zlib Compression Library Bug
03/18/2002
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a bug in the zlib compression library; buffer overflows in efingerd and many RADIUS servers; and problems in CVS, xtux, SMS Server Tools, and GNU
- zlib Compression Library
- RADIUS Servers
- GNU fileutils
- SMS Server Tools
The zlib compression library is used by hundreds of applications to provide compression and decompression functions. It has a flaw that can corrupt the data structures of the malloc function call and possibly be used in a denial-of-service attack, to view arbitrary data, or, under some circumstances, to execute arbitrary code. Libraries and any software statically linked to a library that are based on version 1.1.3 or earlier of zlib are vulnerable to this

Software that has been reported to be affected by this flaw (statically linked to code from a vulnerable version of the library) includes: the Linux Kernel, chromium, HDF, XFree86, abiword, Adobe Acrobat, Apache, evolution, MS Office, IE, DirectX, and many more. A longer list of applications that are reported to be vulnerable is available from http://www.gzip.org/zlib/apps.html.

Users should upgrade the zlib system libraries as soon as possible to version 1.1.4, and should upgrade any software based on, or linked to, version 1.1.3 or earlier of zlib. Many vendors have released updates for the library and for collections of statically linked applications.
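The hard part of this advisory is the statically linked copies: the system zlib package can be upgraded in one step, but every application that carries its own copy of the library keeps the flaw until it is rebuilt. One way to find those copies is to look for the banner strings that zlib's inflate.c and deflate.c embed in every build (of the form " inflate 1.1.3 Copyright 1995-1998 Mark Adler "). The scanner below is an added example, not code from the column or from the zlib project; the three sample "binaries" are constructed byte strings, not real files, and the scanner assumes the banner format just described.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Version triple parsed out of a zlib copyright banner. */
struct zlib_ver { int major, minor, patch; };

/* zlib embeds " inflate X.Y.Z Copyright ..." and " deflate X.Y.Z Copyright ..."
 * strings in every build, so a copy statically linked into a binary still
 * carries its version.  Scan a raw byte buffer for such a banner and parse
 * the version; returns true if one was found.  A byte-wise search is used
 * because the buffer is binary and may contain NUL bytes. */
bool find_zlib_banner(const unsigned char *buf, size_t len, struct zlib_ver *out)
{
    static const char *const tags[] = { "inflate ", "deflate " };
    for (int t = 0; t < 2; t++) {
        size_t tl = strlen(tags[t]);
        for (size_t i = 0; i + tl <= len; i++) {
            if (memcmp(buf + i, tags[t], tl) != 0)
                continue;
            /* Copy a bounded, NUL-terminated window after the tag for sscanf. */
            char win[48];
            size_t n = len - (i + tl);
            if (n > sizeof win - 1) n = sizeof win - 1;
            memcpy(win, buf + i + tl, n);
            win[n] = '\0';
            struct zlib_ver v;
            char word[16];
            if (sscanf(win, "%d.%d.%d %15s", &v.major, &v.minor, &v.patch, word) == 4
                && strcmp(word, "Copyright") == 0) {
                *out = v;
                return true;
            }
        }
    }
    return false;
}

/* The flaw described above is fixed in zlib 1.1.4; anything older is vulnerable. */
bool zlib_ver_vulnerable(const struct zlib_ver *v)
{
    if (v->major != 1) return v->major < 1;
    if (v->minor != 1) return v->minor < 1;
    return v->patch < 4;
}

/* Convenience: -1 = no zlib banner found, 0 = 1.1.4 or newer, 1 = vulnerable. */
int zlib_blob_status(const unsigned char *buf, size_t len)
{
    struct zlib_ver v;
    if (!find_zlib_banner(buf, len, &v)) return -1;
    return zlib_ver_vulnerable(&v) ? 1 : 0;
}

/* Constructed sample "binaries" for demonstration; these are not real files. */
static const unsigned char SAMPLE_OLD[] =
    "\x7f" "ELF\0\0\0" "... inflate 1.1.3 Copyright 1995-1998 Mark Adler \0...";
static const unsigned char SAMPLE_NEW[] =
    "\x7f" "ELF\0\0\0" "... deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \0...";
static const unsigned char SAMPLE_NONE[] =
    "\x7f" "ELF\0\0\0" "... no compression code in here ...";

/* Stand-alone use: report the embedded zlib version of each file named on
 * the command line. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        fseek(f, 0, SEEK_END);
        long sz = ftell(f);
        rewind(f);
        unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
        size_t got = buf ? fread(buf, 1, (size_t)sz, f) : 0;
        fclose(f);
        int st = zlib_blob_status(buf, got);
        printf("%s: %s\n", argv[i],
               st < 0 ? "no zlib banner" : st ? "VULNERABLE (< 1.1.4)" : "ok (>= 1.1.4)");
        free(buf);
    }
    return 0;
}
```

Run it over the binaries in /usr/bin, /usr/sbin and any third-party application directories; a hit below 1.1.4 in a program that does not use the shared library is exactly the statically linked case the advisory warns about, and that program needs a vendor update, not just a library upgrade.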
Concurrent Versions System (CVS), a version control system, is vulnerable under some conditions to a remote denial-of-service attack that will crash pserver. Versions of CVS through 1.11 also contain a vulnerable version of the zlib library and under some conditions may also be remotely vulnerable to an attack using the
Affected users should watch their vendor for an updated version and should consider removing remote access to CVS servers until it has been repaired.
Many RADIUS servers are vulnerable to a buffer overflow and a design flaw that can be used in a denial-of-service attack. If the attacker knows the shared secret, it is possible to exploit the buffer overflow to execute arbitrary code with the permissions of the user under which the RADIUS server is executing (often root). The denial-of-service attack is in code that does not properly validate the length of specific attributes.
Servers affected by the buffer overflow include (all earlier versions are also affected): Ascend RADIUS version 1.16, Cistron RADIUS version 1.6.4, FreeRADIUS version 0.3, GnuRADIUS version 0.95, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, RADIUS (also called Lucent RADIUS) version 2.1, RADIUSClient version 0.3.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.
Servers affected by the denial-of-service attack include (all earlier versions are also affected): Cistron RADIUS version 1.6.5, FreeRADIUS version 0.3, ICRADIUS version 0.18.1, Livingston RADIUS version 2.1, YARD RADIUS 1.0.19, and XTRADIUS 1.1-pre1.
It is recommended that affected users upgrade to a repaired version of their RADIUS server and protect the server from unauthorized connections with a firewall.
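Both RADIUS problems above come down to trusting the one-byte Length field of an attribute: a length of 0 or 1 stalls a loop that advances by it, and a length larger than what remains in the packet lets a copy run past the buffer. The following is an added example of the validation a server should do before touching any attribute; it is not code from any of the RADIUS implementations listed above. It follows the RFC 2865 packet layout (20-byte header, then Type/Length/Value attributes whose Length includes the Type and Length bytes) and uses three constructed Access-Request packets, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20      /* code(1) id(1) length(2) authenticator(16) */
#define RADIUS_MAX_LEN 4096    /* RFC 2865 upper bound on the Length field */

/* Walk every attribute in a RADIUS packet, validating each Length field
 * before trusting it.  Returns the attribute count, or -1 if the packet is
 * malformed.  Both failure modes from the advisory are caught here: an
 * attribute whose Length is 0 or 1 (a naive loop would never advance, or
 * would compute a negative value length) and one whose Length runs past
 * the end of the packet (a naive memcpy would read beyond the buffer). */
int radius_count_attrs(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN || declared > pktlen)
        return -1;                            /* Length field disagrees with what arrived */
    size_t off = RADIUS_HDR_LEN;
    int count = 0;
    while (off < declared) {
        if (declared - off < 2) return -1;    /* no room for Type + Length */
        uint8_t alen = pkt[off + 1];
        if (alen < 2) return -1;              /* Length counts itself: must be >= 2 */
        if (alen > declared - off) return -1; /* attribute claims more than remains */
        off += alen;
        count++;
    }
    return count;
}

/* Copy the first attribute of the given type into a caller-supplied buffer
 * as a NUL-terminated string.  Returns false if the packet is malformed, the
 * attribute is absent, or its value would not fit (including the NUL); the
 * fixed-size destination is never overrun. */
bool radius_get_string(const uint8_t *pkt, size_t pktlen, uint8_t type,
                       char *out, size_t outsz)
{
    if (radius_count_attrs(pkt, pktlen) < 0) return false;  /* validate once, up front */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    for (size_t off = RADIUS_HDR_LEN; off < declared; off += pkt[off + 1]) {
        if (pkt[off] != type) continue;
        size_t vlen = pkt[off + 1] - 2u;
        if (vlen + 1 > outsz) return false;   /* would overflow the destination */
        memcpy(out, pkt + off + 2, vlen);
        out[vlen] = '\0';
        return true;
    }
    return false;
}

/* Constructed Access-Request packets for demonstration (not captured
 * traffic).  Authenticator bytes are zero for brevity. */
#define AUTH16 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
static const uint8_t PKT_GOOD[] = {
    1, 0, 0, 31, AUTH16,
    1, 5, 'b', 'o', 'b',            /* User-Name = "bob" */
    4, 6, 10, 0, 0, 1,              /* NAS-IP-Address = 10.0.0.1 */
};
static const uint8_t PKT_ZERO_LEN[] = {   /* attribute Length of 0 */
    1, 0, 0, 31, AUTH16,
    1, 0, 'b', 'o', 'b',
    4, 6, 10, 0, 0, 1,
};
static const uint8_t PKT_OVERLONG[] = {   /* attribute Length past the packet end */
    1, 0, 0, 31, AUTH16,
    1, 64, 'b', 'o', 'b',
    4, 6, 10, 0, 0, 1,
};

int main(void)
{
    char name[16];
    printf("good packet: %d attributes\n", radius_count_attrs(PKT_GOOD, sizeof PKT_GOOD));
    printf("zero-length attribute: %d\n", radius_count_attrs(PKT_ZERO_LEN, sizeof PKT_ZERO_LEN));
    printf("overlong attribute: %d\n", radius_count_attrs(PKT_OVERLONG, sizeof PKT_OVERLONG));
    if (radius_get_string(PKT_GOOD, sizeof PKT_GOOD, 1, name, sizeof name))
        printf("User-Name = %s\n", name);
    return 0;
}
```

The design point is that the whole attribute list is validated once, before any attribute is used, so later code can index into the packet freely; the separate bounds check in radius_get_string is what keeps an attacker-controlled value length from overrunning a fixed-size destination even when the packet itself is well-formed.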
There is a bug in rsync that can cause it to fail to drop group permissions when it changes to the configured user and group IDs. rsync is also vulnerable to the
Users should upgrade rsync to version 2.5.4 or newer as soon as
efingerd is a customizable finger daemon. Version 1.3 is vulnerable to a buffer overflow that can be remotely exploited to execute arbitrary code with the permissions of the user running efingerd (usually the user nobody). Versions 1.3 and 1.6.1 have a feature that can be used by a local user to connect to the machine and execute arbitrary commands as the user that is executing efingerd. The feature can be turned off using the -u option. Users should watch for an updated version that repairs the buffer overflow and should consider disabling efingerd until it has been updated.
The maintainers of PureTLS have announced that an unspecified vulnerability in all versions prior to PureTLS 0.9b2 was discovered during an internal audit. PureTLS is a pure Java implementation of SSLv3/TLS.
They strongly recommend that all users upgrade to version PureTLS 0.9b2 or newer as soon as possible.
The server portion of the game xtux is vulnerable to a denial-of-service attack that can cause it to use large amounts of CPU time. Users should watch for an update and should consider setting up firewall rules to restrict who is allowed to connect to the
Under some conditions, a race condition in GNU fileutils can be used by a local attacker to cause users to remove unexpected files. This is caused by an insecure chdir("..") system call being used to return to higher-level directories during a recursive remove (rm -rf, for
A patch has been released for the 4.1.6 development version. Users should watch their vendor for an updated file utilities package.
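The race exists because chdir("..") resolves ".." at the moment of the call: if a directory on the path has been renamed or replaced while rm was working inside it, ".." can lead somewhere the user never intended. The fix for this class of bug is to stop depending on the current directory and anchor every step to an open file descriptor instead. The code below is an added example of that approach, written for this column; it is not the fileutils patch and not code from GNU fileutils or coreutils. It assumes a Linux or other POSIX.1-2008 system with openat(), fstatat(), unlinkat() and fdopendir(), and the sample tree it builds under /tmp (a subdirectory, a file, and a symlink to "..") is constructed for demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove `name`, a directory tree relative to the open directory `parent_fd`,
 * without ever calling chdir("..").  Each level is reached through a file
 * descriptor obtained with openat(), and the parent's descriptor stays open,
 * so renaming or replacing a directory while the walk is in progress cannot
 * redirect the removal to a different part of the file system.
 * Returns 0 on success, -1 on failure with errno set. */
static int remove_tree_at(int parent_fd, const char *name)
{
    struct stat st;
    if (fstatat(parent_fd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    if (!S_ISDIR(st.st_mode))
        return unlinkat(parent_fd, name, 0);   /* file or symlink: remove the entry only */

    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;

    /* The entry could have been swapped between fstatat() and openat();
     * refuse to descend unless the opened directory is the one examined. */
    struct stat opened;
    if (fstat(fd, &opened) < 0
        || opened.st_dev != st.st_dev || opened.st_ino != st.st_ino) {
        close(fd);
        errno = EAGAIN;
        return -1;
    }

    DIR *d = fdopendir(fd);                    /* d now owns fd */
    if (!d) { close(fd); return -1; }
    int rc = 0;
    struct dirent *de;
    while (rc == 0 && (de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) continue;
        rc = remove_tree_at(dirfd(d), de->d_name);   /* recurse via the fd, not chdir */
    }
    int saved = errno;
    closedir(d);
    errno = saved;
    if (rc != 0) return -1;
    return unlinkat(parent_fd, name, AT_REMOVEDIR);  /* now empty: remove the directory */
}

int remove_tree(const char *path)
{
    return remove_tree_at(AT_FDCWD, path);
}

/* Build a throwaway tree under /tmp for demonstration: a subdirectory, a
 * regular file, and a symlink pointing at ".." that must be unlinked, never
 * followed.  Single use; returns the root path (static storage) or NULL. */
const char *build_sample_tree(void)
{
    static char root[] = "/tmp/rmtree-demo-XXXXXX";
    char path[sizeof root + 32];
    if (!mkdtemp(root)) return NULL;
    snprintf(path, sizeof path, "%s/sub", root);
    if (mkdir(path, 0700) < 0) return NULL;
    snprintf(path, sizeof path, "%s/sub/file.txt", root);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return NULL;
    close(fd);
    snprintf(path, sizeof path, "%s/sub/up", root);
    if (symlink("..", path) < 0) return NULL;
    return root;
}

/* Stand-alone use: remove the directory tree named on the command line. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <directory>\n", argv[0]); return 2; }
    if (remove_tree(argv[1]) < 0) { perror(argv[1]); return 1; }
    return 0;
}
```

Two details carry the security argument: O_NOFOLLOW plus the st_dev/st_ino comparison after openat() closes the window between examining an entry and opening it, and the recursion passes the directory's own descriptor down rather than changing directory, so there is no chdir("..") for an attacker to redirect. The symlink to ".." in the sample tree is removed as an entry and never traversed.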
The SMS Server Tools package contains applications that are used to send short messages using GSM modems. Versions of SMS Server Tools before version 1.4.8 are vulnerable to format-string bugs that can be exploited to execute arbitrary commands with the permissions of the
It is recommended that users upgrade to version 1.4.8 of the SMS Server Tools as soon as possible.
Return to the Linux DevCenter.