Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in the Linux
dchp3, the Blade encoder, WebSphere Advanced Server,
chpass, Red Hat Linux 8.0's
w3m, Window Maker, and HPUX's
- Linux Kernel Problems
- Kerberos Vulnerabilities
- DHCP 3 Server Packet Storm
- Blade Encoder
- WebSphere Advanced Server
- OpenBSD chpass, chfn, and chsh
- Red Hat Linux 8.0's kernel-utils Package
- Window Maker
- HPUX wall
Linux Kernel Problems
The 2.4.10 through 2.4.18 Linux kernels have a problem with the
O_DIRECT feature that can be exploited, under some conditions, by a
local attacker to corrupt a file system and read data from deleted
files. In addition, several Ethernet drivers have a vulnerability that
can be exploited to read pieces of kernel memory and data from
It is recommended that affected users upgrade to the 2.4.19 Linux kernel and watch their vendor for updated Ethernet drivers. Updated packages have been released for Mandrake Linux and Red Hat Linux.
Kerberos is a network authentication protocol. Several vulnerabilities have been reported in MIT Kerberos. They include a problem in the FTP client, a denial of service caused by a null pointer, a vulnerability that can allow a user, under some conditions (inter-realm authentication is enabled and other server's principal names are in critical ACLs), to impersonate another user, a bounds checking problem that can be exploited in a denial-of-service attack, and a format string vulnerability.
The Kerberos FTP client contains a vulnerability that can be exploited
by a malicious FTP server to execute arbitrary commands on a client's
machine or to write to arbitrary files on the user's system. This
vulnerability occurs when the FTP server sends a file name to the
client that begins with the pipe ("|") character. This will cause the FTP
client to pass the filename to a
MIT recommends that users upgrade to MIT Kerberos 1.2.7 or newer as soon as possible.
DHCP 3 Server Packet Storm
dhcrelay component of the
dhcp3 server can be manipulated by a
remote attacker into creating a large number of
BOOTP request packets
to other DHCP servers, potentially causing a denial-of-service
condition or degrading network performance.
Affected users should watch their vendor for repaired
Debian has released new packages that repair this problem.
The Blade MP3 encoder
bladeenc has a vulnerability that can be used to
execute arbitrary code on a user's machine when
bladeenc is used to
encode a carefully-crafted .wav file.
Users should watch their vendor for a repaired version of
WebSphere Advanced Server
The WebSphere XML configuration export file contains password information that can be trivially decoded and used to access keying material and data sources. The passwords are obfuscated with a simple algorithm and Base64Encoded. WebServer Advanced Server 4.0.4 is reported to be affected by this problem.
The export file should be created in a directory that can only be accessed by authorized users, and users should remove unneeded export files.
Under some conditions, a remote user can cause SpamAssasin to execute
arbitrary code by sending a specially-crafted email message.
SpamAssasin versions 2.40 through 2.43 are affected when the
utility is configured to use
BSMTP mode (i.e., using the
Affected users should watch their vendor for an update, and should
consider disabling SpamAssasin until it has been repaired or
configuring it to not use
BSMTP mode. Gentoo Linux has released an
updated package that repairs this vulnerability.
The OpenBSD set user id root utility
chsh are hard-linked to
chpass) can be manipulated, under some circumstances, by a
local attacker to view part of the contents of any file.
The circumstances required to usefully exploit this problem make it unlikely that an attacker would gain any benefit from doing so. This problem has been fixed in OpenBSD-current and a patch has been made available.
Red Hat Linux 8.0's
kernel-utils package that is distributed with Red Hat Linux 8.0
contains the utility
uml_net that is incorrectly set user id root and
as a consequence, can be abused by normal users to gain control of
uml_net is part of user mode Linux (UML).
Users should remove the set user id bit from
uml_net with the command
chmod -s /usr/bin/uml_net or should upgrade the
to a version in which
uml_net is not installed set user id root.
w3m, a pager- and text-based web browser, can be manipulated by an
attacker to insert arbitrary HTML and scripts into frames and image
attributes. This vulnerability can be used by the attacker to gain
access to a victim's local file system and to steal cookie information.
It is recommended that users upgrade to
w3m version 0.3.2.1 or newer
as soon as possible, or upgrade to repaired packages from their vendor.
The X Window window manager Window Maker is designed to look and feel similar to the NeXTSTEP graphical user interface. There is a buffer overflow in all versions of Window Maker through version 0.80.0 that can be exploited to execute arbitrary code with the permissions of the user running Window Maker. The buffer overflow is in code that handles the opening of an image file. One possible attack is to place a carefully-crafted image inside of a desktop theme package.
Users should watch for an updated package from their vendor. A repaired package has been released for Red Hat Linux.
wall command distributed with HPUX 11.11 is reported to be
vulnerable to a buffer overflow that may be exploitable to execute
arbitrary code with the permissions of the
Users should watch HP for an patch that repairs this problem.
Read more Security Alerts columns.
Return to the Linux DevCenter.