

Security Alerts OpenSSH 3.2.2 Released

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a new version of OpenSSH that corrects several security problems; buffer overflows in Wu-imapd, Solaris' lbxproxy, tcpdump, mpg321, lukemftp, and OpenServer sar; and problems in bzip2, FreeBSD's k5su, SuSE's shadow/pam-modules utilities, Red Hat's XML Extras Mozilla packages, and the Quake II server.

OpenSSH 3.2.2

OpenSSH 3.2.2 has been released. This new version repairs a collection of security problems, including buffer overflows in Kerberos/AFS token passing and the Kerberos client code. In addition, it no longer automatically enables Kerberos/AFS; will only accept RSA keys with a minimum size; has experimental support for privilege separation; and improves support for smartcards, Kerberos, older sftp servers, and importing old DSA keys. Users of OpenSSH are encouraged to upgrade.

Wu-imapd

Some versions of the Wu-imapd IMAP daemon created and distributed by Washington University are vulnerable to a buffer overflow that can be exploited by a remote attacker (with an account on the system) to execute arbitrary code with the permissions of the attacker's account. Systems affected by this attack would, for the most part, be those that offer email accounts but do not allow their users shell access. Only versions of Wu-imapd that are compiled with legacy RFC 1730 support are vulnerable. The precompiled Wu-imapd daemons distributed by the University of Washington for the previous year are not vulnerable.

Affected users should watch their vendor for an updated version or apply the patch released by the University of Washington.

bzip2

bzip2, a file-compression utility, is vulnerable to a race condition in the window between creating a file and setting its permissions. The race condition can, under some circumstances, allow a local user to read files that they should not have permission to read.

Users should watch their vendor for a repaired version.
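The window the bzip2 advisory describes is the general create-then-chmod pattern, and the usual mitigation on the user's side is to create files under a restrictive umask so they never exist with wide permissions. The following added example (not bzip2's code or the column's) shows both: the mode a concurrent local user could observe between creation and chmod, and the umask-first form that closes the window. File names are constructed temporaries.

```shell
#!/bin/sh
# Added example, not from the column: the create-then-chmod window behind the
# bzip2 race, and the umask-first pattern that closes it.

# Print the permission string of a file, e.g. -rw-r--r--
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Unsafe pattern: the output file is created with the process umask (0644 under
# the common 022) and only then tightened with chmod. Print the mode a
# concurrent local user could observe between the two steps, then finish the
# chmod. The subshell keeps the umask change local to this function.
create_then_chmod() {
    rm -f "$1"
    (
        umask 022
        : > "$1"
        file_mode "$1"      # the window: another user can open the file here
        chmod 600 "$1"
    )
}

# Safe pattern: set a restrictive umask before the file is created so it never
# exists with permissions wider than the owner's. No chmod step is needed.
create_with_umask() {
    rm -f "$1"
    ( umask 077; : > "$1" )
    file_mode "$1"
}

# Usage with constructed temp files:
#   d=$(mktemp -d)
#   create_then_chmod "$d/old"    # prints -rw-r--r-- (the readable window)
#   create_with_umask "$d/new"    # prints -rw-------
```

Until a fixed bzip2 is available, running it from a shell whose umask is 077 (or wrapping it in a subshell as above) removes the readable window for files it creates.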

Solaris lbxproxy

The lbxproxy application under Sun Solaris is vulnerable to a buffer overflow that can be exploited by a local attacker to execute arbitrary code. Under Solaris x86, lbxproxy is installed with a set group id bit; exploiting this buffer overflow will result in increased permissions. The Sparc version of Solaris does not install lbxproxy with any set user id or group id bits, and exploiting this vulnerability on that platform will not grant any additional permissions.


It has been reported that patch 108653-41 repairs this vulnerability for Solaris 8 x86, that 108652-51 repairs the Sparc version of Solaris 8, and that there are patches available for Solaris 7.

FreeBSD k5su

The k5su utility, like the su utility, is used to switch to other user accounts but uses Kerberos 5 or the passwd file to authenticate. The k5su utility does not honor the wheel group restrictions when switching to the root account and does not have some of the features of su, such as checking for expired passwords, login classes, and a shell in /etc/shells. These problems can create a situation where restrictions placed on users are not being enforced.

Systems that do not need the functionality of k5su, or where the administrators find the risks unacceptable, should remove the set user id bit from k5su. Future versions of FreeBSD will install k5su if requested, but will not turn on the set user id bit by default.
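Removing the set-user-id bit, as the column recommends for k5su, is a small change that is easy to verify and worth scripting so it can be re-checked after upgrades. The following added example (not FreeBSD's or the column's code) audits a directory tree for set-user-id executables, drops the bit from a chosen binary, and confirms it is gone; the k5su path in the usage comment is assumed, not taken from the column.

```shell
#!/bin/sh
# Added example, not from the column: audit a tree for set-user-id executables
# and drop the bit from one you have decided not to trust (here, k5su).

# List regular files under $1 that carry the set-user-id bit, one per line.
# POSIX find: -perm -4000 matches when at least the setuid bit is set.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Return 0 if $1 has the set-user-id bit (an 's' or 'S' in the owner-execute
# position of the mode string), 1 otherwise.
has_setuid_bit() {
    case $(ls -ld "$1" | cut -c4) in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Remove the set-user-id bit from $1 and confirm it is gone; returns 1 if
# either the chmod failed or the bit is still present.
drop_setuid_bit() {
    chmod u-s "$1" && ! has_setuid_bit "$1"
}

# Usage (path assumed for illustration):
#   find_setuid /usr/bin
#   drop_setuid_bit /usr/bin/k5su
```

Run the audit again after installing system updates, since a package upgrade can reinstall the binary with its original mode.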

Mandrake tcpdump

Mandrake has released a new tcpdump package that fixes several buffer overflows that can be exploited by an attacker to crash tcpdump and possibly execute arbitrary code.

Affected users should upgrade as soon as possible.

mpg321

mpg321, a command-line MP3 player that was written as a replacement for mpg123, is vulnerable to a buffer overflow in the network streaming code that may be used by a remote attacker to execute arbitrary code. Versions of mpg321 before 0.2.9 are reported to be vulnerable.

It is recommended that users upgrade to mpg321 version 0.2.10 or newer as soon as possible.

lukemftp

lukemftp, an FTP client, has a buffer overflow in the code that handles the PASV command from an FTP server. This buffer overflow can be exploited by an attacker that controls a remote FTP server to execute code on the client machine with the permissions of the user executing lukemftp.

Users should watch their vendor for a repaired version of lukemftp. SuSE Linux has released updated packages that fix this problem.
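The lukemftp bug is an instance of a client trusting a server's reply; the PASV response carries six comma-separated numbers that the client has to parse before connecting. The following added example (not lukemftp's code) parses a "227 Entering Passive Mode" reply as untrusted input: it requires exactly six fields, each a canonical decimal in 0..255, and rejects anything else before any value is used. The reply strings in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not lukemftp's code: parse an FTP 227 (PASV) reply while
# treating it as untrusted server input. Expects the reply line as $1.

# Print "host port" for a well-formed reply, or print nothing and return 1.
parse_pasv() {
    reply=$1
    # The reply must carry code 227 and a parenthesised field list.
    case $reply in
        227*\(*\)*) ;;
        *) return 1 ;;
    esac
    inner=${reply#*\(}        # strip through the opening parenthesis
    inner=${inner%%\)*}       # strip from the closing parenthesis on
    # Split on commas (unquoted on purpose: word splitting does the split).
    # A well-formed reply has exactly six fields: four address bytes, two port bytes.
    set -- $(printf '%s\n' "$inner" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        # Each field: 1 to 3 decimal digits, no leading zero, value 0..255.
        # Checking shape and length first keeps the numeric test from ever
        # seeing oversized or non-numeric input.
        case $n in
            ''|*[!0-9]*|0?*) return 1 ;;
        esac
        [ ${#n} -le 3 ] && [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Usage with constructed replies:
#   parse_pasv '227 Entering Passive Mode (192,168,1,10,4,210)'   # 192.168.1.10 1234
#   parse_pasv '227 Entering Passive Mode (192,168,1,10,4)'       # rejected, returns 1
```

The point is the ordering: shape, count and range are all checked before the numbers are combined or handed to anything that connects, so a server sending extra fields, oversized numbers or junk never gets past the parser.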

SuSE shadow/pam-modules

There are bugs in the shadow/pam-modules utilities that can be exploited by a local attacker, under some conditions, to truncate the passwd or shadow file and, in the worst case, obtain root access. These bugs are reported to affect SuSE Linux version 8.0.

SuSE has released updated shadow and pam-modules packages and recommends that they be applied as soon as possible.

Red Hat's XML Extras Mozilla Packages

There is a component in the XML Extras package of Mozilla 0.9.9 and earlier that can be abused by a remote attacker to read arbitrary files and directories when Mozilla is used to view a specially crafted Web page.

Affected users should upgrade to the updated packages.

Quake II Server

A vulnerability has been announced in Quake II servers that can be exploited to obtain sensitive information that can then be used to access information (such as directory listings) and execute any server command, some of which will create files on the server.

Users should watch for an update to the Quake II server that repairs this problem.

OpenServer sar

The sar command under OpenServer 5.0.5 is vulnerable to a buffer overflow in its handling of the -o command-line parameter. This vulnerability also affects sadc, cpusar, and mpsar.

Caldera has released updated packages and recommends that users upgrade.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
