Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the standard C library libc and in pServ, UnAce, Quagga, and Zebra.

glibc, AKA GNU libc
Two security bugs have been found in the glibc package that contains the GNU libc standard C library. These bugs include a buffer overflow in getgrouplist() and a problem in the kernel netlink interface.

The buffer overflow in getgrouplist() only affects users when they have been assigned to an unusually high number of groups, but it could cause a security problem under some circumstances.

In some versions of the GNU libc library, the function getifaddrs() can accept spoofed kernel netlink messages and could result in a denial-of-service condition.

Red Hat has released updated glibc packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9. Users of other systems should watch their vendors for an update.
xinetd is a replacement for the inetd superserver. A new version has been released that fixes several bugs, including a memory leak that occurs when a connection is refused by xinetd. This memory leak could be used by a remote attacker in a denial-of-service attack against a server.

Users should upgrade to version 2.3.12 of xinetd as soon as possible. Conectiva has released updated packages for Conectiva Linux 7.0, 8, and 9, and SuSE Linux.
hylafax, an enterprise-class, open source fax server software package used to send and receive facsimiles and alphanumeric pages, is vulnerable, under some conditions, to a bug that can be exploited by a remote attacker to execute arbitrary code with root permissions. The bug can only be exploited if the 0x002 bit for the ServerTracing function is set. ServerTracing is not turned on by default, but is commonly set during troubleshooting.

All users of hylafax should turn off ServerTracing and then upgrade as soon as possible to the 4.1.8 patch-level code release. Repaired packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1; Conectiva Linux 9; and SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0.
pServ (pico Server) is a small web server coded in C with the goal of being very portable. Version 2.0.x of pServ is vulnerable to a remote attack that overflows a buffer and, in some circumstances, results in arbitrary code being executed with the permissions of the user running the web server. A script to automate the exploitation of this buffer overflow has been released to the public.

Users should watch for a repaired version.
UnAce, a utility to extract, view, and test the contents of an ACE archive, contains a buffer overflow in the code that handles the filenames of ACE archive files. Exploiting the buffer overflow can result in arbitrary code being executed with the permissions of the user running UnAce. Under some conditions, exploiting this buffer overflow could lead to a vulnerability; for example, if a remote user can specify a filename for extraction with UnAce. The buffer overflow is reported to affect versions of UnAce through 2.20.

Affected users should upgrade when a repaired version becomes available.
Quagga, a routing software suite (forked from Zebra) that provides implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPv3, and BGPv4 for Unix platforms, is vulnerable to a remote denial-of-service attack when the attacker can send packets to the command-line interface for the daemon. The attacker triggers the denial-of-service attack by sending a malformed packet during the telnet negotiation phase, causing Quagga to reference a null pointer and crash. This vulnerability affects all versions of Quagga prior to version 0.96.4, and GNU Zebra.

Affected users should upgrade to Quagga version 0.96.4 as soon as possible and should consider limiting access to the command-line interface of Quagga using a tool such as a firewall. A temporary workaround for this vulnerability, under some conditions, is to add -A 127.0.0.1 to the daemon's startup script, causing it to only accept connections from the local host. Red Hat has released an updated Zebra package that repairs this problem for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
Also in Security Alerts:
terminatorX is a realtime audio synthesizer that can be used to "scratch" digitally sampled audio data, similar to the way that DJs scratch vinyl records. terminatorX is reported to be vulnerable to three buffer overflows and a format-string bug. The buffer overflows are reported to be exploitable by a local attacker to gain root permissions. Scripts to automate the exploitation of these vulnerabilities have been released to the public. Versions of terminatorX through 3.8.1 are reported to be vulnerable.

Users should watch for a repaired version of terminatorX and, if it is installed on a multiuser system, should consider removing the package until it has been repaired.
omega-rpg, a text-based role playing game, is vulnerable to a buffer overflow in code that handles some environment variables. If the game is installed with any set user id or set group id bits (some distributions install games set group id to the group games), exploiting this buffer overflow can result in the attacker gaining additional permissions.

It is recommended that users remove any set user id and set group id bits that may be set on omega-rpg and watch for a repaired version. Debian has released a repaired version for Debian GNU/Linux 3.0 (alias
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.