Linux DevCenter    
 Published on Linux DevCenter (
 See this if you're having trouble printing code examples

Security Alerts

Problems in GProFTPD

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in GProFTPD, bsmtpd, Uim, phpMyAdmin, Vim, Cyrus IMAPd, the Kodak Color Management System on Solaris, Arkeia Network Backup, curl, and PuTTY.


GProFTPD is a administration utility based on GTK+ for the ProFTPD FTP Daemon. Problems in the gprostats log-parsing tool distributed with GProFTPD can be exploited, under some conditions, by a remote attacker using a format-string-based attack and could result in arbitrary code being executed on the victim's machine.

It is recommended that users of GProFTPD upgrade to version 8.1.9.


bsmtpd, a batch emailer that works with sendmail and postfix, is reported to not properly sanitize email addresses parsed during mail delivery. An attacker could carefully create a list of email addresses that would exploit this problem and cause arbitrary commands to be executed as the user running bsmtpd.

Users of bsmtpd should watch their vendors for a repaired version.


The multilingual input method library Uim improperly trusts all environmental variables. If Uim is linked into a set user id application, an attacker can exploit this problem and execute arbitrary code with the permissions of the user account running the application. The only set user id application that is reported to be vulnerable is immodule for Qt-enabled QT applications. This problem affects all versions of Uim except and 0.4.6beta1.

It is recommended that all affected users of Uim upgrade to version or newer as soon as possible.


The web-based MySQL database administration tool phpMyAdmin contains file inclusion bugs that, if exploited, allow the attacker to load and view arbitrary files. phpMyAdmin is also vulnerable to cross-site scripting attacks. The file inclusion bugs are located in the files css/phpmyadmin.css.php and libraries/database_interface.lib.php. These problems affect version 2.6.1 of phpMyAdmin.

All users of phpMyAdmin should upgrade to version phpMyAdmin 2.6.1-pl3 or newer as soon as possible and should insure that phpMyAdmin is protected from unauthorized access using a .htaccess file or other security methods.

Vim (Vi Improved)

Vim is reported to be vulnerable, under some conditions, to a temporary-file, symbolic-link-based race condition that may be exploitable to overwrite arbitrary files on the system with the permissions of the victim running Vim. The vulnerabilities are located in the tcltags and scripts supplied with Vim.

Users should watch their vendors for an updated version of Vim. Packages that repair this vulnerability and the modlines vulnerability reported in January 2005 have been released for versions of Red Hat Linux and Ubuntu Linux.

Cyrus IMAPd

The Cyrus IMAPd daemon is vulnerable to several buffer overflows that may be exploitable (by a remote attacker who is authenticated as a user or an admin) and result in arbitrary code being executed with the permissions of the user running the IMAP daemon. The buffer overflows are in the code that handles the annotate extension, the mailbox, fetchnews, the back end, and imapd. The buffer overflow in fetchnews can only be exploited by a peer news admin.

The maintainers of Cyrus IMAPd have released version 2.2.11 to repair these buffer overflows.

Kodak Color Management System

The kcms_configure command that is distributed on Sun Solaris systems as part of the Kodak Color Management System is reported to be vulnerable to a temporary-file, symbolic link race condition. This race condition can be exploited by a local attacker to overwrite arbitrary files on the system with logging information that the attacker can cause to be generated by kcms_configure by selecting an incorrect monitor profile argument. This problem affects Solaris 7,8, and 9, but not Solaris 10.

Sun has released patches to repair this problem for Solaris 7, 8, and 9 for both the SPARC and x86 platforms. If the Kodak Color Management System is not being used, other options are to remove it or to remove the set user id root bit from /usr/openwin/bin/kcms_configure.

Arkeia Network Backup

A new version of Arkeia Network Backup has been released to repair a buffer overflow that could be exploited by a remote attacker to gain root-level access to the server. Multiple scripts that automate the exploitation of this buffer overflow have been released to the public.

Arkeia strongly advises that anyone who uses Arkeia Network Backup on an untrusted network should upgrade to version 5.3.5 as soon as possible and should carefully read the Arkeia user manual's "Appendix B: System Security."


The command line tool curl is used to transfer files using Internet protocols such as HTTP, HTTPS, FTP, FTPS, Gopher, DICT, and LDAP. It also supports many methods of authenticating to remote servers. When curl is used with NT LAN Manager (NTLM) authentication, it is vulnerable to a buffer overflow. The attacker must control a remote server that the user connects to using NTLM before the buffer overflow can be exploited.

It is recommended that all users of curl and libcurl upgrade to version 7.13.1 or newer or watch their vendors for an updated package.


PuTTY, a free version of telnet and SSH for Windows and Unix machines, is reported to contain buffer overflows in the PSCP and PSFTP clients that, under some circumstances, can be exploited by a remote attacker when the victim connects to a SFTP server under the attacker's control. Successful exploitation of these buffer overflows could result in arbitrary code being executed on the victim's machine.

All users of PuTTY should upgrade to version 0.57 or newer as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to

Copyright © 2009 O'Reilly Media, Inc.