Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Linux kernels, GNU Zip, xaos, Speak Freely, eterm, Hangul Terminal, zblast/xzb, and zenTrack.
Linux 2.4 kernels are vulnerable to a denial-of-service attack and to a vulnerability in the mxcsr code that can be used by an attacker to modify CPU state addresses. The denial-of-service attack uses a problem in the TTY layer code of the 2.4 Linux kernel to cause a kernel oops.
Users should watch their vendor for an updated kernel and related packages. Red Hat, Mandrake, and Debian are known to have released an updated kernel package.
A bug in the ICMP code of Linux 2.0 kernels can be exploited by a remote attacker, under some conditions, to read random pieces of memory on the machine under attack. The bug is in the code that calculates the size of the ICMP packet. The bug is reported to affect Linux kernels 2.0.39 and earlier. A script that automates the exploitation of this bug has been released.
Affected users should upgrade to a repaired kernel as soon as one becomes available. It has been reported (but not confirmed) that this problem will be repaired in the Linux 2.0.40 kernel.
The znew shell script contained in the GNU Zip (gzip) package is reported to be vulnerable to a symbolic-link, temporary-file race condition that can be used by a malicious user to overwrite arbitrary files with the permissions of the user executing znew. znew is used to convert files compressed with the compress utility to the gzip compression format.
It is recommended that on multi-user systems znew be disabled until a repaired gzip package has been installed.
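As an added example (not code from the gzip project or from this column), the shell functions below show the temporary-file handling that avoids the race described above: mktemp creates the file atomically under an unpredictable name, and the path is re-checked for a symbolic link before anything is written through it. The .Z-to-.gz conversion function is illustrative; its use of gzip -dc on compress(1) input is an assumption about the installed gzip.

```shell
#!/bin/sh
# Added example: safe temporary-file handling for a script such as znew.
# A fixed, predictable temp name lets another local user pre-create a symlink
# at that path and redirect the script's write to a file of their choosing.
# mktemp creates a fresh file (mode 0600, random suffix) so there is nothing
# for an attacker to pre-create.

# Create a private temp file and print its path. Honors TMPDIR if set.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/znew.XXXXXX"
}

# Check that a path we are about to write is a regular file we own and is
# not a symbolic link (the vector in the znew race). 0 = safe, 1 = unsafe.
tmpfile_is_safe() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
        return 1
    fi
    return 0
}

# Convert one compress(1) .Z file to gzip format via a safe temp file,
# keeping the original if any step fails (assumes gzip -dc accepts .Z input).
convert_z_to_gz() {
    src=$1
    case "$src" in
        *.Z) ;;
        *) echo "not a .Z file: $src" >&2; return 1 ;;
    esac
    tmp=$(safe_tmpfile) || return 1
    tmpfile_is_safe "$tmp" || { rm -f "$tmp"; return 1; }
    # Note: a plain pipeline only reports the exit status of its last command.
    if gzip -dc "$src" | gzip -c > "$tmp"; then
        mv "$tmp" "${src%.Z}.gz" && rm -f "$src"
    else
        rm -f "$tmp"
        return 1
    fi
}
```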
xaos, a real-time interactive fractal viewer written to be fast and portable, can be exploited by a local attacker to gain root permissions when it is installed set user id root. xaos is often installed set user id root so that it can use the features of the svgalib library.
Affected users should remove the set user id bit or, if the svgalib functionality is required, make the executable runnable only by a trusted group of users.
Speak Freely is an open source, encrypted voice communications package for Unix and Windows. Speak Freely contains multiple remotely exploitable buffer overflows that can be used to execute arbitrary code; is vulnerable to a temporary-file, symbolic-link race condition that can be used by a local attacker to overwrite files on the system; and, under some conditions, can be exploited as a UDP open relay. It has been reported that Speak Freely 7.5 for Unix is completely vulnerable to these problems and that Speak Freely 7.1 for Windows and Unix is vulnerable to some of these problems.
Users should upgrade to version 7.6 of Speak Freely, which is reported to be patched against most of these problems. They should also watch for a version that repairs the remaining problems.
The terminal emulator eterm is vulnerable to a buffer overflow in the code that handles the ETERMPATH environment variable. This buffer overflow can be exploited by a local attacker to execute arbitrary code with the permissions under which eterm is running. eterm is often installed set group id.
It is recommended that users disable eterm or remove any set user id or set group id bits from eterm until it has been replaced with a repaired version.
The Hangul Terminal emulator hanterm is vulnerable to multiple attacks using escape sequence codes, including an attack that, under some conditions, can result in arbitrary code being executed with the victim's permissions, and a denial-of-service attack against the terminal.
Users should watch their vendor for updated hanterm packages.
It has been reported that the typing program typespeed is vulnerable to a buffer overflow when the game is started in server mode. This can then be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the game and the permissions of the games group.
It is recommended that users not start the game in server mode until it has been updated to a repaired version.
mikmod has a buffer overflow that can be exploited by an attacker who crafts an archive file with a long enough file name inside of it.
Affected users should watch their vendor for a repaired version of mikmod. Debian has released updated packages.
kon2, a console Kanji emulator, is vulnerable to a local, exploitable buffer overflow that can result in the attacker gaining root permissions. A script to automate the exploitation of this vulnerability has been released to the public.
It is recommended that users disable kon2 until a repaired package has been installed.
zblast/xzb is a space shooting game. zblast is the SVGA version of the game, and xzb is an X11 version. Both versions have a buffer overflow in the code that writes high score information, which can be exploited to execute arbitrary code with the permissions of the games group.
Affected users should disable xzb or remove the set group id bit from the executables until it has been repaired.
zenTrack, a work-order management system written using PHP, is vulnerable to a remote attack that can be used to execute arbitrary code with the permissions of the user running the web server.
Users should watch for a repaired version and should consider protecting zenTrack from untrusted networks using a firewall.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.