CDE Trouble

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in CDE's dtlogin, Oracle, SquirrelMail, SoX, phpMyAdmin, wvWare, Openftpd, CVSTrac, PostgreSQL's ODBC driver, PuTTY, and Citadel/UX.

Common Desktop Environment (CDE) dtlogin

The dtlogin application distributed with CDE may, under some conditions, be vulnerable to a remote attack using XDMCP packets that may result in a denial-of-service condition or in the execution of arbitrary code with root permissions.

Users should watch their vendors for a repair for this vulnerability and should consider disabling XDMCP.


Oracle

A reported vulnerability in the default permissions of Oracle may be exploitable by a local user who has access to the default Oracle account (in many cases, a user named oracle) to execute arbitrary code with the permissions of the root account. It has been reported that the default Oracle user owns the directory where Oracle's shared libraries are located. By replacing a shared library with a customized version, the attacker may cause arbitrary code to be executed when a set user id root binary, such as dbsnmp or nmo, is executed.

Affected users should contact Oracle for patches or recommended workarounds for this problem.
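The ownership problem described above can be audited directly. The following is an added example, not code from this column or from Oracle: it reports a library directory, or any entry in it, that an account outside a trusted set owns or can write, and lists the setuid binaries that make such a directory matter. The function names and the `trusted_uids` parameter are assumptions, and parent directories are not checked.

```python
import os
import stat
import sys
import tempfile

def modifiable_by_untrusted(path, trusted_uids):
    """Reasons an account outside trusted_uids could alter `path`."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owner uid {st.st_uid} is not trusted")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_library_dir(lib_dir, trusted_uids=frozenset({0})):
    """Map each risky path (the directory first, then its entries) to reasons.

    Whoever owns or can write the directory can replace any library in it,
    so the directory is reported even when every file in it is root-owned.
    """
    names = sorted(n for n in os.listdir(lib_dir)
                   if os.path.exists(os.path.join(lib_dir, n)))  # skip dangling links
    paths = [lib_dir] + [os.path.join(lib_dir, n) for n in names]
    return {p: r for p in paths if (r := modifiable_by_untrusted(p, trusted_uids))}

def setuid_binaries(bin_dir, owner_uid=0):
    """Regular files under bin_dir that are setuid and owned by owner_uid."""
    hits = []
    for root, _dirs, files in os.walk(bin_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # With no argument, audit a constructed temporary directory so the
    # script runs anywhere; pass the real library directory to audit it.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    for path, reasons in audit_library_dir(target).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Any path reported for the library directory of a product that ships setuid-root binaries is a candidate for the library replacement described above.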


SquirrelMail

SquirrelMail is a web-based email package written in PHP4 that supports IMAP and SMTP protocols; has good support for MIME messages, address books, and folder manipulation; and renders its output in HTML 4 with no JavaScript support required. Versions 1.4.3 and earlier of SquirrelMail contain multiple cross-site scripting vulnerabilities, a SQL injection vulnerability, and a memory-exhaustion bug.

Users of SquirrelMail should upgrade to version 1.4.3a or newer as soon as possible.


SoX

The sound file conversion tool SoX is vulnerable to buffer overflows in the code that handles the header fields of .wav files. By carefully crafting a .wav file and convincing a user to process it using SoX, a remote attacker may be able to execute arbitrary code with the victim's permissions. It is reported that some versions (such as 12.17.4, 12.17.3, and 12.17.2) are vulnerable, and that others (such as 12.17.1, 12.17, and 12.16) are not.

Affected users should watch their vendors for a repaired version of SoX and exercise care when processing .wav files. The last listed release of SoX on its SourceForge page was March 23, 2003. Updated packages containing SoX have been announced by Conectiva, Red Hat, Gentoo, and Mandrake.


phpMyAdmin

A vulnerability in phpMyAdmin may, under some conditions, be exploited by a remote attacker to cause phpMyAdmin to execute arbitrary PHP code with the permissions of the user account under which the web server is running. The attacker must be able to authenticate to phpMyAdmin and $cfg['LeftFrameLight'] in must be set to FALSE before the attacker can exploit this vulnerability.

All affected users of phpMyAdmin should upgrade to version 2.5.7-pl1 as soon as possible.


wvWare

wvWare is a library used to load and parse Microsoft Word files under Unix. A buffer overflow has been found in code that handles the wvHandleDateTimePicture function in a document. If a victim opens a document that has been prepared by the attacker to exploit the buffer overflow, arbitrary code may be executed with the victim's permissions.

It is recommended that users upgrade their wvWare libraries as soon as possible. Updated packages have been released by Gentoo and Mandrake.


Openftpd

Openftpd, an open source FTP server for Unix, is reported to have a format-string vulnerability that, under some circumstances, may result in remote shell access with the permissions of the user logged into Openftpd. This vulnerability is reported to affect Openftpd version 0.30.2 and earlier. A script to help in the exploitation of this vulnerability has been released to the public.

Users should upgrade to the latest CVS version or watch for an updated release.

PostgreSQL ODBC Driver

The PostgreSQL database server has a buffer overflow in its ODBC driver. Under some conditions, this buffer overflow can be used in a denial-of-service attack. It is not known if exploiting the buffer overflow can result in the execution of arbitrary code.

Repaired packages have been released by Mandrake and Debian. Users of other systems should watch their vendors for an update.


CVSTrac

CVSTrac is a CVS-repository web browsing tool. An unspecified vulnerability was announced that, according to the report, can be used by a remote attacker to execute arbitrary code on the server with the permissions of the user running the web server.

It is recommended that users upgrade to version 1.1.4 of CVSTrac or watch their vendors for a repaired version. The OpenPKG Project has released a repaired CVSTrac package.


PuTTY

PuTTY, a free version of telnet and SSH for Windows and Unix machines, is reported to be vulnerable to a remote attack while PuTTY is authenticating to a host. Exploiting this vulnerability will allow the attacker to execute code on the victim's machine. PuTTY 0.54 and earlier versions are reported to be vulnerable.

The authors of PuTTY recommend that users upgrade to PuTTY version 0.55 as soon as possible.


Citadel/UX

Citadel/UX is a client/server groupware application that supports users connecting using telnet, web, or client software. Citadel/UX is vulnerable to a denial-of-service attack. A script to automate the denial-of-service attack has been released to the public.

The Citadel developers have placed a patch in CVS to repair this problem. In addition, this problem will be fixed in the next release of Citadel/UX.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2017 O'Reilly Media, Inc.