Linux and Darwin Kernel Trouble
by Noel Davis01/27/2005
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the Linux kernel, the Darwin/Mac OS X kernel, iSync, Ethereal, enscript, hylafax, rssh, Xine-lib, mpg123,
and Konversation.
- Linux kernel
- Darwin/Mac OS X kernel
- iSync
- Ethereal
enscripthylafaxrssh- Xine-lib
mpg123- Konversation
Linux Kernel Problems
Several problems in the Linux kernel have been announced, including a locking
problem in the sys_uselib() system call that can be exploited by a local attacker
to gain root permissions, SMP kernels that contain a race condition in the SMP page
table that can be exploited by a local attacker to gain root permissions; the
vulnerability of the auditing subsystem to a denial-of-service attack that may be
exploitable to crash the machine, a bug in the 32-bit compatibility layer on
64-bit machines that could cause 32-bit applications to run incorrectly, and
a denial-of-service attack under some conditions on machines with filesystems
mounted using NFS.
All Linux users should upgrade to a repaired kernel as soon as possible. SuSE
has released updated packages for SUSE Linux Enterprise Server 8 and 9, SUSE
Linux Desktop 1.0, and Novell Linux Desktop 9.
Darwin/Mac OS X Kernel Problems
Several bugs have been reported in the Darwin kernel used by OS X 10.3 that may be used in a local denial-of-service attack, or may possibly be exploitable to execute arbitrary code with root permissions. Code to automate exploiting one of these bugs as part of a local denial-of-service attack has been released to the public.
Users should watch Apple for a update to repair these problems.
Mac OS X iSync
The mRouter utility installed with Mac OS X's iSync application is reported
to be vulnerable to a buffer overflow that may be exploitable by a local attacker
to gain root permissions. The buffer overflow is exploited using the -a and
-v command-line switches. A utility to automate the exploitation of this buffer
overflow has been released to the public.
All users should watch Apple for a update to repair these problems. Administrators
of multiuser machines should consider removing the set user id bit from /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter until
iSync has been patched by Apple.
Ethereal
Ethereal is a graphical network protocol analyzer used for network troubleshooting, analysis, software development, protocol development, and education. A buffer overflow in the X11 dissector component of Ethereal can be exploited by a remote attacker using a carefully crafted IP packet, and could result in arbitrary code being executed with root permissions on the victim's machine.
Affected users should watch their vendors for a repaired version of Ethereal
and should consider not using it until it has been repaired.
enscript
GNU enscript, a utility used to convert plain text into PostScript, is reported
to be vulnerable to several bugs that may be exploitable to execute arbitrary
commands or to crash the program. In most cases, these bugs are only locally
exploitable, but in some cases (such as when enscript is used with viewcvs)
they may be exploitable remotely.
Users should watch their vendors for a repaired version of enscript. All affected
users should consider disabling enscript until it has been repaired. Updated
packages have been released for Debian GNU/Linux.
New Version of rssh
rssh is a restricted shell designed to be used with OpenSSH that places a
user in a chroot jail and by design only allows the remote execution of scp,
sftp-server, cvs, rdist, and rsync. Version 2.2.3 of rssh has been released
by the author and repairs a problem that, under some conditions, could result
in the execution of arbitrary commands or the execution of an uploaded shell
script. All users should upgrade as soon as possible.
hylafax
A flaw in the hylafax fax system can, under some conditions, result in an unauthorized
user gaining access. Systems with a hosts.hfaxd file that contains insufficient
host or user restrictions may allow unauthorized users or hosts access to the
fax server.
It is recommended that users upgrade as soon as possible and that they use
the hosts.hfaxd file to restrict access to hlyafax as securely as possible.
Debian, Gentoo, and Mandrake have released updated hylafax packages.
Xine-lib
Xine-lib, a video library used by the free Linux media players Xine, is reported
to be vulnerable to a buffer overflow in the pnm_get_chunk() function call
that could result in an attacker executing arbitrary code with the victim's permissions.
The authors of Xine-lib strongly recommend that users upgrade to the 1.0 release
of Xine-lib or apply the available patches.
mpg123
mpg123, a fast open source MPEG layer 1, 2, and 3 audio player for Unix systems,
is vulnerable to a buffer overflow that could be exploited by a remote attacker
using a carefully crafted MP2 or MP3 file. Successfully exploiting the buffer
overflow would cause arbitrary code to be executed with the victim's permissions.
This vulnerability affects all versions of mpg123 earlier than 0.59s-r9.
All users of mpg123 should upgrade to the newest version or to version 0.59s-r9
or newer.
Konversation
The IRC client Konversation is reported to contain several security problems, including: problems in the included Perl scripts can, under some circumstances, be exploited by a remote attacker and result in arbitrary commands being executed on the victims machine; Server::parseWildcards contains bugs that may be exploitable by a remote attacker in a denial-of-service attack against Konversation; and a design problem in the quick connection dialog could result in a user sending a password as his or her nickname.
Users should upgrade to version 0.15.1 of Konversation as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to LinuxDevCenter.com
