

Security Alerts

Problems in OpenSSH, Sudo, and Java

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in OpenSSH, Sudo, Sun Java, Blackdown Java, tcpdump, cpio, JBOSS, Adobe Reader and Acrobat, gedit, Gaim, and Trac.


OpenSSH

A problem has been reported in OpenSSH's scp command that may, under some conditions, result in arbitrary files being written on the local machine when scp is used to copy files from a malicious server. All versions of OpenSSH prior to version 3.4p1 are reported to be vulnerable to this problem.

Users should upgrade to version 3.4p1 of OpenSSH as soon as possible. Upgraded packages are known to be available from SuSE, Conectiva, Mandriva (formerly known as Mandrake), and Red Hat.


Sudo

Sudo is a utility that allows a list of permitted users to execute commands as the superuser or another user. Sudo is reported to be vulnerable to a race condition in the code that handles a command's path. This vulnerability could be exploited to allow a user who is authorized to run one command as root to execute any command as root. Versions 1.3.1 through 1.6.8p8 of Sudo have been reported to be affected.

Users of Sudo should keep in mind that creating a utility to allow users to perform a limited number of commands with root permissions without causing a security problem is, at best, a very difficult task. Anyone using Sudo on his or her system should carefully consider the benefits and risks. If Sudo is used, a careful watch for vulnerabilities should be kept.

All users of Sudo should upgrade to version 1.6.8p9 or newer as soon as possible.

Sun and Blackdown Java

Both Sun's and Blackdown's Java Runtime Environment (JRE) and Java Development Kit (JDK) are vulnerable to an attack that can be exploited to run arbitrary Java code with the permissions of the victim when the victim views a web page containing an untrusted applet.

Sun JDK and JRE users should upgrade to or newer. Blackdown JDK and JRE users should upgrade to or newer.


tcpdump

The tcpdump network sniffer has a bug in its bgp_update_print() function that may be exploitable by a remote attacker in a denial-of-service attack against tcpdump.

Affected users should watch their vendors for a repaired version of tcpdump. Repaired packages for Mandrake Linux 10.1 and 10.2 have been released.


cpio

The archiving utility cpio is used to copy files into or out of cpio and tar archives. A flaw in cpio's handling of cpio archive files can be exploited by a remote attacker to overwrite arbitrary files on the system that are writable by the victim. The attacker carefully creates a cpio archive that he or she then convinces the victim to open using cpio.

Users of cpio should watch their vendors for a repaired version. Gentoo Linux has released a repaired cpio package.
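Both the cpio flaw above and the scp problem at the top of the column come down to the same defensive question: before writing a file whose name was chosen by the other side (an archive author, a remote server), does that name stay inside the directory the user intended? The following is an added example, not code from the column, from GNU cpio or from OpenSSH. It builds a small constructed archive in the SVR4 "newc" cpio format in memory, walks its headers without extracting anything, and reports every entry whose name is absolute or escapes the extraction directory through "..". The sample entry names and contents are constructed for the demo; the path check itself is the one an scp client should apply to server-supplied file names as well.

```python
"""Pre-extraction scan of a cpio (SVR4 "newc") archive for unsafe entry paths.

Added example for this column; not GNU cpio's or OpenSSH's code.
"""
import posixpath

MAGIC = b"070701"        # newc magic; followed by 13 eight-character hex fields
HEADER_LEN = 110         # 6 + 13 * 8
TRAILER = "TRAILER!!!"   # name of the end-of-archive entry


def _pad4(n):
    """Bytes needed to bring n up to the next multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc_archive(entries):
    """Construct a minimal newc archive from (name, data) pairs (demo helper).

    Only the fields a reader needs are filled in; the rest are zero.
    """
    out = bytearray()
    ino = 1
    for name, data in list(entries) + [(TRAILER, b"")]:
        name_b = name.encode() + b"\0"          # namesize counts the NUL
        mode = 0o100644 if name != TRAILER else 0
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
        ino += 1
    return bytes(out)


def iter_newc_entries(blob):
    """Yield (name, data) per entry; raise ValueError on a malformed header."""
    off = 0
    while True:
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != MAGIC:
            raise ValueError("bad or truncated cpio header at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        if namesize < 1 or name_start + namesize > len(blob):
            raise ValueError("bad namesize %d at offset %d" % (namesize, off))
        name = blob[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        if data_start + filesize > len(blob):
            raise ValueError("entry %r claims %d bytes beyond end of archive" % (name, filesize))
        if name == TRAILER:
            return
        yield name, blob[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)


def is_unsafe_path(name):
    """True if extracting `name` under a destination dir could write outside it.

    Rejects absolute names and any name that, once normalized, still begins
    with ".." (so "a/../b" is fine but "a/../../b" is not).
    """
    if not name or name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def scan_archive(blob):
    """Return (safe_names, unsafe_names) without writing anything to disk."""
    safe, unsafe = [], []
    for name, _data in iter_newc_entries(blob):
        (unsafe if is_unsafe_path(name) else safe).append(name)
    return safe, unsafe


# Constructed sample: two harmless entries, two that would land outside the
# extraction directory.
SAMPLE = build_newc_archive([
    ("docs/readme.txt", b"hello\n"),
    ("../../.ssh/authorized_keys", b"constructed\n"),
    ("/etc/profile", b"constructed\n"),
    ("bin/../notes.txt", b"fine after normalization\n"),
])

if __name__ == "__main__":
    ok, refused = scan_archive(SAMPLE)
    print("safe to extract:", ok)
    print("refused:", refused)
```

The check runs on the archive as a whole before extraction begins, so a single bad entry causes the archive to be refused rather than partially written; the same `is_unsafe_path` test applies to a file name an scp client receives from the server side of a copy.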


JBOSS

JBOSS is a J2EE-1.4-certified Java application server that is written in Java. It has been reported that JBOSS can be manipulated into providing information to an attacker, such as the path it is installed under. In version 4.0.2, an attacker can view all of JBOSS's configuration information, including security configurations.

Users of JBOSS should watch for a solution to this problem.


Adobe Reader and Adobe Acrobat

A flaw in the way Adobe Reader and Adobe Acrobat handle embedded XML scripts means that a remote attacker can create a PDF file that, when viewed by the victim, can read local files and send information back to the attacker. Adobe reports that Adobe Reader 7.0 and 7.0.1 and Adobe Acrobat 7.0 and 7.0.1 are vulnerable to this flaw.

A workaround to this problem is to disable JavaScript in the reader. Adobe has released an update (version 7.0.2) to the Windows version of the Adobe Reader. Users of the Mac OS X and Linux versions of the Reader should watch Adobe for a repaired version.


gedit

gedit, the Gnome text editor, is reported to be vulnerable to a format-string-based vulnerability in code that handles the file name being opened by gedit. If this vulnerability is successfully exploited, it results in arbitrary code being executed with the permissions of the victim. It may be possible that an email client or web browser could be manipulated into opening gedit with an attacker-specified filename that exploits this vulnerability.

Users should upgrade the gedit packages as soon as they become available from vendors. Mandrake, Red Hat, and Gentoo have released repaired packages.


Gaim

The instant messaging client Gaim is available for Linux, BSD, Mac OS X, and Windows. Gaim supports many different messaging protocols, including those of the AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks. A remotely exploitable denial-of-service vulnerability in Gaim is caused by code that handles MSN packets. The denial of service is triggered when an MSN packet has a misreported and invalid body length in its header.

In addition, when using the Yahoo protocol, a remote client can cause a denial-of-service condition by sending files with names containing non-ASCII characters.

All users of Gaim should upgrade to version 1.3.1 or newer. A package containing version 1.3.1 of Gaim is available from Mandriva Linux.
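The MSN denial of service described above is an instance of a general failure mode: a header declares how long the body is, and the parser trusts that number instead of checking it against the bytes actually received. The following is an added example, not Gaim's code. It parses a payload command framed the way MSN's are (a header line whose last field is a decimal body length, then that many bytes of body) and refuses the packet when the declared length is non-numeric, exceeds a cap, or exceeds what is in the buffer. The sample packets and the 1664-byte cap are constructed for the demo.

```python
"""Length-validated parsing of a payload command.

Added example for this column; not Gaim's code. Framing (constructed to
mirror MSN payload commands):
    MSG <sender> <display-name> <length>\r\n<length bytes of body>
"""

MAX_BODY = 1664          # constructed cap; the point is that one exists and is enforced
MAX_HEADER = 512         # constructed cap on the header line


class MalformedPacket(ValueError):
    """Raised when a packet's header or declared length cannot be trusted."""


def parse_payload_command(buf):
    """Parse one payload command from bytes `buf`.

    Returns (header_fields, body, bytes_consumed).  The declared body length
    is validated before any of the body is used: it must be a plain decimal
    number, at most MAX_BODY, and no larger than the data actually present.
    """
    end = buf.find(b"\r\n")
    if end < 0 or end > MAX_HEADER:
        raise MalformedPacket("no header line within %d bytes" % MAX_HEADER)
    fields = buf[:end].split(b" ")
    if len(fields) < 2:
        raise MalformedPacket("header has no length field")
    if not fields[-1].isdigit():
        raise MalformedPacket("length field %r is not a number" % fields[-1])
    length = int(fields[-1])
    if length > MAX_BODY:
        raise MalformedPacket("declared body length %d out of range" % length)
    body_start = end + 2
    available = len(buf) - body_start
    if available < length:
        # The header over-reports the body: reject instead of reading past the end.
        raise MalformedPacket(
            "declared %d body bytes, only %d received" % (length, available))
    body = buf[body_start:body_start + length]
    header = [f.decode("utf-8", "replace") for f in fields[:-1]]
    return header, body, body_start + length


def check(buf):
    """Return 'ok' or 'rejected: <reason>'; handy for logging and tests."""
    try:
        parse_payload_command(buf)
        return "ok"
    except MalformedPacket as exc:
        return "rejected: %s" % exc


# Constructed sample packets.
GOOD = b"MSG alice@example.com Alice 12\r\nhello there\n"        # body really is 12 bytes
LYING = b"MSG alice@example.com Alice 1000\r\nshort"              # promises 1000, sends 5
OVERSIZED = b"MSG alice@example.com Alice 100000\r\n"             # above the cap
BOGUS = b"MSG alice@example.com Alice 12abc\r\nhello there\n"     # non-numeric length

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("lying", LYING),
                       ("oversized", OVERSIZED), ("bogus", BOGUS)]:
        print("%-9s %s" % (label, check(pkt)))
```

The order of the checks matters: the cap is tested before the buffer comparison so that an absurd length is rejected without any allocation, and the "only N received" branch is the one that stands in for the crash the advisory describes.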


Trac

Trac is a wiki implementation that is integrated with Subversion and designed to help track problems and issues for a software development project. A bug in Trac can be exploited by a remote attacker to upload arbitrary files to the server running Trac and, under some conditions, can be exploited to execute arbitrary code.

It is recommended that all users of Trac upgrade to version 0.8.4 or newer as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
