Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, AMD64 Linux kernels, XFree86, metamail, Mailmgr, PWLib, clamav, and NetBSD's Racoon IKE Daemon.
A new vulnerability has been discovered in the Linux kernel that can be exploited by a local attacker to gain root permissions or used as a denial-of-service attack. The vulnerability is located in the memory management code of the mremap() function call, and is related to (but not the same as) the memory-management vulnerability in the Linux kernel that was reported earlier this year. A script to automate the exploitation of this vulnerability has been released to the public.
Repaired Linux kernel packages have been released for SuSE Linux 8.1, 8.2, and 9.0; Red Hat Linux 9; Debian GNU/Linux 3.0 alias woody; Slackware 9.1 and -current; Conectiva Linux, and Trustix Secure Linux.
AMD64 Linux Kernel
The ptrace emulation code on AMD64 machines may, under some conditions, mishandle eflags in a way that is vulnerable to an attack resulting in the attacker gaining root permissions.
Affected users should watch their vendors for a repaired kernel package.
XFree86 is vulnerable to a buffer overflow in the ReadFontAlias() function and to other security-related bugs that can be used, under some conditions, by a local attacker to execute arbitrary code with root permissions. To exploit the ReadFontAlias() vulnerability, the attacker creates a font.alias file that is constructed so as to overflow a buffer in the function.
Users should watch for a repaired XFree86 package from their vendors. It should be noted that some vendors have talked about forking XFree86 due to a change in XFree86's license. Repaired packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1; Conectiva Linux; Debian Linux; and Immunix OS 7.3.
Apache is vulnerable to a remote denial-of-service attack when the mod_python module is installed and processes a specific query string.
Users should watch their vendors for a repaired version of
slocate is a version of the locate command that is designed to be more secure. slocate is vulnerable to a buffer overflow that can be exploited by a local attacker by creating a carefully crafted slocate database. Exploiting this vulnerability on many systems will gain the attacker the permissions of the
Fedora Legacy has released back-ported patches for Red Hat Linux 7.2, 7.3, and 8.0; Red Hat has released an updated package for Red Hat Linux 9.0; Mandrake has updated its packages for Mandrake 9.1, 9.2, 9.2/AMD64, and Corporate Server 2.1; Debian GNU/Linux 3.0 has been updated; and Trustix Secure Linux has been patched.
The susehelp package distributed with SuSE Linux 9.0 contains CGI scripts that are vulnerable to an attack that can be used by a remote attacker to execute arbitrary code with the wwwrun user's permissions. SuSE has released new susehelp packages that resolve this problem.
The mutt mail client is reported to be vulnerable to a remotely exploitable buffer overflow. The buffer overflow is triggered by a carefully crafted email message that will crash mutt and may result in arbitrary code being executed with the permissions of the user running
Users should upgrade to a repaired version of mutt as soon as possible. Repaired packages have been announced for Mandrake Linux 9.1, 9.2, and Corporate Server 2.1.
metamail, a utility to decode MIME (Multipurpose Internet Mail Extensions)-encoded mail, is reported to be vulnerable to multiple buffer overflows and format-string vulnerabilities. These vulnerabilities may be exploitable, under some conditions, by a carefully crafted MIME email message. metamail is generally not invoked directly by the user but instead is invoked by some news readers and email clients (elm, for example).
Affected users should watch for a repaired version of
Mailmgr is an HTML report generator for sendmail log files. Mailmgr is vulnerable to a trivially exploitable symbolic-link race condition that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running Mailmgr. In many cases, Mailmgr will be running as the root user, and this vulnerability can be used as part of a denial-of-service attack.
It is recommended that Mailmgr be configured with the temporary_dir configuration option (in the mailmgr.conf file) to use a protected directory for its temporary files.
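The following C program is an added illustration, not Mailmgr's code, of what "protected" means for a temporary directory and of how a program creates temporary files there so that a pre-planted symbolic link is refused rather than followed. The directory, file and link names are constructed for the demonstration and assume a Linux/POSIX system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Protected" here means: a real directory (not a symlink), owned by the user
 * running the program, and not writable by group or others. 1 if all hold. */
int tmpdir_is_protected(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0; /* missing or a symlink */
    if (st.st_uid != geteuid()) return 0;                      /* someone else owns it */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;            /* others can plant links */
    return 1;
}
/* Create a temp file at a predictable path without being redirected: O_EXCL fails
 * if any entry already exists there, O_NOFOLLOW refuses a symlink outright. */
int create_private_tmpfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Constructed scenario: a link named like a report's temp file is planted in dir,
 * pointing at a file that must not be clobbered. 1 if the hardened open refuses it. */
int demo_symlink_refused(const char *dir)
{
    char target[512], link[512]; struct stat st;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/mailmgr.tmp", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return 0;
    close(fd);
    if (symlink(target, link) != 0) return 0;
    int ok = create_private_tmpfile(link) == -1 && (errno == EEXIST || errno == ELOOP);
    ok = ok && stat(target, &st) == 0 && st.st_size == 4;  /* target was not truncated */
    unlink(link); unlink(target);
    return ok;
}
/* Run both checks in a fresh 0700 directory under /tmp; 1 on success. */
int run_demo(void)
{
    char dir[] = "/tmp/mailmgr-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    int ok = tmpdir_is_protected(dir) && demo_symlink_refused(dir);
    ok = ok && chmod(dir, 0777) == 0 && !tmpdir_is_protected(dir); /* world-writable: rejected */
    rmdir(dir);
    return ok;
}
```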
PWLib is a library that supports the OpenH323 project and provides a version of the ITU H.323 teleconferencing protocol, used by Gnome Meeting and other applications. Versions of PWLib prior to 1.6.0 contain bugs that can be used by a remote attacker in a denial-of-service attack against the application linked to PWLib.
Anyone using teleconferencing software linked with the PWLib library should upgrade it to version 1.6.0 or newer.
Version 0.65 of the clamav anti-virus toolkit is reported to be vulnerable to a buffer overflow that can be exploited remotely with a uuencoded email message. The problem is in a function contained in libclamav that calculates the line length of an
Users should upgrade to version 0.67 of clamav as soon as possible.
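The column does not describe the libclamav function itself; the following C code is an added, constructed example (not clamav's code) of the check a line-length calculation for uuencoded data must make before sizing a copy: the byte count claimed by the line's length character is validated against the characters actually received and against the format's 45-byte maximum. The sample line is constructed.

```c
#include <stddef.h>
#include <string.h>

/* uuencode body line: a length character c gives n = (c - ' ') & 0x3f decoded
 * bytes (0..45), followed by 4 * ceil(n / 3) encoded characters. A decoder that
 * sizes its copy from c alone overruns a fixed buffer when the line claims more
 * than it carries, or more than the format's maximum. */
#define UU_MAX_DECODED 45

/* Returns the decoded byte count the line claims, or -1 when that claim is not
 * backed by the characters actually received. `len` excludes the newline. */
int uu_line_decoded_len(const char *line, size_t len)
{
    if (len == 0) return -1;
    int n = (line[0] - ' ') & 0x3f;
    if (n > UU_MAX_DECODED) return -1;          /* over-long claim */
    size_t need = 4 * ((n + 2) / 3);
    if (len - 1 < need) return -1;              /* short line: copy would read past it */
    return n;
}

/* Decode one body line into out; returns bytes written, or -1 on a bad line or
 * an output buffer smaller than the validated count. */
int uu_decode_line(const char *line, size_t len, unsigned char *out, size_t outcap)
{
    int n = uu_line_decoded_len(line, len);
    if (n < 0 || (size_t)n > outcap) return -1;
    const char *p = line + 1;
    int w = 0;
    for (int i = 0; i < n; i += 3, p += 4) {
        unsigned c0 = (p[0] - ' ') & 0x3f, c1 = (p[1] - ' ') & 0x3f,
                 c2 = (p[2] - ' ') & 0x3f, c3 = (p[3] - ' ') & 0x3f;
        out[w++] = (unsigned char)((c0 << 2) | (c1 >> 4));
        if (w < n) out[w++] = (unsigned char)((c1 << 4) | (c2 >> 2));
        if (w < n) out[w++] = (unsigned char)((c2 << 6) | c3);
    }
    return w;
}

/* Constructed sample: "#0V%T" is the uuencoding of "Cat". Returns 1 if it decodes. */
int uu_demo(void)
{
    unsigned char out[UU_MAX_DECODED];
    return uu_decode_line("#0V%T", 5, out, sizeof out) == 3 && memcmp(out, "Cat", 3) == 0;
}
```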
Racoon IKE Daemon
NetBSD's Racoon IKE (Internet Key Exchange) daemon has a flaw that can be abused by a remote attacker to remove authorized keys or shut down the ISAKMP SA channel and cause a denial-of-service condition.
Users of IPsec on NetBSD should upgrade to the new Racoon package as soon as possible.