

Security Alerts

Mozilla and Firefox Flaws

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in gzip, Mozilla and Firefox, OpenOffice.org, the FreeBSD kernel, Ethereal, TCPDump, libTIFF, Smail, Apache 2's htdigest, SCO UnixWare's chroot, and GnuTLS.


gzip

gzip and gunzip are reported to contain a race condition in the code that sets the permissions of an output file, and a bug in the way file names are handled. The zgrep utility is reported to handle its command-line arguments improperly. Successfully exploiting these vulnerabilities could allow arbitrary files to be overwritten, the permissions of arbitrary files to be changed, or possibly arbitrary commands to be executed.

All users should watch their vendors for a repaired version of gzip and related tools.
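The two file-handling mistakes described above are worth seeing beside their fixes. The following is an added example written for this column, not gzip's own code: it shows the "create the output, then chmod() it by name" pattern that a local attacker can race by swapping the name for a symlink, next to the descriptor-based form that cannot be redirected, and a filter for a file name recorded inside an archive (the name gunzip -N restores) that keeps only the final path component. The function names, the sample data written, and the 8-byte "data" payload are assumptions made for illustration.

```c
/* Added example, not gzip's code: the permission-setting race and the
 * stored-file-name problem the advisory describes, each next to a
 * hardened form. Function names are illustrative assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1. Permission setting.
 * Vulnerable pattern: create the output by name, write it, then
 * chmod() the *name*. Between the write and the chmod a local user
 * who can write the directory can replace the name with a symlink,
 * and the chmod (and the write before it) land on the link target. */
int create_then_chmod_by_name(const char *path, mode_t mode)
{
    FILE *f = fopen(path, "w");     /* follows a symlink if one is there */
    if (!f) return -1;
    fputs("data\n", f);
    fclose(f);
    /* race window: path may now name a symlink to someone else's file */
    return chmod(path, mode);       /* also follows the symlink */
}

/* Hardened form: create the file exclusively, refusing both an
 * existing name and a symlink, keep the descriptor, and apply the
 * mode with fchmod() on that descriptor. A descriptor refers to the
 * inode already opened, so nothing done to the name can redirect it. */
int create_then_fchmod(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (write(fd, "data\n", 5) != 5 || fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* 2. Stored-file-name handling.
 * gunzip -N restores the original name recorded in the archive. If
 * that name is used as given, "../../.ssh/authorized_keys" writes
 * outside the current directory. Keep only the last path component
 * and reject anything that is not a plain file name.
 * Returns 1 and fills out on success, 0 if the name is refused. */
int safe_basename(const char *stored, char *out, size_t outlen)
{
    const char *slash = strrchr(stored, '/');
    const char *base = slash ? slash + 1 : stored;
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    if (strlen(base) >= outlen)
        return 0;
    strcpy(out, base);
    return 1;
}

/* Helper: permission bits of the file a path resolves to, or -1. */
int mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}
```

The test below plants a symlink where the output file will go and shows that the by-name version changes the mode of the link target while the descriptor version refuses to create through the link at all. In real code the race is a matter of timing; the sequential version makes the outcome reproducible.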

Mozilla and Firefox

Several bugs and flaws in the Mozilla and Firefox web browsers have been announced recently. Examples of these bugs and flaws include: a web site could define its favicon as JavaScript, which would be executed when the icon is retrieved; and, under some conditions, pop-up windows could be opened with increased permissions that could be abused to install and execute arbitrary code with the victim's permissions.

All users of Mozilla or Firefox should watch their vendors for a repaired version of their browser.

OpenOffice.org

A buffer overflow in the StgCompObjStream::Load() function of OpenOffice.org may be exploitable, under some conditions, to execute arbitrary code with the permissions of the user running OpenOffice.org. The buffer overflow can be triggered when the victim opens a carefully crafted .doc file with OpenOffice.org. It affects version 1.1.4 and earlier and version 2.0beta and earlier.

It is recommended that all users of OpenOffice.org upgrade to version 1.9.95 when it becomes available or apply the currently available patch for version 1.1.4. Beta users should upgrade to the latest beta release. All users should exercise care when opening files from untrusted sources.

FreeBSD Kernel

Problems in the i386_get_ldt() function in the FreeBSD kernel may, under some conditions, be exploitable by a local user to read portions of kernel memory that they are not authorized to see. This kernel memory could contain sensitive information such as user passwords.

Users should upgrade to the latest version of the FreeBSD branch they are using.
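The column does not say which check i386_get_ldt() got wrong, so the following is an added example of the general problem rather than FreeBSD's code or fix: a system call that copies entries [start, start+num) of a kernel table to userland has to validate both arguments against the table length without letting the arithmetic wrap, or a large num lets the caller read past the table into the rest of kernel memory. The 8-entry table, the entry format, the request cap, and the function names are assumptions made for illustration.

```c
/* Added example, not FreeBSD's code. A constructed 8-entry "kernel
 * table" stands in for the LDT; names and the cap are assumptions. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define LDT_ENTRIES 8u
#define LDT_MAX_REQUEST 8192u   /* assumed upper bound on one request */

/* Stand-in for the kernel table. Entries hold recognisable values so a
 * test can tell table bytes from the bytes that follow the table. */
static const uint64_t kernel_ldt[LDT_ENTRIES] = {
    0x1111111111111111ull, 0x2222222222222222ull, 0x3333333333333333ull,
    0x4444444444444444ull, 0x5555555555555555ull, 0x6666666666666666ull,
    0x7777777777777777ull, 0x8888888888888888ull,
};

/* Vulnerable check: start + num is computed before either operand is
 * bounded. Unsigned addition wraps, so a huge num makes the sum small,
 * the check passes, and a caller that then copies num entries reads
 * far beyond the table: kernel memory the user is not entitled to. */
int ldt_range_ok_unsafe(unsigned start, unsigned num)
{
    return start + num <= LDT_ENTRIES;
}

/* Hardened check: bound each operand on its own, cap the request, and
 * compare against the remaining room so no expression can wrap. */
int ldt_range_ok(unsigned start, unsigned num)
{
    if (start >= LDT_ENTRIES) return 0;
    if (num == 0 || num > LDT_MAX_REQUEST) return 0;
    if (num > LDT_ENTRIES - start) return 0;   /* start < LDT_ENTRIES, no wrap */
    return 1;
}

/* Copy entries [start, start+num) into out (which must hold num slots).
 * Returns the number of entries copied, or -1 if the range is refused.
 * Only the hardened check guards the copy; the unsafe one is kept so
 * the test can show what it would have let through. */
int get_ldt(unsigned start, unsigned num, uint64_t *out)
{
    if (!ldt_range_ok(start, num)) return -1;
    memcpy(out, &kernel_ldt[start], (size_t)num * sizeof out[0]);
    return (int)num;
}
```

The wrapped request in the test (start 4, num UINT_MAX - 2) sums to 1 in unsigned arithmetic, so the unsafe check accepts it while the hardened check refuses it before any copy happens.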


Ethereal

Ethereal is an open source network sniffer that can inspect and dissect more than 600 network protocols. The SIP dissector contains a buffer overflow that a remote attacker can trigger with a carefully crafted packet, which Ethereal processes either directly from the network it is monitoring or from a capture file recorded earlier. A program to automate the exploitation of this vulnerability has been released to the public.

In addition, problems in the following dissectors have been reported: ANSI A, GSM MAP, AIM, DISTCC, FCELS, KINK, LMP, Telnet, TZSP, WSP, 802.3 slow protocols, BER, SMB Mailslot, H.245, Bittorrent, SMB, Fibre Channel, DICOM, MGCP, RSVP, DHCP, SRVLOC, EIGRP, ISIS, CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, X.509, NDPS, Q.931, IAX2, ICEP, MEGACO, DLSW, RPC, NCP, RADIUS, GSM, SMB PIPE, L2TP, SMB NETLOGON, MRDISC, ISUP, LDAP, TCAP, NTLMSSP, and Presentation.

It is strongly recommended that users upgrade to Ethereal version 0.10.11 or newer as soon as possible.


TCPDump

The network sniffer TCPDump is reported to be vulnerable to several denial-of-service attacks based on bugs in the code TCPDump uses to handle ISIS, BGP, LDP, and RSVP packets.

Users should watch their vendors for an updated version of TCPDump.


libTIFF

libTIFF is a programming library that provides support for reading and manipulating Tag Image File Format (TIFF) images. A bug in the library may be exploitable by an attacker who creates a carefully crafted TIFF image with a malformed BitsPerSample tag and gets the victim to view it with any application linked with the libTIFF library.

Users should upgrade to libTIFF version 3.7.2 or newer.


Smail

The mail transport agent Smail is vulnerable to a buffer overflow that may be exploitable, under certain conditions, by a remote attacker to execute arbitrary code with root permissions. This buffer overflow affects version of Smail and earlier. Code to automate the exploitation of this buffer overflow on some platforms has been released to the public.

Affected users should watch their vendors for a repaired version.

Apache 2 htdigest

htdigest is used to create and update the files used in HTTP digest authentication. The htdigest utility distributed with Apache 2 is reported to be vulnerable to a buffer-overflow-based attack in the code that handles the user and realm arguments. In most cases, this buffer overflow cannot be exploited for any gain in permissions. An example of a vulnerable system would be one where the htdigest utility can be executed from a CGI script with attacker-supplied arguments; a remote attacker could then exploit the buffer overflow and execute code with the permissions of the user account running the web server.

Affected users should disable the htdigest utility or prevent it from being executed by a remote user until it has been repaired.

SCO UnixWare chroot

SCO has announced a vulnerability in UnixWare's chroot jail that can be exploited by an attacker to escape the restrictions of chroot. No details were provided by SCO other than that the vulnerability affects SCO's OpenServer 5.0.6 and 5.0.7.

SCO has released a patch for OpenServer 5.0.6 and 5.0.7.


GnuTLS

The GNU project's GnuTLS library provides support for the TLS 1.0 and SSL 3.0 protocols. A bug in the record-packet-parsing code of the GnuTLS library may be exploitable by an attacker in a denial-of-service attack against any application linked with the library. A bug has also been reported in the RSA key export code.

Users should upgrade to GnuTLS version 1.2.3, or to version 1.0.25 if they are using the 1.0 branch.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
