Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the TCP protocol, Midnight
rsync, LHA, Utempter, X-Chat, and
Weaknesses have been found in the TCP protocol specification.
SYN packets from an attacker can (under some conditions) drop a TCP session;
and an attacker can, in some cases, inject data into a TCP session.
Users should contact their vendors for details on how to mitigate or prevent these TCP protocol vulnerabilities.
Midnight Commander is reported to be vulnerable to multiple buffer overflows, multiple temporary-file, symbolic link race conditions, and a format string vulnerability.
Users should watch their vendors for a repaired version of Midnight Commander and should consider disabling Midnight Commander until it has been updated. Repaired packages have been released for Red Hat Linux 9; Debian GNU/Linux; and Mandrake Linux 10.0, 9.1, 9.2, and Corporate Server 2.1.
|Linux/Unix System Administration Certification -- Would you like to polish your system administration skills online and receive credit from the University of Illinois? Learn how to administer Linux/Unix systems and gain real experience with a root access account. The four-course series covers the Unix file system, networking, Unix services, and scripting. It's all at the O'Reilly Learning Lab.|
Version 1.2.9 of the FTP daemon
proftpd has a bug in the code that handles
Deny directives that can, under some conditions,
allow clients to access files or directories to which should have been denied.
Affected users should downgrade or upgrade to a version of
or later than version 1.2.9, or watch their vendors for a repaired version.
Repaired packages have been released for Mandrake Linux 10; Trustix Secure
Linux 2.0 and 2.1, and Trustix Secure Enterprise Linux 2;
and OpenPKG CURRENT and OpenPKG 2.0.
OpenOffice has been reported to be vulnerable due to format-string bugs
neon WabDAV client library that can, under some conditions, be exploited
by a remote attacker to execute arbitrary code on the client with the permissions
of the user running OpenOffice.
Users of OpenOffice should upgrade to a version that has been linked against
neon library with a version of 0.24.5 or newer. Red Hat has released a repaired
package of OpenOffice for Red Hat Linux 9.
libpng library contains functions used to create and manipulate PNG (Portable
Network Graphics) image files. A carefully crafted PNG file can be created that
will crash any application linked against
libpng, due to a bug in a function
that deals with error messages. This bug is not thought to be exploitable by
an attacker to execute code, but under some conditions it can be used in a denial-of-service attack.
Users should watch their vendors for an updated package that repairs this bug. Packages have been released for Red Hat Linux 9; Debian GNU/Linux; Mandrake Linux 10.0, 9.1, 9.2, Corporate Server 2.1, and Multi Network Firewall 8.2; OpenPKG CURRENT, 2.0, and 1.3; and Trustix Secure Linux 2.0 and 2.1, and Trustix Secure Enterprise Linux 2.
The Utempter utility is used by unprivileged applications to update the utmp and wtmp log files. A directory traversal bug has been discovered in Utempter that can be used by a local attacker to overwrite arbitrary files using a symbolic-link-based attack. As Utempter runs with root permissions, the files will be overwritten as if the attacker were root.
Any system with Utempter installed needs to have Utempter upgraded as soon as possible,
libutempter-1.1.1 or newer. Repaired versions of Utempter have been released
for Slackware Linux 9.1 and Red Hat Linux 9.
Also in Security Alerts:
rsync, a faster and more flexible replacement for
rcp that provides incremental
file transfers, is reported to be vulnerable to an attack that, under some conditions,
can be used by an attacker to write files outside of the expected path.
All users of
rsync should upgrade to version 2.6.1 or newer as soon as possible.
Packages containing a repaired and updated version of
rsync have been released
for Trustix Secure Linux 1.5, 2.0, and 2.1, and Trustix Secure Enterprise Linux 2.
LHA is a compression and archive-creation tool that uses the LHarc format. Buffer overflows and a directory traversal bug have been found in LHA that can potentially be used by a remote attacker to execute arbitrary code or write arbitrary files with the permissions of the user who opens a carefully crafted LHarc-format archive.
In most cases, users should not open any LHarc-formatted archives until they have upgraded LHA to a safe version.
X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window System and can use the GTK+ toolkit or Gnome. A buffer overflow has been found in the X-Chat code that handles Socks-5 proxies. If a user connects to a proxy server controlled by an attacker, the attacker can exploit X-Chat to execute arbitrary code with the permissions of the user. The buffer overflow affects X-Chat versions 1.8.0 through 2.0.8 if the user connects through Socks-5 proxy server.
It is recommended that affected users should stop using untrusted Socks-5 proxy servers until they have either applied a patch available from XChat.org or upgraded X-Chat. Red Hat has released a repaired package for Red Hat Linux 9.
sysklogd logging daemon contains a bug that can be used by an attacker
to crash the daemon. This has only been reported as a denial-of-service type of
attack, and it is not known if this vulnerability can be exploited to execute
arbitrary code. The
sysklogd package contains the
syslogd daemon is an improved version of the Berkeley
syslogd daemon, and
klogd daemon handles kernel messages.
Every user of the
sysklogd package should upgrade to a repaired version as
soon as possible. Mandrake Linux has released a repaired version of the
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the LinuxDevCenter.com.
Copyright © 2009 O'Reilly Media, Inc.