Security Alerts

PHP Problems

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PHP, Emacs, ftpd-ssl, Lynx, Roaring Penguin pppoe, OpenVPN, RAR, Fedora Core X-Chat, HP-UX xterm, libungif4, and GpsDrive.

PHP 4.4.1

A new version of PHP has been released that fixes many bugs, including some that are security-related. Security problems repaired include flaws in the file upload code, several bugs that allow global variables to be overwritten, and memory corruption bugs.

Users of PHP 4.3 and 4.4 are encouraged to upgrade to version 4.4.1 of PHP.


Emacs

Emacs will execute arbitrary Lisp code when a text file is opened with code in the local variables section of the file. This affects Emacs versions 21.2.1 and earlier.

Users should upgrade to version 21.3 of Emacs. Users should also consider adding (setq enable-local-variables nil) to their .emacs configuration file; note that this disables processing of file-local variables altogether, including the harmless ones that set the major mode or indentation.


ftpd-ssl

ftpd-ssl, an FTP server that supports SSL encryption, is reported to be vulnerable to a buffer overflow that may be exploitable by a remote attacker to execute arbitrary code with root's permissions.

Affected users should watch their vendors for a repaired version. Debian has released an updated version for sarge.


Lynx

Lynx is a text-mode web browser for Unix machines. Some configurations of Lynx contain a mistake in the configuration of the lynxcgi: URL handler that may be exploited by a remote attacker to execute arbitrary commands on the victim's machine. Version 2.8.5 of Lynx is reported to be vulnerable, as are the versions distributed in Red Hat Linux, Gentoo, and Mandriva. The versions of Lynx distributed with FreeBSD and OpenBSD are reported not to be vulnerable.

Users should upgrade to version 2.8.6dev.15 or newer as soon as possible. A possible workaround for this problem is to add the line TRUSTED_LYNXCGI:none to the lynx.cfg file.

Roaring Penguin pppoe

A recent security announcement claimed that if Roaring Penguin pppoe (PPP over Ethernet) is installed set user id root, it is vulnerable to a bug that can allow an attacker to overwrite arbitrary files on the system with root permissions. This security announcement is misleading, as there are no reported Linux distributions that install rp-pppoe set user id root.

David Skoll of Roaring Penguin said about this problem: "Naturally, we advise people not to run pppoe SUID-root, just as we'd advise people not to run vi or cat or sed SUID-root. The whole issue is nonsensical."


OpenVPN

OpenVPN is a full-featured SSL VPN that runs on Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Solaris, and Windows 2000/XP. OpenVPN is reported to be vulnerable to an attack that could result in arbitrary code being executed on the victim's machine.

All users of OpenVPN should upgrade to version 2.0.4 or newer as soon as possible.


RAR

RAR, an archiving tool that can use the .zip and .rar file formats, is reported to be vulnerable to a buffer overflow and a format-string-type vulnerability that could result in arbitrary code being executed with the user's permissions. Both of these vulnerabilities are exploited through a carefully crafted archive file that the user uncompresses using RAR.

All users of RAR should upgrade to version 3.5.1 or newer as soon as possible.

Fedora Core X-Chat

X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window System and uses either the GTK+ toolkit or Gnome libraries. Patches have been released for Fedora Core 1 and 2 that repair a long-standing buffer overflow in X-Chat. The buffer overflow is in the code that handles Socks-5 proxies in X-Chat and may be exploitable, under some conditions, by a remote attacker to execute arbitrary code on the victim's machine. The victim must connect to a proxy server controlled by an attacker to be vulnerable to this buffer overflow.

It is recommended that Fedora Core 1 and 2 users stop using untrusted Socks-5 proxy servers until they have upgraded their X-Chat applications.

HP-UX xterm

An unspecified security problem with xterm under HP-UX has been announced by HP. The announcement states that local users can exploit this vulnerability to gain unauthorized access. This probably indicates access to the root account. Versions B.11.00, B.11.11, and B.11.23 of HP-UX are reported to be affected.

Affected users should contact HP for more information. A suggested workaround is to replace the vulnerable xterm with the one located at /usr/contrib/bin/X11R5/xterm, keeping a copy of the original without the set-user-id bit. For example:

cp /usr/bin/X11/xterm /usr/bin/X11/xterm.nosuid
chmod 555 /usr/bin/X11/xterm.nosuid
cp /usr/contrib/bin/X11R5/xterm /usr/bin/X11/xterm

Note that cp onto an existing file rewrites its contents but does not reset that file's mode bits, so the replacement xterm ends up with whatever permissions the original had. Check the result with ls -l /usr/bin/X11/xterm afterwards and confirm that it is what you intend.
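The same swap, written as a checked shell function. This is an added example and not HP's procedure or code from the column: the directory, the replacement binary, and the final mode are parameters (an assumption made so the steps can be rehearsed in a scratch directory before touching /usr/bin/X11), it refuses to overwrite an existing xterm.nosuid backup, and it sets the installed file's mode explicitly instead of inheriting it from the binary being replaced.

```sh
#!/bin/sh
# Added example, not from HP or from the column. Assumptions: $1 is the
# directory holding the installed xterm, $2 is the replacement binary, and
# $3 is the octal mode the installed xterm should end up with (4555 keeps
# it set-user-id root, 555 drops the bit). Paths are parameters so the
# procedure can be rehearsed in a scratch directory.
swap_xterm() {
    bindir=$1 src=$2 mode=$3
    old="$bindir/xterm"
    bak="$bindir/xterm.nosuid"

    if [ ! -f "$old" ] || [ ! -f "$src" ]; then
        echo "swap_xterm: missing $old or $src" >&2
        return 1
    fi
    # Never clobber an earlier backup: a second run would copy the
    # already-installed replacement over the saved original.
    if [ -e "$bak" ]; then
        echo "swap_xterm: $bak already exists, refusing to overwrite it" >&2
        return 1
    fi
    # Keep the old binary for comparison, but never runnable with elevated
    # privilege: mode 555 carries no set-user-id bit.
    cp "$old" "$bak" && chmod 555 "$bak" || return 1
    # cp onto an existing file rewrites its contents and leaves the inode's
    # mode bits as they were, so the result would inherit the old xterm's
    # permissions; set the final mode explicitly instead.
    cp "$src" "$old" && chmod "$mode" "$old" || return 1
    # Report what was installed so the operator can confirm it.
    if [ -u "$old" ]; then
        echo "swap_xterm: $old installed with the set-user-id bit" >&2
    else
        echo "swap_xterm: $old installed without the set-user-id bit" >&2
    fi
    return 0
}

# Usage on the HP-UX paths from the advisory (run as root):
#   swap_xterm /usr/bin/X11 /usr/contrib/bin/X11R5/xterm 4555
```

Whether the replacement xterm needs the set-user-id bit at all is a decision for the operator; passing 555 installs it without the bit, and the function's final message states which of the two happened.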


libungif4

The libungif4 library is reported to be vulnerable to several attacks that could result in a denial of service or, under some conditions, in arbitrary code being executed.

Users should watch their vendors for a repaired version of the library. Debian has released a repaired version for woody, sarge, and sid.


GpsDrive

GpsDrive is a Linux and FreeBSD application that displays your position, supplied by an NMEA-capable GPS receiver, on a zoomable map. A format-string vulnerability has been reported that may be exploitable by a local attacker to execute arbitrary code.

Debian has released repaired packages for sarge and sid. Users of other distributions should watch for a repaired version.

On a personal note, this is the last Security Alerts column I will be writing for O'Reilly. It has been a pleasure working with all of the wonderful people who have edited and produced the O'Reillynet website. If you are interested in a continuation of this column in some form elsewhere, send me an email at If there is enough interest I will continue doing a weekly or biweekly security report in some form.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Related Reading

Security and Usability
Designing Secure Systems that People Can Use
By Lorrie Faith Cranor, Simson Garfinkel
