Linux Advisory Watch – August 27th 2004


Author: Preston St. Pierre

This week, advisories were
released for ruby, rsync, kdelibs, mysql, acroread, Tomcat, glibc, spamassassin,
qt3, ftpd, Netscape, the Linux kernel. The distributors include Debian, Fedora,
Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Trustix.

Using swatch for log analysis

With most services, when
anything slightly significant happens, a message about it is reported to syslogd.
The sooner the user is aware of the message, the sooner the user can take action
in regard to that message if it is needed. With 1000+ long log files, log checkers
are needed as time savers and to make sure an indication of trouble is not missed.

Swatch stands for Simple
WATCHer. Other log analysis software scans the logs periodically, they can tell
you what HAS happened. Swatch can do this, but it can also actively scan log
entries as syslogd gets them and tell you what IS happening. Not only this,
swatch can also take actions when it encounters certain log messages.


First, download the newest version of swatch. Then, run:

perl Makefile.PL
make test
make install
make realclean

After swatch is installed,
perl modules that are needed for use of swatch may also have to be downloaded.


Swatch uses regular expressions
to find lines of interest. Once swatch finds a line that matches a pattern,
it takes an action, such as printing it to the screen, emailing it, or taking
a user defined action.

watchfor /[dD]enied|/DEN.*ED/
echo bold
bell 3
exec "/etc/call_pager 5551234 08"

This is an example of a
section of a swatch configuration script. First, swatch looks for a line that
contains the word denied, Denied, or anything that starts with DEN and ends
with ED. Once it finds a line that contains one of the three search strings,
it echoes the line in bold into the terminal and makes the bell sound (^G) 3
times. Then, swatch emails the user that is running swatch (usually root) about
the line and executes the /etc/call_pager program with the given options. ignore
/sendmail/,/fax/,/unimportant stuff/ In this example, the search strings sendmail,
fax, and unimportant stuff are going to be ignored, even if they would normally
match one of the strings being looked for.


Using swatch is very simple.
For using swatch to check logs normally, run:

swatch --config-file=/home/chris/swatch.conf --examine=/var/log/messages

This is assuming that the
configuration file for swatch is located at /home/chris/swatch.conf and that
the file that is to be checked in called /var/log/messages. To use swatch as
a constantly running service that scans lines of a log file as they come in,

swatch --config-file=/home/chris/swatch.conf --tail-file=/var/log/messages


Security Tip Written
by Chris Parker (
Additional tips are available at the following URL:

Feature Extras:

Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

– Gary McGraw is perhaps best known for his groundbreaking work on securing software,
having co-authored the classic Building Secure Software (Addison-Wesley, 2002).
More recently, he has co-written with Greg Hoglund a companion volume, Exploiting
Software, which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his insights with
all of us at

Expert Dave Wreski Discusses Open Source Security
– Dave Wreski,
CEO of Guardian Digital, Inc. and respected author of various hardened security
and Linux publications, talks about how Guardian Digital is changing the face
of IT security today. Guardian Digital is perhaps best known for their hardened
Linux solution EnGarde Secure Linux, touted as the premier secure, open-source
platform for its comprehensive array of general purpose services, such as web,
FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

[ Linux
Advisory Watch
] – [ Linux
Security Week
] – [ PacketStorm
] – [ Linux Security

Linux Advisory Watch is
a comprehensive newsletter that outlines the security vulnerabilities that have
been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.[

Distribution: Debian
  8/20/2004 ruby
file permissions

This can lead an attacker who has also shell access to the webserver to
take over a session.

  8/20/2004 rsync
path sanitation

The rsync developers have discoverd a security related problem in rsync
which offers an attacker to access files outside of the defined directory.

  8/20/2004 kdelibs
temporary file vulnerability

This can be abused by a local attacker to create or truncate arbitrary files
or to prevent KDE applications from functioning correctly.

  8/20/2004 mysql
temporary file vulnerability

Jeroen van Wolffelaar discovered an insecure temporary file vulnerability
in the mysqlhotcopy script when using the scp method which is part of the
mysql-server package.

Distribution: Fedora:
  8/20/2004 rsync
path sanitization

This update backports a security fix to a path-sanitizing flaw that affects
rsync when it is used in daemon mode without also using chroot.

Distribution: Gentoo
  8/20/2004 acroread
overflow vulnerabilities

Acroread contains two errors in the handling of UUEncoded filenames that
may lead to execution of arbitrary code or programs.

  8/20/2004 Tomcat

Improper file ownership may allow a member of the tomcat group to execute
scripts as root.

  8/20/2004 glibc
leak vulnerability

glibc contains an information leak vulnerability allowing the debugging
of SUID binaries.

  8/20/2004 rsync
path sanitation

This vulnerability could allow the listing of arbitrary files and allow
file overwriting outside module’s path on rsync server configurations that
allow uploading.

  8/20/2004 xine-lib
Buffer overflow vulnerability
path sanitation

An attacker may construct a carefully-crafted playlist file which will cause
xine-lib to execute arbitrary code with the permissions of the user.

  8/20/2004 courier-imap
Format string vulnerability
path sanitation

An attacker may be able to execute arbitrary code as the user running courier-imapd
(oftentimes root).

Distribution: Mandrake
  8/20/2004 rsync
path sanitation

If rsync is running in daemon mode, and not in a chrooted environment, it
is possible for a remote attacker to trick rsyncd into creating an absolute
pathname while sanitizing it.

  8/20/2004 spamassassin
of service vulnerability

Security fix prevents a denial of service attack open to certain malformed

  8/20/2004 qt3
    Heap overflow

his vulnerability could allow for the compromise of the account used to
view or browse malicious graphic files.

Distribution: NetBSD
  8/20/2004 ftpd
escalation vulnerability

A set of flaws in the ftpd source code can be used together to achieve root
access within an ftp session.

Distribution: Red
  8/20/2004 Netscape

Netscape Navigator and Netscape Communicator have been removed from the
Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5. These
packages were based on Netscape 4.8, which is known to be vulnerable to
recent critical security issues, such as CAN-2004-0597, CAN-2004-0598, and

  8/20/2004 kernel
of service vulnerability

A bug in the SoundBlaster 16 code which did not properly handle certain
sample sizes has been fixed. This flaw could be used by local users to crash
a system.

Distribution: Suse
  8/20/2004 rsync
pathname sanitizing

If rsync is running in daemon-mode and without a chroot environment it is
possible for a remote attacker to trick rsyncd into creating an absolute
pathname while sanitizing it.

  8/20/2004 qt3
overflow vulnerability

Chris Evans found a heap overflow in the BMP image format parser which can
probably be abused by remote attackers to execute arbitrary code.

Distribution: Trustix
  8/20/2004 rsync
    Path escape

Please either enable chroot or upgrade to 2.6.1. People not running a daemon,
running a read-only daemon, or running a chrooted daemon are totally unaffected.