Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in OpenSSH,
eldav, and PerlEdit.
- The GNU Bug-Tracking System
OpenSSH versions 3.6.1 and earlier have a bug that can be used under some conditions to bypass connection restrictions and allow users from unauthorized (or even restricted) hosts to connect. The bug may still be exploitable even when the
VeriftyReverseMapping parameter in the
sshd configuration file is set to
yes. F-Secure's SSH 1 and SSH 2 are not reported to be vulnerable to this bug.
Users should consider using a tool such as
tcp-wrappers or a firewall to provide additional host restrictions, and should watch for an update to OpenSSH.
radiusd-cistron server provides RADIUS (Remote Authentication Dial In User Service) authentication and logging to remote devices, applications, and servers. A buffer overflow in the
radiusd-cistron server's code that handles NAS numbers may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running the
radiusd-cistron server (often root).
It is recommended that users upgrade to a repaired version of
radiusd-cistron and that they consider protecting the server from unauthorized connections using a tool such as a firewall.
Ethereal, a network sniffing and analysis tool, is vulnerable to several denial-of-service attacks, a buffer overflow in the code dealing with the OSI dissector, and several other problems. A remote attacker who can send arbitrary packets onto the network that Ethereal is monitoring, or can place them into a trace file that is opened for analysis using Ethereal, can potentially execute arbitrary code with the permissions of the user running Ethereal.
Users are encouraged to upgrade to Ethereal 0.9.13 as soon as possible and should consider disabling Ethereal until it has been upgraded.
ypserv NIS server
ypserv NIS (Network Information Service) server is vulnerable to a trivial denial-of-service attack. If the attacker sends an NIS request over TCP and then does not respond to the response,
ypserv will fail to respond to all other requests. This vulnerability is reported to affect all version of
ypserv prior to 2.8.
Affected users should upgrade to version 2.8 of
ypserv as soon as possible.
lbreakout is a Breakout game for the X Window system written using the SDL library. Both the server and the client of the game are reported to be vulnerable to a format-string-based attack. In the case of the server, the vulnerability could be used by a remote attacker to execute arbitrary code with the permissions of the user running the game server. A script to automate the remote exploitation of the game has been released to the public.
Users should watch for a repaired version and should not run the vulnerable server on an untrusted network.
The GNU Bug-Tracking System
GNATS, the GNU bug-tracking system, is vulnerable to several buffer overflows that may be exploitable to execute arbitrary code with the permissions GNATS is running under (in most cases, the user
gnats or the root user). It has been reported that if the
gnats user id is not present when GNATS is installed, the installation will make the GNATS utilities set user id root. A utility for locally exploiting these buffer overflows in GNATS has been released to the public.
Users should watch for an updated version of GNATS or patches to repair these problems.
The caching FTP proxy server
frox is vulnerable during startup to a symbolic-link race condition that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running
Affected users should watch their vendor for an updated version.
poster takes a one-page PostScript file and scales it to an arbitrarily sized poster.
poster contains a buffer overflow that can be exploited using a carefully crafted PostScript file when the victim uses
poster to scale the image.
Users should exercise care in which PostScript files they scale using
poster, and should watch their vendor for a repaired version.
Also in Security Alerts:
emacs WebDAV (Web-based Distributed Authoring and Versioning) client is vulnerable to a symbolic-link temporary file race condition that, under some conditions, can be exploited to overwrite files on the system using the permissions of the user running
It is recommended that users upgrade to
eldav 0.7.2 as soon as
PerlEdit, an IDE for Perl and text editor that is available for Windows and Linux, is reported to be vulnerable to a denial-of-service attack that possibly could be exploited to execute code. It is reported that upon starting up, PerlEdit opens TCP port 1956, and that opening a connection to this port will cause PerlEdit to crash. This problem is reported to affect all versions of PerlEdit through 1.07.
Users should watch for updates to PerlEdit that repair this problem.
Read more Security Alerts columns.
Return to the Linux DevCenter.