Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in Linux 2.4
sendmail, IMAP clients,
lv, GNU Privacy Guard,
EnGarde Secure Linux's
sudo, SCO OpenLinux's
directory, BEA WebLogic Server, Unreal Engine, and WebLogic Express.
Problems in the Linux 2.4 kernel have been reported. They include a
denial-of-service attack that can be remotely exploited (through the
use of network packets with forged source addresses that cause
excessive growth of the network hash tables), and a security problem
ioperm() function call that can be used by an attacker to
gain unauthorized access to I/O ports.
Users should watch their vendor for updated kernel packages. Red Hat has released new kernel packages that fix these and additional problems.
Three scripts included with
checksendmail) have been reported to be vulnerable to a symbolic-link
race condition that can be exploitable, under some circumstances, to
overwrite arbitrary files on the system, and may allow an attacker to
gain additional privileges.
Affected users should consider disabling these three scripts until they have been updated with repaired versions.
Several IMAP clients have been reported to be vulnerable to buffer
overflows. Pine, UW-imapd, Evolution, Mozilla, and Eudora are
reported to have a potentially exploitable vulnerability, and OE6,
Sylpheed, Balsa, and
mutt are reported to have a denial-of-service
vulnerability. Exploiting these buffer overflows requires that the
attacker control an IMAP server that the user connects and logs into.
Users should consider upgrading to
imap version 2002c or Evolution
version 1.3.2 (Beta). Affected users of other clients should watch
for repaired versions. In addition, users should exercise care in what
servers they connect to with any client software.
There is a format-string vulnerability in
cdrecord that can be
exploited by a local attacker to execute arbitrary code with root's
permissions on systems that have
cdrecord installed set user id root.
A script to automate exploiting this vulnerability has been released
to the public. It has been reported that Mandrake Linux installs
cdrecord with both a set user id bit and a set group id bit.
Affected user should watch their vendor for an updated version of
cdrecord and should consider removing the set user and set group id
bits. Mandrake has released packages containing a repaired version of
lv, a file viewer similar to
less, contains a bug that may, under some
conditions, be exploitable by a local attacker to execute arbitrary
shell commands with the permission of the user running
lv. The bug
lv to read its configuration file (
.lv) from the current working
directory, if it contains a configuration file. If a user has executed
lv in a directory with a malicious configuration file and then uses
the editor command from within
lv will execute arbitrary commands
configured in the
It is recommended that users consider not using
lv until it has been
repaired. Updated packages have been released for Red Hat Linux.
GNU Privacy Guard (GPG) has a key-validation bug that can result in keys gaining more trust than they should. This bug affects keys with multiple userids and results in all userids gaining the same level of trust as the most trusted user.
Affected users should watch their vendor for an repaired version of GNU Privacy Guard.
sudo command supplied with EnGarde Secure Community 2, EnGarde
Secure Professional v1.2, and EnGarde Secure Professional v1.5 are
vulnerable to a heap corruption that may be exploitable to execute
arbitrary code with root permissions.
Guardian Digital recommends that affected users upgrade as soon as
possible. On systems where
sudo is not being used, users should
consider removing it or removing its set user id root bit.
mgetty supplied with OpenLinux 3.1.1 server and workstation is
reported to be vulnerable to a buffer overflow in the code that
handles the name of a caller on a modem. In addition, OpenLinux's
faxspool directory is world-writable.
SCO recommends that users upgrade to a new
mgetty package that
contains a repaired version of
mgetty as soon as possible.
Also in Security Alerts:
There are several passwords that have been found to be stored or
displayed in plain text. These include the
JDBCConnectionPoolRuntimeMBean password being displayed on the screen
CredentialMapper storing passwords on the disk
in plain text inside of a binary file.
BEA recommends that WebLogic Server and Express 7.0 and 220.127.116.11 users apply service pack 2 and an available patch (CR104520_700sp2.zip). When service pack 3, is released the patch will no longer be needed.
Flaws in the networking code of the Unreal game engine are exploitable as a denial-of-service attack and may, under come conditions, be exploitable to execute arbitrary code. These bugs affect both the Windows and Linux versions of the engine. Games based on the Unreal engine include Unreal Tournament, Star Trek: The Next Generation: Klingon Honor Guard, Unreal, The Wheel of Time, Deus Ex, Mobile Forces, Rune, Hired Guns, Navy Seals, TNN Outdoor Pro Hunter, Werewolf, X-Com: Alliance, Adventure Pinball, America's Army, and Unreal Tournament 2003. The possible code execution is exploited using map files. A tool to automate a denial-of-service attack has been released to the public.
Users should be careful that they use map files from only trusted sources and should watch for updated version of the game engine with more robust networking and map code.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.