Linux vendors have been hit by two fresh security bugs, affecting a widely used graphics decoder and the Gaim instant-messaging client.
Separately, Red Hat Inc., the biggest Linux developer, said attackers have begun targeting Red Hat users with an email-based scam similar to methods commonly used to target Windows.
The flaws in Gaim and libtiff, used by many Linux graphics programs to decode TIFF images, follow a series of serious bugs patched last week. The earlier flaws affected Linux’s libpng, Xpdf and Cups components.
Researcher Chris Evans uncovered a series of boundary errors in the RLE-decoding components of libtiff that could be exploited to cause heap-based buffer overflows. An attacker could exploit these flaws by tricking a user into viewing a maliciously crafted TIFF image with an application that uses libtiff, researchers said; such an image could crash the application and execute malicious code on the user’s computer.
Evans said the specific flaws he publicized are likely to be only the tip of the iceberg. “Unfortunately, due to the size of libtiff, only a limited scan for flaws was possible. These flaws are likely to typify others present,” he said in an advisory.
A second flaw in libtiff, a division-by-zero bug discovered by Matthias Claasen, could crash libtiff-linked applications. Finally, auditing by Dmitry Levin uncovered integer overflows which could also be used to execute arbitrary code on a user’s PC, according to an advisory from Danish security firm Secunia.
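The three libtiff bug classes above (boundary errors in run-length decoding, a division by zero, and integer overflows in size arithmetic) all come down to arithmetic on attacker-controlled image fields that is never checked against the buffers it drives. The following C code is an added illustration and is not libtiff's code or from any of the advisories; it shows the two checks a decoder needs: an overflow-checked raster size computation that also rejects zero dimensions, and a bounds-checked decoder for PackBits, the run-length scheme TIFF uses as compression type 32773. The sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overflow-checked raster buffer size: width * height * bytes_per_pixel.
 * Returns 0 and stores the size in *out, or -1 if any dimension is zero
 * (which would otherwise feed a later division) or the product would not
 * fit in a size_t, so no undersized heap buffer is ever allocated. */
int raster_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    uint64_t pixels = (uint64_t)width * height;      /* cannot overflow 64 bits */
    if (pixels > SIZE_MAX || pixels > SIZE_MAX / bytes_per_pixel)
        return -1;                                   /* final multiply would wrap */
    *out = (size_t)pixels * bytes_per_pixel;
    return 0;
}

/* Bounds-checked PackBits decoder (TIFF compression 32773).
 * Header byte n: 0..127 copies the next n+1 bytes literally, -127..-1
 * repeats the next byte 1-n times, -128 is a no-op. Every literal and run
 * is checked against both the remaining input and the remaining output
 * before any byte is written. Returns bytes written, or -1 on malformed
 * input that would read or write out of bounds. */
long packbits_decode(const uint8_t *src, size_t src_len,
                     uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        int hdr = src[in] > 127 ? (int)src[in] - 256 : (int)src[in];
        in++;
        if (hdr == -128)
            continue;                                /* no-op per spec */
        if (hdr >= 0) {
            size_t n = (size_t)hdr + 1;              /* literal run */
            if (n > src_len - in || n > dst_len - out)
                return -1;
            memcpy(dst + out, src + in, n);
            in += n;
            out += n;
        } else {
            size_t n = (size_t)(1 - hdr);            /* replicate run, 2..128 */
            if (in >= src_len || n > dst_len - out)
                return -1;
            memset(dst + out, src[in], n);
            in += 1;
            out += n;
        }
    }
    return (long)out;
}

int main(void)
{
    size_t sz;
    printf("640x480x3 -> %s\n", raster_size(640, 480, 3, &sz) == 0 ? "ok" : "rejected");
    printf("0xFFFFFFFF^2 x4 -> %s\n",
           raster_size(0xFFFFFFFFu, 0xFFFFFFFFu, 4, &sz) == 0 ? "ok" : "rejected");

    /* Constructed sample: literal "abc" then 0xFE (-2) repeating 'x' 3 times. */
    const uint8_t good[] = {0x02, 'a', 'b', 'c', 0xFE, 'x'};
    /* Constructed sample: header promises 6 literal bytes, only 1 follows. */
    const uint8_t truncated[] = {0x05, 'a'};
    /* Constructed sample: 0x81 (-127) asks for 128 output bytes. */
    const uint8_t overlong[] = {0x81, 'z'};
    uint8_t buf[16];

    printf("good -> %ld bytes\n", packbits_decode(good, sizeof good, buf, sizeof buf));
    printf("truncated -> %ld\n", packbits_decode(truncated, sizeof truncated, buf, sizeof buf));
    printf("overlong into 16-byte buffer -> %ld\n",
           packbits_decode(overlong, sizeof overlong, buf, sizeof buf));
    return 0;
}
```

The decoder checks `n > dst_len - out` rather than `out + n > dst_len` so the comparison itself can never wrap, and the size computation promotes to 64 bits before multiplying rather than testing the product after the fact, which is the pattern that turns an integer-overflow or boundary-error report into a clean parse failure instead of a heap overflow.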
Novell Inc.’s Suse Linux AG and Red Hat issued advisories on the libtiff flaw late last week, along with patches for the component.
The bug in Gaim, also publicized last week, can be exploited by sending a specially crafted message using the MSN SLP protocol. A boundary error within the handling of such messages can be exploited to cause a buffer overflow, crash the application and execute arbitrary code, Secunia said.
MandrakeSoft SA said bugs affecting version 0.75 of Gaim, which ships with Mandrake Linux 10.0, included the way the application handles smiley themes and very long URLs. Both bugs could allow malicious code execution, MandrakeSoft said. MandrakeSoft, Gentoo, Red Hat, Slackware and others are issuing patches for Gaim.
The Gaim client is widely used on Linux systems as a replacement for third-party instant messaging clients such as those from Yahoo Inc., America Online Inc. and Microsoft Corp.
Red Hat said on Saturday that users have been targeted by an authentic-looking security notification message which attempts to trick users into downloading and executing malicious code.
“These emails tell users to download and run an update from a user’s home directory. This fake update appears to contain malicious code,” Red Hat said in a warning posted on the front page of its security site. The company urged users to ensure that any security updates appearing to come from Red Hat are genuine by validating the messages’ digital signature.
The message was made more authentic-looking by the use of a seemingly official website, fedora-redhat.com — which was unavailable as of Monday morning. Before the site disappeared, it contained a message urging users to apply a “critical-critical” update.
“Red Hat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges,” the site said. “The Red Hat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update.”
Windows users are frequently bombarded by authentic-seeming malicious messages appearing to come from Microsoft, but the technique is a novelty for Linux. Until recently, Linux was rarely used as a desktop platform, but has now gained some ground and, by some counts, is more widely used on the desktop than the Mac OS.