Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our specialty !
 

TCP Vulnerability

 
digital8
Second Lieutenant


Joined: 29 Sep 2005
Posts: 1002

Posted: Sat Oct 08, 2005 11:42 am    Post subject: TCP Vulnerability

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the TCP protocol, Midnight Commander (mc), proftpd, OpenOffice, libpng, rsync, LHA, Utempter, X-Chat, and sysklogd.


TCP
Midnight Commander
proftpd
OpenOffice
libpng
rsync
LHA
Utempter
X-Chat
sysklogd

TCP Protocol Vulnerability
Weaknesses have been found in the TCP protocol specification. RST or SYN packets from an attacker can (under some conditions) drop a TCP session; and an attacker can, in some cases, inject data into a TCP session.

Users should contact their vendors for details on how to mitigate or prevent these TCP protocol vulnerabilities.

Midnight Commander (mc)
Midnight Commander is reported to be vulnerable to multiple buffer overflows, multiple temporary-file, symbolic link race conditions, and a format string vulnerability.

Users should watch their vendors for a repaired version of Midnight Commander and should consider disabling Midnight Commander until it has been updated. Repaired packages have been released for Red Hat Linux 9; Debian GNU/Linux; and Mandrake Linux 10.0, 9.1, 9.2, and Corporate Server 2.1.

proftpd
Version 1.2.9 of the FTP daemon proftpd has a bug in the code that handles the Allow and Deny directives that can, under some conditions, allow clients to access files or directories to which access should have been denied.

Affected users should downgrade or upgrade to a version of proftpd earlier or later than version 1.2.9, or watch their vendors for a repaired version. Repaired packages have been released for Mandrake Linux 10; Trustix Secure Linux 2.0 and 2.1, and Trustix Secure Enterprise Linux 2; and OpenPKG CURRENT and OpenPKG 2.0.

OpenOffice
OpenOffice has been reported to be vulnerable due to format-string bugs in the neon WebDAV client library that can, under some conditions, be exploited by a remote attacker to execute arbitrary code on the client with the permissions of the user running OpenOffice.

Users of OpenOffice should upgrade to a version that has been linked against the neon library with a version of 0.24.5 or newer. Red Hat has released a repaired package of OpenOffice for Red Hat Linux 9.

libpng
The libpng library contains functions used to create and manipulate PNG (Portable Network Graphics) image files. A carefully crafted PNG file can be created that will crash any application linked against libpng, due to a bug in a function that deals with error messages. This bug is not thought to be exploitable by an attacker to execute code, but under some conditions it can be used in a denial-of-service attack.

Users should watch their vendors for an updated package that repairs this bug. Packages have been released for Red Hat Linux 9; Debian GNU/Linux; Mandrake Linux 10.0, 9.1, 9.2, Corporate Server 2.1, and Multi Network Firewall 8.2; OpenPKG CURRENT, 2.0, and 1.3; and Trustix Secure Linux 2.0 and 2.1, and Trustix Secure Enterprise Linux 2.

Utempter
The Utempter utility is used by unprivileged applications to update the utmp and wtmp log files. A directory traversal bug has been discovered in Utempter that can be used by a local attacker to overwrite arbitrary files using a symbolic-link-based attack. As Utempter runs with root permissions, the files will be overwritten as if the attacker were root.

Any system with Utempter installed needs to have Utempter upgraded as soon as possible, to libutempter-1.1.1 or newer. Repaired versions of Utempter have been released for Slackware Linux 9.1 and Red Hat Linux 9.

rsync
rsync, a faster and more flexible replacement for rcp that provides incremental file transfers, is reported to be vulnerable to an attack that, under some conditions, can be used by an attacker to write files outside of the expected path.

All users of rsync should upgrade to version 2.6.1 or newer as soon as possible. Packages containing a repaired and updated version of rsync have been released for Trustix Secure Linux 1.5, 2.0, and 2.1, and Trustix Secure Enterprise Linux 2.

LHA
LHA is a compression and archive-creation tool that uses the LHarc format. Buffer overflows and a directory traversal bug have been found in LHA that can potentially be used by a remote attacker to execute arbitrary code or write arbitrary files with the permissions of the user who opens a carefully crafted LHarc-format archive.

In most cases, users should not open any LHarc-formatted archives until they have upgraded LHA to a safe version.

X-Chat
X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window System and can use the GTK+ toolkit or Gnome. A buffer overflow has been found in the X-Chat code that handles Socks-5 proxies. If a user connects to a proxy server controlled by an attacker, the attacker can exploit X-Chat to execute arbitrary code with the permissions of the user. The buffer overflow affects X-Chat versions 1.8.0 through 2.0.8 if the user connects through a Socks-5 proxy server.

It is recommended that affected users should stop using untrusted Socks-5 proxy servers until they have either applied a patch available from XChat.org or upgraded X-Chat. Red Hat has released a repaired package for Red Hat Linux 9.

sysklogd
The sysklogd logging daemon contains a bug that can be used by an attacker to crash the daemon. This has only been reported as a denial-of-service type of attack, and it is not known if this vulnerability can be exploited to execute arbitrary code. The sysklogd package contains the syslogd and klogd daemons. The syslogd daemon is an improved version of the Berkeley syslogd daemon, and the klogd daemon handles kernel messages.

Every user of the sysklogd package should upgrade to a repaired version as soon as possible. Mandrake Linux has released a repaired version of the sysklogd package.
All times are GMT