oreilly.comSafari Books Online.Conferences.


Security Alerts Problems Aplenty

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in XFree86, Stunnel, Exim, wu-ftpd, pam_smb, gdm2, pam_ldap, whois, the atari800 emulator, Horde, MPlayer, and Node.


XFree86 4.3.0 is reported to be vulnerable to several bugs in the font libraries that could, under some conditions, be exploitable to gain root permissions.

The current CVS version of XFree86 is reported to be repaired. Users should verify that their installations of xfs and Xserver do not have untrusted servers in their font search path.


It has been reported that Stunnel is vulnerable to an attack caused by a leaked file descriptor that can be exploited to hijack Stunnel. Once Stunnel has been hijacked, the attacker can record information sent by other users by pretending to be the services to which the user is attempting to connect. They could also redirect the user's connection to other machines. A program to automate the exploitation of this vulnerability has been released to the public.

It is highly recommended that users of Stunnel upgrade to version 3.26 or 4.04 as soon as possible. Upgrading will also repair a denial-of-service-attack vulnerability in Stunnel.

Related Reading

Linux Security Cookbook
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes


Exim, a mail transfer agent developed by the University of Cambridge, is reported to be vulnerable to a buffer overflow in the code that handles the HELO or EHLO portion of the SMTP dialog that may, under some conditions, be exploitable by a remote attacker.

Patches have been released, and users are encouraged to upgrade as soon as possible. Debian has released repaired Exim packages, and users should note that Exim is the default MTA in Debian.


The wu-ftpd FTP server is reported to be vulnerable to an attack that uses a wu-ftpd feature that creates a archive file for the user to download. When this feature is used, the file names are passed directly to tar as command-line arguments. An attacker can carefully create file names that will be interpreted as command-line arguments when tar is executed. This would result in arbitrary commands being executed with the permissions of the user ID under which wu-ftpd is running.


The PAM module pam_smb provides a Linux user the ability to log in by checking his or her password with an NT server. pam_smb has a buffer overflow that can be exploited, with a long password string, by a remote attacker to gain access to the server.

Affected users should watch their vendors for an updated package that repairs this problem. SuSE and Debian are reported to have released a repaired pam_smb package.


gdm2 is the GNOME 2 version of the xdm display manager. gdm2 is reported to be vulnerable to a symbolic-link race condition attack that can be used to read any file on the system by linking to it from the ~/.xsession-errors file.

Users should watch for a repaired version of gdm2 to be released.


Systems that use pam_filter for host-access restrictions in conjunction with pam_ldap can, under some conditions, allow users from any host to log in to their accounts.

This bug is reported to have been repaired in pam_ldap 162. Affected users (those using ldap for authentication along with host restrictions) should upgrade to a repaired package from their vendors as soon as possible.


The whois tool distributed with SuSE Linux, and perhaps other Unixes, is vulnerable to several buffer overflows in the code that handles its command-line arguments. This problem is not generally exploitable, but would be a problem in any configuration that allows remote users to execute whois with arbitrary command-line arguments. For example, when whois is run inside of a CGI script, a remote attacker could use it to execute arbitrary commands on the system.

It is recommended that affected users watch their vendors for updated packages, and consider disabling any CGI script or other method that would allow an untrusted remote user to execute whois with arbitrary command-line arguments.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble


The emulator atari800 is vulnerable to a buffer overflow that, if the emulator is installed with a set user id root bit, can be used by a local attacker to gain root permissions.

Affected users should remove the set user id bit from the atari800 emulator until it has been repaired.


A flaw in the web-based Horde email client can be exploited to hijack user sessions and gain control over the user's mail for a period of up to 20 minutes per successful attack. If the attacker can get a Horde user to connect to a remote web site from a link in an email message or a cross-site-scripting-style attack, the attacker can record the referring page information and hijack the users email account. The attacker will have access to the email account for the remaining length of the user's session, which is reported to be up to 20 minutes.

It is recommended that users upgrade to horde-2.2.4_rc2 or newer as soon as possible.


MPlayer is a movie player for Linux and other Unixes that supports MPEG, VOB, AVI, OGG/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, and more. MPlayer is vulnerable to a buffer overflow that may, under some circumstances, be used to execute arbitrary code. Versions v0.91 and earlier of MPlayer are reported to be vulnerable.

Users should upgrade to the latest version of MPlayer and should ensure that it is not installed with set user or group id bits.


Node, an Amateur Packet Radio program, is vulnerable to a buffer overflow that can be exploited by a remote attacker to execute arbitrary code with root permissions.

Affected users should watch for a repaired version.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: