Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at a bug in the zlib
compression library; buffer overflows in efingerd and many RADIUS servers; and problems in CVS, rsync, PureTLS, xtux, SMS Server Tools, and GNU fileutils.
The zlib compression library is used by hundreds of applications to
provide compression and decompression. Versions 1.1.3 and earlier
contain a flaw (a double free in the decompression code) that corrupts
the internal data structures of malloc. Depending on the application,
it can be used for a denial-of-service attack, to read arbitrary data
from the process, or, under some circumstances, to execute arbitrary
code. The flaw is present both in the shared library and in any program
that was statically linked against a vulnerable copy of zlib, so
replacing the system library alone is not enough.
Software that has been reported to be affected by this flaw (that is,
statically linked against code from a vulnerable version of the zlib
library) includes: the Linux Kernel, gpg, rsync, cvs, rrdtool, freeamp,
Netscape, vnc, ssh-1.2.33, ssh-3.1.0, gcc 3.0, gcc-2.96, mirrordir,
ppp, chromium, HDF, XFree86, rpm, libdiffie, flash,
qt-embedded, pngcrush, librpm, popt, cpp, libstdc++, libgcj, xterm,
abiword, Adobe Acrobat, Apache, dictd, evolution, MS Office, IE,
DirectX, and many more. A longer list of applications reported to be
vulnerable is available from http://www.gzip.org/zlib/apps.html.
Users should upgrade the zlib system libraries as soon as possible to
version 1.1.4, and should upgrade any software based on, or linked to,
version 1.1.3 or earlier of zlib. Many vendors have released updates
for the library and collections of statically linked applications.
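A quick way to act on the advice above, as an added example that is not part of the original column: zlib compiles its version into copyright strings in deflate.c and inftrees.c (" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly " and " inflate 1.1.3 Copyright 1995-1998 Mark Adler "), and those strings survive static linking, so scanning binaries for them turns up embedded copies that the package manager knows nothing about. The scanner below is my own code; the marker strings and the 1.1.4 cutoff are the assumptions it rests on, and a hit is a lead to verify rather than proof, since a vendor may have backported the fix without changing the version string.

```c
/* zlibscan.c: find the version string zlib embeds in deflate.c and
 * inftrees.c and flag copies older than 1.1.4. Added example, not zlib or
 * vendor code. Usage: zlibscan FILE...  (pipe a find(1) listing through xargs) */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First release that closes the double free (assumption documented above). */
#define ZLIB_FIXED_MAJOR 1
#define ZLIB_FIXED_MINOR 1
#define ZLIB_FIXED_PATCH 4

/* Offset of needle in hay, or -1; a portable stand-in for GNU memmem(). */
static long find_bytes(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Copy the dotted version following one of zlib's copyright markers into ver.
 * Returns 1 if a version such as "1.1.3" was found, 0 otherwise. */
int find_zlib_version(const unsigned char *buf, size_t len, char *ver, size_t verlen)
{
    static const char *const markers[] = { " deflate 1.", " inflate 1." };
    if (verlen == 0) return 0;
    for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++) {
        long off = find_bytes(buf, len, markers[m]);
        if (off < 0) continue;
        size_t pos = (size_t)off + strlen(markers[m]) - 2;   /* first digit of the version */
        size_t n = 0;
        while (pos + n < len && n + 1 < verlen &&
               (isdigit(buf[pos + n]) || buf[pos + n] == '.')) {
            ver[n] = (char)buf[pos + n];
            n++;
        }
        ver[n] = '\0';
        if (n >= 5) return 1;   /* at least "1.1.x" */
    }
    ver[0] = '\0';
    return 0;
}

/* 1 if ver is below 1.1.4, 0 if it is 1.1.4 or later, -1 if it does not parse. */
int zlib_version_vulnerable(const char *ver)
{
    int maj, min, pat;
    if (sscanf(ver, "%d.%d.%d", &maj, &min, &pat) != 3) return -1;
    if (maj != ZLIB_FIXED_MAJOR) return maj < ZLIB_FIXED_MAJOR;
    if (min != ZLIB_FIXED_MINOR) return min < ZLIB_FIXED_MINOR;
    return pat < ZLIB_FIXED_PATCH;
}

/* Read a whole file and scan it. 1 = embedded vulnerable zlib, 0 = none found
 * or fixed version (ver tells which), -1 = could not read the file. */
int scan_file(const char *path, char *ver, size_t verlen)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char *buf = NULL, chunk[65536];
    size_t len = 0, cap = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (len + n > cap) {
            size_t ncap = cap ? cap * 2 : sizeof chunk * 4;
            while (ncap < len + n) ncap *= 2;
            unsigned char *nb = realloc(buf, ncap);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb; cap = ncap;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    int rc = 0;
    if (find_zlib_version(buf, len, ver, verlen) && zlib_version_vulnerable(ver) == 1) rc = 1;
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        char ver[32];
        int rc = scan_file(argv[i], ver, sizeof ver);
        if (rc < 0)        printf("%s: cannot read\n", argv[i]);
        else if (rc == 1)  printf("%s: zlib %s VULNERABLE (upgrade or relink)\n", argv[i], ver);
        else if (ver[0])   printf("%s: zlib %s ok\n", argv[i], ver);
        else               printf("%s: no embedded zlib version string\n", argv[i]);
    }
    return 0;
}
```

Run it over `find /usr/bin /usr/sbin /usr/lib -type f | xargs ./zlibscan | grep VULNERABLE` and compare the hits against the list above; anything the scanner flags that your vendor has not shipped an update for needs rebuilding against 1.1.4.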
Concurrent Versions System (CVS), a version control system, is
vulnerable under some conditions to a remote denial-of-service attack
that crashes pserver. Versions of CVS through 1.11 also ship a copy of
the vulnerable zlib library and, under some conditions, may be
remotely exploitable through the zlib flaw as well.
Affected users should watch their vendor for an updated version and should consider removing remote access to CVS servers until it has been repaired.
Many RADIUS servers are vulnerable to a buffer overflow and to a design flaw that can be used in a denial-of-service attack. If the attacker knows the shared secret, the buffer overflow can be exploited to execute arbitrary code with the permissions of the user running the RADIUS server (often root). The denial-of-service flaw is in code that does not properly validate the length field of certain attributes.
Servers affected by the buffer overflow include (all earlier versions are also affected): Ascend RADIUS version 1.16, Cistron RADIUS version 1.6.4, FreeRADIUS version 0.3, GnuRADIUS version 0.95, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, RADIUS (also called Lucent RADIUS) version 2.1, RADIUSClient version 0.3.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.
Servers affected by the denial-of-service attack include (all earlier versions are also affected): Cistron RADIUS version 1.6.5, FreeRADIUS version 0.3, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.
It is recommended that affected users upgrade to a repaired version of their RADIUS server and protect the server from unauthorized connections with a firewall.
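The length check at issue, as an added example that is not code from any of the servers listed: RFC 2865 lays out each attribute as Type, Length, Value, with Length counting all three octets and therefore never below 2, and the packet header's own Length bounding the attribute list. A walker that advances by the attribute's Length octet without checking it spins forever on a Length of 0 and reads past the packet on a Length larger than what remains. The walker below refuses both; the sample packets it builds are constructed for the example.

```c
/* radius_attrs.c: walk a RADIUS attribute list (RFC 2865) with the checks
 * whose absence lets one malformed attribute hang or crash a server.
 * Added example, not code from any RADIUS server. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20       /* Code, Identifier, Length, Authenticator */
#define RADIUS_MAX_LEN 4096     /* RFC 2865 section 3 */
#define RADIUS_MIN_ATTR_LEN 2   /* Type and Length octets with an empty Value */

typedef void (*attr_cb)(uint8_t type, const uint8_t *value, size_t vlen, void *ctx);

/* Returns the number of attributes, or -1 if the packet is malformed.
 * Unchecked code does "p += p[1]": Length 0 never advances (CPU spin),
 * Length beyond the packet reads memory the packet does not own. */
int radius_walk_attrs(const uint8_t *pkt, size_t pktlen, attr_cb cb, void *ctx)
{
    if (pktlen < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    /* RFC 2865: Length outside 20..4096 is discarded; a datagram shorter than
     * Length is discarded; octets beyond Length are padding and ignored. */
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN || declared > pktlen) return -1;

    const uint8_t *p = pkt + RADIUS_HDR_LEN, *end = pkt + declared;
    int count = 0;
    while (p < end) {
        size_t remaining = (size_t)(end - p);
        if (remaining < RADIUS_MIN_ATTR_LEN) return -1;   /* lone Type octet */
        size_t alen = p[1];
        if (alen < RADIUS_MIN_ATTR_LEN) return -1;         /* would never advance */
        if (alen > remaining) return -1;                   /* Value runs off the packet */
        if (cb) cb(p[0], p + 2, alen - 2, ctx);
        p += alen;
        count++;
    }
    return count;
}

/* Build a packet from raw attribute TLVs (constructed for the example; the
 * Authenticator is zero-filled). Returns the packet length, 0 on overflow. */
size_t radius_build(uint8_t *out, size_t outcap, uint8_t code, uint8_t id,
                    const uint8_t *attrs, size_t attrs_len)
{
    size_t total = RADIUS_HDR_LEN + attrs_len;
    if (total > outcap || total > RADIUS_MAX_LEN) return 0;
    memset(out, 0, RADIUS_HDR_LEN);
    out[0] = code;
    out[1] = id;
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    if (attrs_len) memcpy(out + RADIUS_HDR_LEN, attrs, attrs_len);
    return total;
}

static void print_attr(uint8_t type, const uint8_t *v, size_t n, void *ctx)
{
    (void)ctx;
    printf("  attr %3u len %2zu:", (unsigned)type, n);
    for (size_t i = 0; i < n; i++) printf(" %02x", v[i]);
    printf("\n");
}

int main(void)
{
    /* User-Name "bob" (type 1) then NAS-IP-Address 10.0.0.1 (type 4). */
    static const uint8_t good[] = { 1, 5, 'b', 'o', 'b',  4, 6, 10, 0, 0, 1 };
    /* Same packet, second attribute claims Length 0: a naive walker never advances. */
    static const uint8_t loop[] = { 1, 5, 'b', 'o', 'b',  4, 0, 10, 0, 0, 1 };
    uint8_t pkt[RADIUS_MAX_LEN];
    size_t n = radius_build(pkt, sizeof pkt, 1, 7, good, sizeof good);
    printf("well-formed Access-Request: %d attributes\n", radius_walk_attrs(pkt, n, print_attr, NULL));
    n = radius_build(pkt, sizeof pkt, 1, 8, loop, sizeof loop);
    printf("attribute with Length 0: %d (rejected)\n", radius_walk_attrs(pkt, n, print_attr, NULL));
    return 0;
}
```

The firewall advice above still applies: the checks make a malformed packet harmless, but nothing here authenticates the sender, and the buffer overflow is a separate bug that the upgrade fixes.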
There is a bug in rsync that can cause it to fail to drop group
privileges when it switches to the configured user and group IDs, so a
daemon started as root can keep the group memberships it started with.
rsync is also linked against the vulnerable zlib.
Users should upgrade rsync to version 2.5.4 or newer as soon as
possible.
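The check the rsync bug calls for, as an added example (my code, not rsync's and not the 2.5.4 fix itself): the privilege drop a daemon started as root should perform, in the one order that works, followed by a verification that re-reads the process identity instead of trusting return codes. The interesting failure is exactly the one described above: uid and gid are right, but the supplementary group list still carries the groups the daemon started with. It assumes POSIX setgroups/setgid/setuid semantics as on Linux; 65534 as nobody/nogroup is a placeholder.

```c
/* dropprivs.c: switch from root to an unprivileged uid/gid and prove it.
 * Added example illustrating the step a daemon must not skip (clearing
 * supplementary groups); not rsync's code. Assumes Linux/POSIX semantics. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check on a snapshot of process identity: 1 if the process is exactly
 * want_uid/want_gid and every supplementary group is want_gid, else 0.
 * A daemon that only called setgid()/setuid() fails this with uid and gid
 * correct but root's groups still in the list. */
int privs_fully_dropped(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups,
                        uid_t want_uid, gid_t want_gid)
{
    if (uid != want_uid || gid != want_gid) return 0;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] != want_gid) return 0;
    return 1;
}

/* Drop to uid/gid: groups first (needs root), then gid, then uid (after
 * which nothing can be raised again). Returns 0 on verified success,
 * -1 with errno set otherwise; the caller must exit on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;   /* the step the buggy daemon skipped */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify by re-reading identity rather than trusting the return codes. */
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *groups = calloc((size_t)(n > 0 ? n : 1), sizeof *groups);
    if (!groups) return -1;
    n = getgroups(n, groups);
    int ok = n >= 0 && privs_fully_dropped(getuid(), getgid(), groups, (size_t)n, uid, gid);
    free(groups);
    if (!ok) { errno = EPERM; return -1; }

    /* A real drop is irreversible: setuid(0) must now fail for a non-root target.
     * If it succeeds, a saved uid of 0 was left behind and we are root again. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* Target identity; 65534 is the conventional nobody/nogroup on many systems. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 65534;
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 65534;
    if (geteuid() != 0) {
        fprintf(stderr, "run as root to exercise the drop (current uid %u)\n", (unsigned)geteuid());
        return 2;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges failed, refusing to continue");
        return 1;
    }
    printf("now uid=%u gid=%u, root cannot be regained\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root and then inspect `/proc/<pid>/status` (the Uid, Gid and Groups lines) or `id` in a child process to confirm what the verification already checked; a daemon that prints the right uid but still lists group 0 under Groups has the rsync bug.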
efingerd is a customizable finger daemon. Version 1.3 is vulnerable
to a buffer overflow that can be remotely exploited to execute
arbitrary code with the permissions of the user running efingerd
(usually the user nobody). Versions 1.3 and 1.6.1 have a feature that
can be used by a local user to connect to the machine and execute
arbitrary commands as the user that is executing efingerd.
The feature can be turned off using the -u option. Users should
watch for an updated version that repairs the buffer overflow and
should consider disabling efingerd until it has been updated.
The maintainers of PureTLS have announced that an unspecified vulnerability in all versions prior to PureTLS 0.9b2 was discovered during an internal audit. PureTLS is a pure Java implementation of SSLv3/TLS.
They strongly recommend that all users upgrade to version PureTLS 0.9b2 or newer as soon as possible.
The server portion of the game xtux is vulnerable to a denial-of-service attack that can cause it to use large amounts of CPU time.
Users should watch for an update and should consider setting up
firewall rules to restrict who is allowed to connect to the xtux
server.
Under some conditions, a race condition in GNU fileutils can be used by a local attacker to cause users to remove unexpected files. During a recursive remove (rm -rf, for example), rm descends into each subdirectory and later returns to the parent with an unchecked chdir("..") system call. If the attacker renames or moves the directory while rm is inside it, ".." no longer leads back to the directory rm came from, and rm continues deleting in whatever directory it lands in.
A patch has been released for the 4.1.6 development version. Users should watch their vendor for an updated file utilities package.
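To make the race concrete, an added example (mine, not the fileutils patch): it stages the scenario in a scratch tree under /tmp, with one function playing the remover that records the identity of the directory it leaves and descends into a subdirectory, a rename standing in for the attacker moving that subdirectory while the remover is inside it, and a checked chdir("..") that compares device and inode with what was recorded before carrying on. Code that trusts ".." lands in the attacker's chosen directory and keeps removing there; the check turns that into a refusal.

```c
/* rm_ascend.c: the chdir("..") race in a recursive remove, and the
 * dev/inode comparison that catches it. Added example illustrating the flaw
 * described above; not the fileutils patch. Creates and removes a scratch
 * tree under /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remember the identity of the directory we are about to leave. */
int remember_dir(struct stat *saved)
{
    return stat(".", saved);
}

/* Return to the parent with chdir("..") and verify we landed where we
 * started; vulnerable code trusts ".." and skips the comparison.
 * 0 = back where we started, -1 = syscall error, -2 = different directory. */
int ascend_checked(const struct stat *expected)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0) return -1;
    if (now.st_dev != expected->st_dev || now.st_ino != expected->st_ino) return -2;
    return 0;
}

/* Stage the race: the remover records directory A and descends into A/child;
 * if attacker_moves is set, A/child is renamed to B/child while the remover
 * is inside it. Returns ascend_checked()'s result, or -3 on setup failure. */
int demo_race(int attacker_moves)
{
    char root[] = "/tmp/rmrace.XXXXXX", a[64], b[64], ac[64], bc[64];
    struct stat saved;
    int rc = -3;
    int origin = open(".", O_RDONLY);            /* so we can return afterwards */
    if (origin < 0) return -3;
    if (!mkdtemp(root)) { close(origin); return -3; }
    snprintf(a, sizeof a, "%s/A", root);
    snprintf(b, sizeof b, "%s/B", root);
    snprintf(ac, sizeof ac, "%s/child", a);
    snprintf(bc, sizeof bc, "%s/child", b);
    if (mkdir(a, 0700) || mkdir(b, 0700) || mkdir(ac, 0700)) goto out;

    /* Remover: note where we are, then go down one level. */
    if (chdir(a) || remember_dir(&saved) || chdir("child")) goto out;
    /* Attacker: move the directory the remover is standing in. */
    if (attacker_moves && rename(ac, bc)) goto out;
    /* Remover comes back up; unchecked code would now rm -rf inside B. */
    rc = ascend_checked(&saved);

out:
    (void)fchdir(origin);
    close(origin);
    rmdir(ac); rmdir(bc); rmdir(a); rmdir(b); rmdir(root);   /* best-effort cleanup */
    return rc;
}

int main(void)
{
    printf("no interference:             %d (0 means back in A)\n", demo_race(0));
    printf("directory moved during walk: %d (-2 means we are somewhere else)\n", demo_race(1));
    return 0;
}
```

The same comparison protects any tool that walks a tree with chdir, not just rm; the alternative that avoids the race entirely is to keep a file descriptor on the parent and return with fchdir(2), which cannot be redirected by a rename.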
The SMS Server Tools package contains applications that are used to
send short messages using GSM modems. Versions of SMS Server Tools
before 1.4.8 contain format string bugs that can be exploited to
execute arbitrary commands with the permissions of the user running
smsd.
It is recommended that users upgrade to version 1.4.8 of the SMS Server Tools as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.