to consume all available memory, causing Apache to stop responding and possibly crashing the machine. Under some conditions, on a 64-bit machine with 4GB or more of virtual memory, a related buffer overflow may be exploitable to execute arbitrary code. The 1.3.x line of Apache web servers is reported not to be vulnerable.

This vulnerability has been fixed in Apache 2.0.50 and all users are encouraged to upgrade as soon as possible. There is no reported workaround for this vulnerability.
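The following is an added illustration of the mechanism behind this class of bug, not Apache's code and not the fix shipped in 2.0.50. HTTP/1.1 allows a header value to continue on the next line when that line begins with a space or a tab; a parser that keeps appending such continuation lines with no upper bound lets the client decide how much memory a single header consumes. The bounded parser checks the limit before every append. The limits MAX_HEADER_BYTES and MAX_HEADERS, the HeaderTooLarge exception, and the sample header block are all assumptions made for the example.

```python
"""Bounded folding of HTTP header continuation lines.

Added example, not Apache's code. HTTP/1.1 (RFC 2616) allows a header value
to continue on the next line when that line starts with a space or a tab.
A parser that appends continuation lines with no upper bound lets the client
decide how much memory one header consumes; the hardened parser checks the
size before every append. MAX_HEADER_BYTES and MAX_HEADERS are assumed
example values, not Apache settings.
"""

MAX_HEADER_BYTES = 8192  # assumed cap on one folded header value (example value)
MAX_HEADERS = 100        # assumed cap on the number of header fields (example value)


class HeaderTooLarge(ValueError):
    """Raised by the bounded parser when a limit would be exceeded."""


def _split_field(line: bytes):
    """Split 'Name: value' into (lowercased name, stripped value)."""
    field, sep, value = line.partition(b":")
    if not sep:
        raise ValueError(f"malformed header line: {line!r}")
    return field.strip().lower(), value.strip()


def parse_headers_unbounded(block: bytes) -> dict:
    """Naive parser: every continuation line is appended, whatever the total."""
    headers, name = {}, None
    for line in block.split(b"\r\n"):
        if line == b"":
            break  # blank line ends the header block
        if line[:1] in (b" ", b"\t"):
            if name is None:
                raise ValueError("continuation line before any header field")
            headers[name] += b" " + line.strip()
        else:
            name, value = _split_field(line)
            headers[name] = value
    return headers


def parse_headers_bounded(block: bytes, limit: int = MAX_HEADER_BYTES) -> dict:
    """Hardened parser: the limit is checked before bytes are accumulated."""
    headers, name = {}, None
    for line in block.split(b"\r\n"):
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            if name is None:
                raise ValueError("continuation line before any header field")
            addition = line.strip()
            # Refuse before appending, so memory never grows past the limit.
            if len(headers[name]) + 1 + len(addition) > limit:
                raise HeaderTooLarge(f"folded header {name!r} exceeds {limit} bytes")
            headers[name] += b" " + addition
        else:
            name, value = _split_field(line)
            if name not in headers and len(headers) >= MAX_HEADERS:
                raise HeaderTooLarge("too many header fields")
            if len(value) > limit:
                raise HeaderTooLarge(f"header {name!r} exceeds {limit} bytes")
            headers[name] = value
    return headers


def header_block_ok(block: bytes, limit: int = MAX_HEADER_BYTES) -> bool:
    """True if the bounded parser accepts the block, False if it hits a limit."""
    try:
        parse_headers_bounded(block, limit)
        return True
    except HeaderTooLarge:
        return False


def build_header_block(continuations: int, chunk: bytes = b"x" * 64) -> bytes:
    """Constructed sample input: two headers, the second followed by N continuation lines."""
    lines = [b"Host: example.test", b"X-Test: start"]
    lines += [b"\t" + chunk] * continuations
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    small, large = build_header_block(3), build_header_block(200)
    print(len(parse_headers_unbounded(large)[b"x-test"]), "bytes accepted by the naive parser")
    print("bounded parser accepts small block:", header_block_ok(small))
    print("bounded parser accepts large block:", header_block_ok(large))
```

With the assumed 8192-byte cap and 64-byte continuation lines, the naive parser accepts a 200-line folded header of 13005 bytes while the bounded parser rejects the block at the 126th continuation line. The point is where the check sits: it runs before the append, so the accumulated value can never exceed the cap regardless of how many lines arrive.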

Linux Virtual Server

The Linux Virtual Server modifies the Linux kernel to provide virtual servers that run under one kernel but have virtual user spaces with their own password files and root logins. A flaw in the way the procfs filesystem is handled in virtual server spaces has been discovered. The flaw allows users in one virtual space to make changes (to permissions, ownership, etc.) to procfs that apply throughout all of the virtual spaces and the host system. procfs is a virtual filesystem in the Linux kernel that exists only in memory and gives userland applications access to certain information from the kernel.

Affected users of the Linux Virtual Server should upgrade to Version 1.28 as soon as possible or, as a workaround, mount the procfs filesystem read-only on the host system.

Pure-FTPd

Pure-FTPd is an open source FTP daemon designed to be secure and reliable and to follow the FTP standard. It is based upon the Troll-FTPd server. The Pure-FTPd FTP daemon is vulnerable to a denial-of-service attack that uses a bug in the accept_client() function. When the maximum number of connections has been reached on the FTP server, the attacker can cause Pure-FTPd to crash.

Version 1.0.19 of Pure-FTPd has been released to repair this vulnerability.

FreeBSD Linux Binary Compatibility Mode

Linux binary compatibility mode provides FreeBSD with the capability to execute Linux binaries without having to recompile them. Bugs in the way that multiple Linux system calls are handled may be exploitable by an attacker to read or write portions of kernel memory, resulting in a denial-of-service condition, the gaining of root permissions, or an information disclosure.

It is recommended that Linux binary compatibility mode be disabled until the system has been upgraded or patched to a repaired version.

Domino

It has been reported that any user of IBM's Domino application server can, under some conditions, change their quota limits to any arbitrary value by exploiting a flaw in Domino's IMAP support. The Domino server and the user's email account must have IMAP enabled before this attack can take place.

Users should watch IBM for a solution to this problem.

Shorewall

Shorewall, a tool for configuring the Linux kernel firewall Netfilter, is vulnerable to a symbolic-link temporary-file race condition that can be exploited by a local attacker to overwrite arbitrary files on the server with root permissions.

Affected users should upgrade to version 1.4.10f or newer as soon as possible.
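The following is an added illustration of the temporary-file race described above, not Shorewall's code. A script that writes to a predictable name under /tmp with a plain open-for-writing follows whatever symbolic link already sits at that name, so the write lands on the link's target with the script's privileges. Creating the file with O_CREAT|O_EXCL, or with tempfile.mkstemp, which combines O_EXCL with an unpredictable name, refuses to proceed if anything already exists at the path. The file names, the "victim" file and the throwaway directory are all constructed for the demonstration.

```python
"""Temporary-file creation: a symlink-following pattern beside a safe one.

Added example, not Shorewall's code. unsafe_write() shows the predictable-name
pattern that a symlink race abuses; safe_write() and safe_tempfile_write()
show the two usual fixes. run_demo() sets up a constructed victim file and a
symlink inside a throwaway directory and reports what each writer did to it.
"""
import os
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """Predictable-name pattern: open() follows a symlink already at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Create the file atomically. POSIX guarantees that O_CREAT|O_EXCL fails
    with EEXIST when `path` already exists, including when it is a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def safe_tempfile_write(directory: str, data: bytes) -> str:
    """Idiomatic form: mkstemp picks an unpredictable name and opens it with
    O_EXCL and mode 0600, so there is no fixed name to pre-create."""
    fd, path = tempfile.mkstemp(prefix="fw.", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo() -> dict:
    """Plant a symlink at the predictable name, pointing at a constructed
    'victim' file, then try each writer and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")        # stand-in for a root-owned file
        predictable = os.path.join(work, "firewall.tmp")  # stand-in for a fixed /tmp name
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        os.symlink(victim, predictable)

        unsafe_write(predictable, b"clobbered\n")
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()

        with open(victim, "wb") as fh:  # reset the victim for the second attempt
            fh.write(b"original\n")
        try:
            safe_write(predictable, b"clobbered\n")
            refused = False
        except FileExistsError:
            refused = True
        with open(victim, "rb") as fh:
            after_safe = fh.read()

        temp_path = safe_tempfile_write(work, b"rules\n")
        mode = os.stat(temp_path).st_mode & 0o777
        return {
            "after_unsafe": after_unsafe,
            "safe_refused": refused,
            "after_safe": after_safe,
            "tempfile_in_dir": os.path.dirname(temp_path) == work,
            "tempfile_group_other_bits": mode & 0o077,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running the demo shows the naive writer replacing the victim's contents through the symlink, while the O_EXCL writer raises FileExistsError and leaves the victim untouched. The mkstemp variant removes the predictable name altogether, which is why it is the usual recommendation for shell and C tools alike (mktemp(1) is the shell equivalent).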

libpng

The libpng graphics library provides support for Portable Network Graphics (PNG) images. libpng contains buffer overflows in code that handles loop offset values and in code that handles grayscale images. These buffer overflows can, under some conditions, be exploited to execute arbitrary code with the permissions of the linked application (sometimes root). Applications commonly linked against libpng include apache, blender, cups, emacs, gd, gif2png, gimp, gnuplot, gqview, gtk2, imagemagick, imlib, latex2html, lbreakout, libwmf, mplayer, netpbm, php, php3, php5, povray, pstoedit, scribus, transfig, webalizer, wv, xplanet, and xv.

All users should upgrade to a repaired version of libpng as soon as possible.

X Display Manager (XDM)

Some versions of the X Display Manager will allow users to log in even when it is configured not to allow remote logins (i.e., DisplayManager.requestPort is set to 0). The attacker must have access to a local account before they can connect. Many older versions of XDM are not vulnerable to this problem, but it is not clear in which version the bug was introduced.

Affected users should watch their vendors for an updated version of XDM.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
