Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

KWord Trouble

by Noel Davis
10/20/2005

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in KWord, SPE under Gentoo, wget, BrightStor, eTrust, Unicenter, OpenSSL, XMail, uw-imap, weex, tcpdump, graphviz, up-imapproxy, xloadimage and xli, and Ruby.

KWord

The word processor KWord, distributed with KDE's Koffice suite, is vulnerable to a buffer-overflow-based attack when the victim opens a carefully crafted RTF file. Opening this RTF-formatted file would cause arbitrary code to be executed with the permissions of the victim.

All users of KWord should avoid opening RTF-formatted files from untrusted sources until they have updated KWord. Packages have been released for Mandriva Linux 10.2 and 2006.0, Ubuntu 5.04, and Gentoo Linux.

SPE under Gentoo

SPE, a multi-platform integrated development environment for Python, was accidentally configured under Gentoo Linux with all of its files world-writable. With the file permissions set to world-writable, a local attacker can replace SPE's binary files with new executables. When the victim starts SPE, these new executable files would execute arbitrary code with the victim's permissions.

Affected users should upgrade as soon as possible to a repaired SPE package. Repaired packages have been released for Mandriva Linux and Ubuntu 4.10, 5.04, and 5.10.
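A packaging mistake like the one described above is easy to detect on an installed system: walk the package's install tree and report anything whose mode grants write permission to "other". The checker below is an added example (not part of the column or of SPE) that builds a constructed sample tree with one correctly packaged and one mis-packaged file, then lists the offenders; `build_sample_tree` and the file names it uses are invented for the demonstration.

```python
import os
import stat
import tempfile

def world_writable_files(root):
    """Return paths under root (relative to root) whose mode grants write
    permission to 'other'. Symlinks are examined with lstat and skipped, so
    a link pointing outside the tree is never reported in its target's place."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_sample_tree():
    """Constructed sample install tree (hypothetical layout): a correctly
    packaged script (0755) next to one installed world-writable (0777),
    mirroring the mis-packaged SPE files described in the column."""
    root = tempfile.mkdtemp(prefix="spe-check-")
    good = os.path.join(root, "spe.py")
    bad = os.path.join(root, "plugins", "helper.py")
    os.makedirs(os.path.dirname(bad))
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
    os.chmod(os.path.dirname(bad), 0o755)
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)  # the packaging bug: anyone can replace this file
    return root

if __name__ == "__main__":
    for rel in world_writable_files(build_sample_tree()):
        print("world-writable:", rel)
```

Against a real install, point `world_writable_files` at the package's prefix (for example the directory `equery files` or `dpkg -L` reports); a directory with the sticky bit set, such as `/tmp`, is legitimately world-writable and would need to be excluded separately.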

wget

wget is a command-line utility used to retrieve files using the HTTP, HTTPS, and FTP protocols. Some versions of wget are reported to be vulnerable to a buffer overflow when connecting to a remote server using NTLM authentication. This vulnerability is reported to affect some versions of wget earlier than version 1.10.2.

Affected users should watch their vendors for a repaired version of wget or upgrade to version 1.10.2.

BrightStor, eTrust, and Unicenter

The Computer Associates iGateway component is distributed with multiple product lines, including BrightStor, eTrust, and Unicenter. If the iGateway component is configured in diagnostic tracing mode, it is vulnerable to a buffer overflow that may result in a denial of service or the execution of arbitrary code. Versions of iGateway earlier than version 4.0.050615 are reported to be vulnerable.

All users of affected CA products should ensure that the iGateway component is not running in diagnostic debug tracing mode by setting the "<Debug>" parameter to false in the igateway.conf file. It is recommended that users then upgrade to version 4.0.050615 or newer.

OpenSSL

Under some conditions, OpenSSL may be vulnerable to a man-in-the-middle attack that causes the client and the server to fall back to the insecure SSL 2.0 protocol. SSL 2.0 is known to have cryptographic weaknesses that may be exploitable to recover plain-text information from the encrypted data. The OpenSSL library implements the Secure Sockets Layer and Transport Layer Security protocols as well as general-purpose cryptography functions.

New OpenSSL packages have been released for Ubuntu Linux versions 4.10, 5.04, and 5.10. Users of other distributions should watch their vendors for an updated package.

XMail

XMail, an email server available for multiple Unix-based architectures and Microsoft Windows, is reported to contain a buffer overflow in code contained in the AddressFromAtPtr() function that may be exploited by a local attacker and may result in arbitrary code being executed with root permissions. The report specifies that the vulnerability was found in version 1.21 of XMail.

XMail should be upgraded to version 1.22 as soon as possible.

uw-imap

uw-imap is an IMAP mail server distributed by the University of Washington. A buffer overflow in the function mail_valid_net_parse_work() in uw-imap may be exploitable by a remote but authenticated attacker and could result in arbitrary code being executed with the authenticated attacker's permissions.

It is recommended that all users of uw-imap upgrade to version imap-2004g.

tcpdump

The network sniffer tcpdump is reported to be vulnerable to a denial-of-service attack due to a bug in the code tcpdump uses to handle RT_ROUTING_INFO information inside of a BGP packet. A remote attacker could cause tcpdump to go into a loop by sending a carefully constructed BGP packet.

Affected users should watch for a repaired version of tcpdump from their vendors.

weex

weex, a non-interactive FTP client, is reported to contain a format-string vulnerability that could be exploited to execute arbitrary code with the victim's permissions.

Affected users should watch their vendors for a repaired version of weex.

graphviz

graphviz, a set of open source graph visualization tools, is vulnerable to a temporary-file, symbolic-link race condition that may be abused to overwrite arbitrary files on the system with the victim's permissions.

Debian has released a repaired version of graphviz. Users of other distributions should watch their vendors for updated graphviz packages.
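The graphviz problem above is the classic temporary-file symlink race: a tool creates a predictably named file in a shared directory with a plain open, and if another local user has already planted a symlink under that name, the write lands on the link's target. The added example below (not code from the column or from graphviz) shows the unsafe pattern beside the hardened one, using a constructed scratch directory and invented file names (`victim.txt`, `tool.tmp`).

```python
import errno
import os
import tempfile

def unsafe_write(path, data):
    """Pattern behind temp-file symlink races: a predictable name opened with
    plain open(), which follows whatever symlink already sits at that path."""
    with open(path, "w") as fh:
        fh.write(data)

def safe_write(path, data):
    """Hardened form: create the file exclusively (O_EXCL) and refuse to
    follow a pre-existing symlink (O_NOFOLLOW). Returns False and writes
    nothing if the path already exists, instead of clobbering the target."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True

def demo():
    """Constructed scenario: in a shared scratch directory, 'tool.tmp' has
    been replaced by a symlink to a file the tool must never touch."""
    shared = tempfile.mkdtemp(prefix="race-demo-")
    victim = os.path.join(shared, "victim.txt")
    link = os.path.join(shared, "tool.tmp")
    with open(victim, "w") as fh:
        fh.write("original\n")
    os.symlink(victim, link)

    unsafe_write(link, "clobbered\n")          # follows the link: victim overwritten
    with open(victim) as fh:
        after_unsafe = fh.read()

    with open(victim, "w") as fh:              # restore, then try the safe variant
        fh.write("original\n")
    ok = safe_write(link, "clobbered\n")       # refuses: link already exists
    with open(victim) as fh:
        after_safe = fh.read()

    # Preferred fix: let mkstemp choose an unpredictable name, created with O_EXCL.
    fd, fresh = tempfile.mkstemp(dir=shared)
    os.close(fd)
    return after_unsafe, ok, after_safe, os.path.exists(fresh)
```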


up-imapproxy

up-imapproxy is a proxy server for the IMAP protocol. It is reported to contain two format-string vulnerabilities, each of which may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user account running up-imapproxy.

Users should watch for a repaired version. Debian has released a repaired package.

xloadimage and xli

Both the xloadimage and xli image utilities are vulnerable to buffer overflows that may be exploitable by a local attacker and result in arbitrary code being executed.

Affected users should watch their vendors for repaired versions.

Ruby

Ruby, an object-oriented scripting language, has a facility for executing untrusted code by either setting a taint flag on an object or running at a safe level. A vulnerability has been discovered that can be exploited by an attacker to bypass both the safe level and the taint flag.

All Ruby users should upgrade to version 1.8.3 or newer.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.