Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in
gzip, Mozilla and Firefox, OpenOffice.org,
the FreeBSD kernel, Ethereal, TCPDump,
libTIFF, Smail, Apache2's
htdigest, and SCO
gunzip are reported to be vulnerable to a race-condition-based attack
during the setting of file permissions. They also have a bug in the way filenames
are handled. The
zgrep utility is reported to not properly deal with command-line arguments. Successfully exploiting these vulnerabilities could result
in arbitrary files being overwritten, permissions being changed, or possibly,
in arbitrary commands being executed.
All users should watch their vendors for a repaired version of
gzip and related
All users of Mozilla or Firefox should watch their vendors for a repaired version of their browser.
A buffer overflow in the
StgCompObjStream::Load() function of OpenOffice.org
may be exploitable, under some conditions, to execute arbitrary code with the
permissions of the user running OpenOffice. The buffer overflow can be triggered
when the victim opens a carefully crafted .doc file with OpenOffice.org. The
buffer overflow affects version 1.1.4 and earlier and version 2.0beta and earlier.
It is recommended that all users of OpenOffice.org upgrade to version 1.9.95 when it becomes available or apply the currently available patch for version 1.1.4. Beta users should upgrade to the latest beta release. All users should exercise care when opening files from untrusted sources.
Problems in the
i386_get_ldt() function in the FreeBSD kernel may, under some
conditions, be exploitable by a local user to view unauthorized pieces of kernel
memory. This kernel memory could contain sensitive information such as user
User should upgrade to the latest version of the FreeBSD branch they are using.
Ethereal is an open source network sniffer that can inspect and dissect more than 600 network protocols. A buffer overflow in the SIP dissector is vulnerable to a remote attacker who sends a carefully crafted packet that is processed by Ethereal either directly from the network it is monitoring, or by processing a file recorded earlier. A program to automate the exploitation of this vulnerability has been released to the public.
In addition, problems in the following dissectors have been reported: ANSI A, GSM MAP, AIM, DISTCC, FCELS, KINK, LMP, Telnet, TZSP, WSP, 802.3 slow protocols, BER, SMB Mailslot, H.245, Bittorrent, SMB, Fibre Channel, DICOM, MGCP, RSVP, DHCP, SRVLOC, EIGRP, ISIS, CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explitit, PKIX Qualified, X.509, NDPS, Q.931, IAX2, ICEP, MEGACO, DLSW, RPC, NCP, RADIUS, GSM, SMB PIPE, L2TP, SMB NETLOGON, MRDISC, ISUP, LDAP, TCAP, NTLMSSP, and Presentation.
It is strongly recommended that users upgrade to Ethereal version 0.10.11 or newer as soon as possible.
The network sniffer TCPDump is reported to be vulnerable several to denial-of-service attacks based on bugs in the code TCPDump uses to handle ISIS, BGP, LDP, and RSVP packets.
Users should watch their vendors for an updated version of TCPDump.
libTIFF is a programming library that provides support for reading and manipulating
Tag Image File Format (TIFF) images. A bug in the library may be exploitable
by an attacker who creates a carefully crafted TIFF image with a malformed
BitsPerSample tag that the victim views with any application linked with the
Users should upgrade to
libTIFF version 3.7.2 or newer.
Also in Security Alerts:
The mail transport agent Smail is vulnerable to a buffer overflow that may be exploitable under certain conditions by a remote attacker to execute arbitrary code with root permissions. This buffer overflow affects version 184.108.40.206 of Smail and earlier. Code to automate the exploitation of this buffer overflow on some platforms has been released to the public.
Affected users should watch their vendors for a repaired version.
htdigest utility distributed with Apache 2 is reported to be vulnerable
to a buffer-overflow-based attack. The buffer overflow is reported to be in
code that handles the user and realm arguments. In most cases, this buffer overflow
is not exploitable for any gain in permissions. An example of a vulnerable
system would be one where the
htdigest utility is executable from a CGI script.
A remote attacker could then exploit the buffer overflow and execute code with
the permissions of the user account running the web server.
htdigest is used
to create and update the files used in digest authentication of HTTP users.
Affected users should disable the
htdigest utility or prevent it from being
executed by a remote user until it has been repaired.
SCO has announced a vulnerability in UnixWare's
chroot jail that can be exploited
by an attacker to escape the restrictions of
chroot. No details were provided
by SCO other than the vulnerability affects SCO's OpenServer 5.0.6 and 5.0.7.
SCO has released a patch for OpenServer 5.0.6 and 5.0.7.
The GNU project's GnuTLS library provides support for the TLS 1.0 and SSL 3.0 protocols. A bug in the record-packet-parsing functionality of the GnuTLS library may be exploitable by an attacker in a denial-of-service attack against an application linked with the library. There is also a bug reported in the RSA key export code.
Users should upgrade to either GnuTLS version 1.2.3 or 1.0.25.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to LinuxDevCenter.com
Copyright © 2009 O'Reilly Media, Inc.