Linux DevCenter    
 Published on Linux DevCenter (
 See this if you're having trouble printing code examples

Security Alerts

zlib Compression Library Bug


Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a bug in the zlib compression library; buffer overflows in efingerd and many RADIUS servers; and problems in CVS, rsync, PureTLS, xtux, SMS Server Tools, and GNU fileutils.

zlib Compression Library

The zlib compression library is used by hundreds of applications to provide compression and uncompression functions. It has a flaw that can corrupt the data structures of the malloc function call and possibly be used in a denial-of-service attack, to view arbitrary data, or, under some circumstances, to execute arbitrary code. Libraries and any software statically linked to a library that are based on version 1.1.3 or earlier of zlib are vulnerable to this flaw.

Software that has been reported to be affected by this flaw (statically linked to code from a vulnerable version of the zlib library) include: the Linux Kernel, gpg, rsync, cvs, rrdtool, freeamp, Netscape, vnc, ssh-1.2.33, ssh-3.1.0, gcc 3.0, gcc-2.96, mirrordir, ppp, chromium, HDF, XFree86, rpm, libdiffie, flash, qt-embedded, pngcrush, librpm, popt, cpp, libstdc++, libgcj, xterm, abiword, Adobe Acrobat, Apache, dictd, evolution, MS Office, IE, DirectX, and many more. A longer list of applications that are reported to be vulnerable is available from

Users should upgrade the zlib system libraries as soon as possible to version 1.1.4, and should upgrade any software based on, or linked to, version 1.1.3 or earlier of zlib. Many vendors have released updates for the library and collections of statically linked applications.


Concurrent Versions System (CVS), a version control system, is vulnerable under some conditions to a remote denial-of-service attack that will crash pserver. Versions of CVS through 1.11 also contain a vulnerable version of the zlib library and under some conditions may also be remotely vulnerable to an attack using the zlib vulnerability.

Affected users should watch their vendor for an updated version and should consider removing remote access to CVS servers until it has been repaired.

RADIUS Servers

Many RADIUS servers are vulnerable to a buffer overflow and a design flaw that can be used in a denial-of-service attack. If the attacker knows the shared secret, it is possible to exploit the buffer overflow to execute arbitrary code with the permissions of the user under which the RADIUS server is executing (often root). The denial-of-service attack is in code that does not properly validate the length of specific attributes.

Servers affected by the buffer overflow include (all earlier versions are also affected): Ascend RADIUS version 1.16, Cistron RADIUS version 1.6.4, FreeRADIUS version 0.3, GnuRADIUS version 0.95, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, RADIUS (also called Lucent RADIUS) version 2.1, RADIUSClient version 0.3.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.

Related Reading

Linux Network Administrator's Guide
By Olaf Kirch, Terry Dawson

Servers affected by the denial-of-service attack include (all earlier version are also affected): Cistron RADIUS version 1.6.5, FreeRADIUS version 0.3, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.

It is recommended that affected users upgrade to a repaired version of their RADIUS server and protect the server from unauthorized connections with a firewall.


There is a bug in rsync that can cause it to not drop group permissions when it changes to configured user and group IDs. rsync is also vulnerable to the zlib bug.

Users should upgrade rsync to version 2.5.4 or newer as soon as possible.


efingerd is a customizable finger daemon. Version 1.3 is vulnerable to a buffer overflow that can be remotely exploited to execute arbitrary code with the permissions of the user running efingerd (usually the user nobody). Versions 1.3 and 1.6.1 have a feature that can be used by a local user to connect to the machine and execute arbitrary commands as the user that is executing efingerd.

The feature can be turned off using the -u option. Users should watch for an updated version that repairs the buffer overflow and should consider disabling efingerd until it has been updated.


The maintainers of PureTLS have announced that an unspecified vulnerability in all versions prior to PureTLS 0.9b2 was discovered during an internal audit. PureTLS is a pure Java implementation of SSLv3/TLS.

They strongly recommend that all users upgrade to version PureTLS 0.9b2 or newer as soon as possible.


The server portion of the game xtux is vulnerable to a denial-of-service attack that can cause it to use large amounts of CPU time.

Users should watch for an update and should consider setting up firewall rules to restrict who is allowed to connect to the xtux server.

GNU fileutils

Under some conditions, a race condition in GNU fileutils can be used by a local attacker to cause users to remove unexpected files. This is caused by a insecure chdir("..") system call being used to return to higher level directories during a recursive remove (rm -rf, for example).

A patch has been released for the 4.1.6 development version. Users should watch their vendor for an updated file utilities package.

SMS Server Tools

The SMS Server Tools package contains applications that are used to send short messages using GSM modems. Versions of SMS Server Tools before version 1.4.8 are vulnerable to string-format bugs that can be exploited to execute arbitrary commands with the permissions of the user executing smsd.

It is recommended that users upgrade to version 1.4.8 of the SMS Server Tools as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.