oreilly.comSafari Books Online.Conferences.


Security Alerts

Linux Buffer Overflows and an old SSH Daemon


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a Linux Kernel problem that can be used to bypass quotas; buffer overflows in Solaris's ufsrestore and Oracle Trace Collection; and problems in SSH, RWhoisd, Red Hat's printing system, Linux's iptables, Red Hat Linux's mod_auth_pgsql, Java Runtime Environment, and the Oracle binary.

Bypassing Linux Quotas

It has been reported that a bug in the Linux kernel can be exploited using almost any set user id binary to create files that exceed a user's quota limits. This bug is caused by the process having CAP_SYS_RESOURCE capability enabled during the write to the file.

Affected users should watch for a kernel patch that repairs this bug.


Under some conditions, systems that were upgraded from SSH version 1 to SSH version 2 will still have a sshd1 daemon installed. This sshd1 daemon can still be executed when an incoming old SSH version 1 client connects. If this sshd1 binary was vulnerable to an exploit, the system will still be vulnerable. It has been reported that this problem is being actively scanned for and exploited.

Systems that have the sshd1 daemon but do not use SSH version 1 should disable the daemon. If SSH version 1 is still in use, it is recommended that it be upgraded to 1.2.32 or replaced with OpenSSH as's SSH version 1 is no longer being maintained.


There is a format string vulnerability in RWhoisd that can be exploited to execute arbitrary code with the permissions of the user running RWhoisd. Under some circumstances, the permissions of the user running RWhoisd can be leveraged into root access.

ARIN Engineering has released a patch for RWhoisd and recommends that users apply it as soon as possible.

Red Hat Printing System

Under Red Hat Linux, the postscript interpreter Ghostscript can be used to read arbitrary files on the system with the permissions of the printer daemon. The problem exists even when the -dSAFER flag is used. This problem affects Red Hat Linux versions 5.2, 6.2, 6.2J, 7.0, 7.0J, and 7.1.

Red Hat recommends that users apply the appropriate update for their system. On systems that do not use the printing subsystem, users should consider disabling it.

Solaris ufsrestore

Sun has reported that the Solaris ufsrestore utility has a buffer overflow in the pathname parameter of the extract command that can be exploited to gain root permissions. Sun has reported that Solaris versions 2.5, 2.5.1, 2.6, 7, and some versions of 8 are vulnerable, but that Solaris 8 04/01, Solaris 8 Maintenance Update 4, and later releases are not vulnerable.

Sun recommends that affected users apply the appropriate patch as soon as possible. The set user id bit should be removed from ufsrestore until it has been patched.

Linux iptables

The MAC iptables module allows firewall rules to be configured using a machine's ethernet hardware address in filter rules. A flaw in the MAC module fails to correctly match packets that are very small. This can be used by a malicious user to bypass firewall rules and, in some cases, may be used to bypass an application being restricted to specified MAC addresses.

Affected users can upgrade to the latest version of iptables and configure additional rules to match the small packets using the "length" module.

Red Hat Linux mod_auth_pgsql

The mod_auth_pgsql package that shipped with Red Hat Linux 7.2 has a vulnerability that can be used by an attacker to execute arbitrary SQL commands, and there is a bug in the MDF password code that can prevent valid passwords from being authenticated.

Red Hat has released a new mod_auth_pgsql package that fixes both problems and recommends that users upgrade.

Java Runtime Environment

Under some conditions, there is a flaw in the Java Runtime Environment that can be used by an untrusted applet to access the system clipboard. Sun has reported that Netscape 6 is vulnerable if Java Runtime Environment versions 1.3.0_02 or 1.3.0_01 are used. They have also reported that the following are vulnerable: Windows DSK and JRE versions 1.3.0_02 and earlier, 1.2.2_007 and earlier, 1.2.1, and 1.2; Solaris Reference releases SDK and JRE versions 1.2.2_007 and earlier, 1.2.1, and 1.2; Solaris Production releases 1.3.0_02 and earlier, 1.2.2._07 and earlier, 1.2.1, and 1.2; and Linux Production Releases 1.3.0_02 and earlier and 1.2.2_007 and earlier.

Sun recommends that users upgrade to version 1.3.1 of the Java 2 SDK.


The Oracle binary has a vulnerability that can be exploited by a local attacker to overwrite arbitrary files on the system with a trace file. This problem affects all Oracle database server releases on Unix platforms.

Oracle recommends that users make the Oracle binary only executable by the Oracle user and dba group. If this is done, remote users will be required to use the IPC driver that connects to the TNS listener. This listener must be started by a user that can execute the Oracle binary. Oracle plans to fix this vulnerability only in Oracle9i release 2.

Solaris Xlock

It has been announced that the patch for Xlock under Solaris 2.6 has been released by Sun.

Oracle Trace Collection

The Oracle utilities otrccol, otrccref, otrcfmt, and otrcrep contain a buffer overflow in the code that handles the ORACLE_HOME environmental variable. These buffer overflows can be exploited to execute arbitrary code with the permissions of the Oracle user and the dba group.

Oracle recommends that the set user id bits be removed from the otrccol, otrccref, otrcfmt, and otrcrep utilities and that the Oracle Trace be disabled by setting its control parameter in init<SID>.ora (oracle_trace_enable=FALSE). Oracle is only planning to fix these buffer overflows in Oracle9i, Release 2.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: