Rapid7 Vulnerability & Exploit Database

RHSA-2003:309: Updated fileutils/coreutils package fix ls vulnerabilities



Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published: 11/17/2003
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated fileutils and coreutils packages that close a potential denial of service vulnerability are now available.

The fileutils package contains several basic system utilities. One of these utilities is the "ls" program, which is used to list information about files and directories. In Red Hat Linux 9, the ls program is part of the coreutils package.

Georgi Guninski discovered a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0854 to this issue.

A non-exploitable integer overflow in ls has also been discovered. It is possible to make ls crash by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0853 to this issue.

This erratum contains new fileutils packages for Red Hat Linux versions 7.1, 7.2, 7.3, and 8.0. It also contains new coreutils packages for Red Hat Linux 9. These packages contain backported patches correcting these vulnerabilities. The Red Hat Linux 7.2 and 7.3 packages also add support for the O_DIRECT flag, which controls the use of synchronous I/O on file systems such as OCFS.

Solution(s)

  • redhat-upgrade-coreutils
  • redhat-upgrade-fileutils
