Published on Linux DevCenter

Security Alerts: Kernel Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, AMD64 Linux kernels, XFree86, slocate, mod_python, susehelp, mutt, metamail, Mailmgr, PWLib, clamav, and NetBSD's Racoon IKE Daemon.

Linux Kernel

A new vulnerability has been discovered in the Linux kernel that can be exploited by a local attacker to gain root privileges or to crash the machine. The vulnerability is in the memory-management code behind the mremap() system call and is related to, but not the same as, the mremap() memory-management vulnerability in the Linux kernel that was reported earlier this year. A script that automates exploitation has already been released to the public, so any machine that gives shell access to untrusted users should be treated as urgently affected.

Repaired Linux kernel packages have been released for SuSE Linux 8.1, 8.2, and 9.0; Red Hat Linux 9; Debian GNU/Linux 3.0 (woody); Slackware 9.1 and -current; Conectiva Linux; and Trustix Secure Linux. Because the fix is in the kernel itself, installing the package is not enough: the system must be rebooted into the repaired kernel before it is protected.

AMD64 Linux Kernel

The ptrace emulation code used by AMD64 Linux kernels does not, under some conditions, handle the eflags register safely. A local attacker may be able to use this to gain root permissions.

Affected users should watch their vendors for a repaired kernel package.


XFree86

XFree86 contains a buffer overflow in the ReadFontAlias() function, as well as other security-related bugs, that under some conditions let a local attacker execute arbitrary code with root permissions. To exploit the ReadFontAlias() overflow, the attacker creates a font.alias file constructed to overflow a fixed-size buffer in that function. The X server runs setuid root and a local user can add directories to its font path (with the -fp option, for example), which is why a font file under the attacker's control is enough to reach the bug.

Users should watch for a repaired XFree86 package from their vendors. Note that some vendors have discussed forking XFree86 because of a change in its license. Repaired packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1; Conectiva Linux; Debian Linux; and Immunix OS 7.3.

mod_python

Apache is vulnerable to a remote denial-of-service attack when the mod_python module is loaded: a request carrying a specially constructed query string crashes the server process that parses it.

Users should watch their vendors for a repaired version of mod_python.

slocate

slocate is a version of the locate command designed to be more secure: the binary is installed setgid to the slocate group, and its database is readable only by that group, so users cannot learn the names of files in directories they are not allowed to read. slocate is vulnerable to a buffer overflow that a local attacker can trigger with a carefully crafted slocate database. On many systems, exploiting it gives the attacker the permissions of the slocate group, which is enough to read the full database and learn the file names it is meant to hide.

Fedora Legacy has released back-ported patches for Red Hat Linux 7.2, 7.3, and 8.0; Red Hat has released an updated package for Red Hat Linux 9; Mandrake has updated its packages for Mandrake 9.1, 9.2, 9.2/AMD64, and Corporate Server 2.1; Debian GNU/Linux 3.0 has been updated; and Trustix Secure Linux has been patched.

susehelp

The susehelp package distributed with SuSE Linux 9.0 contains CGI scripts that a remote attacker can use to execute arbitrary code with the permissions of the wwwrun user, the account the web server runs as on SuSE.

SuSE has released new susehelp packages that resolve this problem.


mutt

The mutt mail client is reported to be vulnerable to a remotely exploitable buffer overflow triggered by a carefully crafted email message. At minimum the message crashes mutt; it may also allow arbitrary code to run with the permissions of the user reading the message.

Users should upgrade to a repaired version of mutt as soon as possible. Repaired packages have been announced for Mandrake Linux 9.1, 9.2, and Corporate Server 2.1.

metamail

metamail, a utility for decoding MIME (Multipurpose Internet Mail Extensions)-encoded mail, is reported to contain multiple buffer overflows and format-string vulnerabilities that a carefully crafted MIME message may, under some conditions, be able to exploit. metamail is usually not run directly by the user; it is invoked behind the scenes by some news readers and mail clients (tin and elm, for example), so users of those programs are exposed even if they never call metamail themselves.

Affected users should watch for a repaired version of metamail.

Mailmgr

Mailmgr is an HTML report generator for sendmail log files. It is vulnerable to a trivially exploitable symbolic-link race condition: it writes its temporary files under predictable names in a shared directory, so a local attacker who creates a symbolic link with one of those names can make Mailmgr overwrite any file on the system with the permissions of the user running it. Mailmgr is often run as root, so the bug can be used to destroy system files as part of a denial-of-service attack.

It is recommended that Mailmgr be configured with the temporary_dir option in mailmgr.conf so that it keeps its temporary files in a protected directory, one writable only by the account that runs Mailmgr.
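As an added example, not Mailmgr's own code (which this page does not show), the C program below plays the race out in miniature inside a scratch directory: the attacker plants a symbolic link under the predictable name, a naive open() with O_CREAT|O_TRUNC follows the link and overwrites the target, an open() with O_EXCL|O_NOFOLLOW refuses it, and mkstemp() in a private directory (which is what the temporary_dir advice achieves) leaves no guessable name at all. The scratch directory, the "protected" target file and the report.tmp name are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naive pattern: a well-known name, O_CREAT without O_EXCL, symlinks followed.
 * Whatever the name already points at gets truncated and rewritten. */
int naive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: an entry already present under the name makes open() fail
 * (EEXIST) instead of being reused, and a symbolic link is never followed
 * (ELOOP). Either flag alone defeats the planted link; use both. */
int safe_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Best pattern: an unpredictable name inside a directory only we can write.
 * mkstemp() opens with O_CREAT|O_EXCL internally. (Hypothetical helper.) */
int private_tempfile(const char *private_dir, char *path_out, size_t len)
{
    snprintf(path_out, len, "%s/mailmgr.XXXXXX", private_dir);
    return mkstemp(path_out);
}

static int write_all(int fd, const char *s)
{
    size_t n = strlen(s);
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

static int read_small(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Run the race inside a fresh mode-0700 scratch directory (a constructed
 * stand-in for a shared /tmp and for a protected file such as /etc/passwd).
 * Returns 1 when the naive open clobbers the target, the hardened open refuses
 * the planted link and the private temp file is created; 0 for any other
 * outcome; -1 if the scratch directory could not be set up. */
int demo(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "racedemo.XXXXXX");          /* fall back to the cwd */
        if (!mkdtemp(dir)) return -1;
    }
    char target[64], link[64], tmp[64], content[32];
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(link, sizeof link, "%s/report.tmp", dir);

    /* 1. The protected file exists with known content. */
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write_all(fd, "original\n") != 0) return -1;
    close(fd);

    /* 2. The attacker plants a symlink under the name the victim will use. */
    if (symlink(target, link) != 0) return -1;

    /* 3. The victim (root, in the real case) opens the predictable name. */
    int result = 0;
    fd = naive_open(link);
    if (fd >= 0) {
        if (write_all(fd, "clobbered\n") == 0 &&
            read_small(target, content, sizeof content) > 0 &&
            strcmp(content, "clobbered\n") == 0)
            result = 1;                          /* protected file overwritten */
        close(fd);
    }

    /* 4. The same planted link against the hardened open: refused. */
    fd = safe_open(link);
    if (fd >= 0) { close(fd); result = 0; }
    else if (errno != EEXIST && errno != ELOOP) result = 0;

    /* 5. A private temp file: nothing for an attacker to pre-create. */
    fd = private_tempfile(dir, tmp, sizeof tmp);
    if (fd < 0) result = 0; else { close(fd); unlink(tmp); }

    unlink(link); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("naive open overwrote the target, hardened open refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The check in step 4 is the one to carry over to any script that writes under /tmp: if the open does not fail when something already sits under the name, the name is exploitable. Note that O_NOFOLLOW only protects the final path component; a symlinked parent directory still needs a private, non-world-writable location, which is exactly what temporary_dir provides.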

PWLib

PWLib is the support library for the OpenH323 project, an implementation of the ITU H.323 teleconferencing protocol used by GnomeMeeting and other applications. Versions of PWLib before 1.6.0 contain bugs that a remote attacker can use to mount a denial-of-service attack against any application linked with PWLib.

Anyone running teleconferencing software linked with PWLib should upgrade the library to version 1.6.0 or newer; applications that link PWLib statically must be rebuilt against the new version.

clamav

Version 0.65 of the clamav anti-virus toolkit is reported to contain a buffer overflow that can be triggered remotely with a uuencoded email message. The flaw is in a libclamav function that calculates the line length of a uuencoded message. Because clamav is commonly run on mail servers to scan incoming mail, anyone able to send a message to a protected site can deliver the trigger.

Users should upgrade to version 0.67 of clamav as soon as possible.
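The class of bug here, a length taken from untrusted input and used to size writes into a fixed buffer, is the same one behind the ReadFontAlias() font.alias overflow and the slocate database overflow above. As an added illustration that is not ClamAV's (or XFree86's or slocate's) code, the C decoder below shows how each uuencoded line carries its own length byte, what a naive decoder believes that byte says, and the checks a hardened decoder applies before writing anything. The sample lines and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A uuencoded line never carries more than 45 data bytes. */
#define UU_MAX_LINE_BYTES 45

/* Scratch buffer sized for the format's maximum; the demo decodes into it. */
unsigned char uu_buf[UU_MAX_LINE_BYTES];

/* One printable character holds six bits; '`' is the usual stand-in for a
 * zero value, which the mask takes care of. */
static int uu_val(unsigned char c)
{
    return (c - ' ') & 0x3f;
}

/* What a naive decoder believes: the leading length byte, taken at face value.
 * Six bits can claim up to 63 bytes, more than the 45-byte buffer the format
 * justifies, and nothing ties the claim to how many characters follow. */
int uu_claimed_len(const char *line)
{
    return uu_val((unsigned char)line[0]);
}

/* Hardened decoder: check the claimed length against the format maximum, the
 * destination size and the characters actually present before writing anything.
 * Returns the number of bytes written, or -1 for a malformed line. */
int uu_decode_line(const char *line, unsigned char *out, size_t outlen)
{
    size_t linelen = strcspn(line, "\r\n");     /* ignore the line terminator */
    if (linelen == 0)
        return -1;
    int n = uu_claimed_len(line);
    if (n > UU_MAX_LINE_BYTES || (size_t)n > outlen)
        return -1;                              /* bogus length: refuse, never overflow */
    size_t need = 1 + ((size_t)n + 2) / 3 * 4;  /* length char + 4 chars per 3 bytes */
    if (linelen < need)
        return -1;                              /* short line: would read past its end */

    const unsigned char *p = (const unsigned char *)line + 1;
    int written = 0;
    for (int i = 0; i < n; i += 3, p += 4) {
        uint32_t v = ((uint32_t)uu_val(p[0]) << 18) | ((uint32_t)uu_val(p[1]) << 12)
                   | ((uint32_t)uu_val(p[2]) << 6)  |  (uint32_t)uu_val(p[3]);
        unsigned char b[3] = { (unsigned char)(v >> 16),
                               (unsigned char)(v >> 8),
                               (unsigned char)v };
        for (int j = 0; j < 3 && i + j < n; j++)
            out[written++] = b[j];
    }
    return written;
}

int main(void)
{
    /* Constructed samples: a well-formed line encoding "Cat", a line whose
     * length byte claims 63 bytes, and a line claiming 45 bytes but cut short. */
    const char *good = "#0V%T";
    const char *bogus = "_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *truncated = "M0V%T";

    printf("naive length for bogus line: %d bytes (buffer holds %d)\n",
           uu_claimed_len(bogus), UU_MAX_LINE_BYTES);
    printf("hardened decode: good=%d bogus=%d truncated=%d\n",
           uu_decode_line(good, uu_buf, sizeof uu_buf),
           uu_decode_line(bogus, uu_buf, sizeof uu_buf),
           uu_decode_line(truncated, uu_buf, sizeof uu_buf));
    return 0;
}
```

The two rejections are the ones a scanner needs: the format's own ceiling of 45 bytes bounds what the length byte may say, and the count of characters actually on the line bounds what may be read. A decoder that trusts only the length byte fails both ways, writing past a 45-byte buffer on a line starting with '_' and reading past the end of a short line.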

Racoon IKE Daemon

NetBSD's Racoon IKE (Internet Key Exchange) daemon has a flaw that a remote attacker can abuse to remove the keys of established security associations or to shut down the ISAKMP SA channel, tearing down IPsec connections and causing a denial of service.

NetBSD IPsec users should upgrade to the new Racoon package as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.