Posted on 08/26/2005 8:03:57 AM PDT by N3WBI3
Linux/Unix e-mail flaw leaves system wide open
By Matthew Broersma, Techworld
Two serious security flaws have turned up in software widely distributed with Linux and Unix. The bugs affect Elm (Electronic Mail for Unix), a venerable e-mail client still used by many Linux and Unix sysadmins, and Mplayer, a cross-platform movie player that is one of the most popular of its kind on Linux.
The Elm flaw involves a boundary error when the client reads an e-mail's "Expires" header. A specially crafted e-mail could exploit the bug to cause a buffer overflow and execute malicious code on a system, according to security researchers.
Adding to the flaw's potential impact, exploit code has begun circulating on the Internet, according to FrSIRT, the French Security Incident Response Team, which published sample code on its site.
The flaw affects Elm version 2.5 PL7 and earlier, and has been fixed in a new update, version 2.5 PL8. A patched version is available via Elm-related websites, or from operating system vendors such as Red Hat.
Elm is one of the oldest email clients for Unix-like operating systems (including Linux), having gained popularity in the early 1990s. The application is a predecessor of such command-line e-mail clients as Mutt and Pine. Its users tend to be experienced Unix hands - the kind who run large, important systems, according to industry observers.
Red Hat, FrSIRT and advisory aggregator Secunia all gave the Elm flaw a highly critical rating.
The bug in Mplayer is the latest media-player bug to plague sysadmins. Widely used desktop applications such as media players are more difficult to patch than server-side bugs, because there are many times more copies in use, often without the knowledge of IT managers.
The flaw affects Mplayer versions 1.0pre7 and earlier, and hasn't been patched, according to an advisory from FrSIRT.
The flaw allows attackers to execute malicious code via a specially crafted media file, according to Sven Tantau, who discovered the flaw. The exploit is triggered by a specially crafted "strf" value in an audio header, and results in a buffer overflow, Tantau said in an advisory.
OSS PING
If you are interested in the OSS ping list please mail me
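The article attributes the Elm flaw to a boundary error while reading the "Expires" header. The following is an added example, not Elm's code and not part of the original article, showing a header-value copy that checks the length before writing and rejects oversize values; `EXPIRES_MAX`, `parse_expires`, `check_crafted` and the status codes are hypothetical names, and the 64-byte buffer size is an assumption.

```c
#include <ctype.h>
#include <string.h>

#define EXPIRES_MAX 64   /* assumed destination size, not Elm's real value */
enum { HDR_OK = 0, HDR_NOT_EXPIRES = -1, HDR_TOO_LONG = -2, HDR_BAD_ARG = -3 };

/* Copy the value of an "Expires:" line into out[outlen]. The length is
 * checked before any byte is written; oversize values are rejected. */
int parse_expires(const char *line, char *out, size_t outlen)
{
    static const char name[] = "expires:";
    size_t nlen = sizeof name - 1;
    if (line == NULL || out == NULL || outlen == 0)
        return HDR_BAD_ARG;
    out[0] = '\0';
    for (size_t i = 0; i < nlen; i++)          /* case-insensitive field name */
        if (tolower((unsigned char)line[i]) != name[i])
            return HDR_NOT_EXPIRES;
    const char *val = line + nlen;
    while (*val == ' ' || *val == '\t')        /* skip leading whitespace */
        val++;
    size_t vlen = strcspn(val, "\r\n");        /* value ends at the line break */
    while (vlen > 0 && isspace((unsigned char)val[vlen - 1]))
        vlen--;                                /* trim trailing whitespace */
    if (vlen >= outlen)                        /* value plus NUL must fit */
        return HDR_TOO_LONG;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return HDR_OK;
}

/* Constructed input: an Expires value of n filler bytes. Returns the parser
 * status, or 1 if the guard bytes placed after the buffer were modified. */
int check_crafted(size_t n)
{
    struct { char buf[EXPIRES_MAX]; unsigned char guard[8]; } s;
    char line[4200] = "Expires: ";
    size_t off = strlen(line);
    if (n > sizeof line - off - 3) return HDR_BAD_ARG;
    memset(line + off, 'A', n);
    memcpy(line + off + n, "\r\n", 3);
    memset(s.guard, 0x5a, sizeof s.guard);
    int rc = parse_expires(line, s.buf, sizeof s.buf);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a) return 1;
    return rc;
}

int main(void) { return check_crafted(4000) == HDR_TOO_LONG ? 0 : 1; }
```

Rejecting the header outright, rather than truncating it, keeps a malformed date from being silently accepted by later parsing code.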
I was going to say the same thing. Who in the hell uses ELM?
In other news, a new security hole was found in DOS 4.0 with hard disk partitions over 32 MB.
I *loved* "elm" ... until someone introduced me to "pine" :-)
Well, apparently someone does; RedHat still puts it on their distro, and the code base still seems to be alive for it. Like you, I don't know why.
I loved pine until someone introduced me to mutt..
Although it's hardly a serious problem now, this really goes to confirm my suspicion that the security benefits of open-source software are in many cases - not all, but many - largely theoretical. I think the reality is that, in most cases, very few people beyond the actual author bother to read/audit the code for the open-source software they use.
Many eyes caught this, this was found within the community.. A community that was not as big in the early to mid 1990's as it is now..
Although it's hardly a serious problem now, this really goes to confirm my suspicion that the security benefits of open-source software are in many cases - not all, but many - largely theoretical.
The turnaround time on bugs in the OSS community is huge. And consider you're talking about elm, an email client almost nobody uses. If we got a notification about every vulnerability in the closed source world I think you would see OSS stacks up quite nicely.
I think the reality is that, in most cases, very few people beyond the actual author bother to read/audit the code for the open-source software they use.
Here's the thing: most projects have more than one author. If OSS code is written in a UNIX-like philosophy and is useful, it quickly develops a large development community that will survive the loss of the initial author.
And it only took them two decades to track it down. C'mon, let's be honest for a minute - that bug has been there for years, including the entire time people were actually using elm, and nobody caught it. Yes, it's not as big now, but back when it was big, this bug was undetected, and remained undetected, despite the fact that the source has been available from the beginning.
The turnaround time on bugs in the OSS community is huge.
I think not - I do not think that it is possible to make such a sweeping judgement about the "community". I think that, within that community, the turnaround time for large, high-profile projects - the Linux kernel, Mozilla, a few others perhaps - is quite decent. I also think that for every project like that, there are a hundred smaller, less high-profile projects within the community, that are basically operating in obscurity, and where the code is not usually given a serious examination by anyone other than the authors. And not to put too fine of a point on it, but it doesn't matter at all how fast bugs get fixed in the kernel if they hang around forever in elm, or sendmail, or the finger daemon, or whatever - the success of one does not obviate the failure of the other.
Here's the thing: most projects have more than one author. If OSS code is written in a UNIX-like philosophy and is useful, it quickly develops a large development community that will survive the loss of the initial author.
Okay, great. So when the original author gets hit by a crosstown bus, at that point someone else will start looking at the code. Why don't I find that comforting? ;)
Can't be true, according to the zealots Linux has no security flaws!
Hahaha ... I'm kidding of course, couldn't resist. =)
Thanks for the alert. Luckily I don't use Linux for my eMail.
echo "mutt is great for scripting" | mutt -s "mutt works too :-)" N3WBI3
That's all right--nobody uses elm anymore anyway. I use mutt or Thunderbird.
Hehe, I tried them all back in the day. Then I decided on one I really liked, 'mail'. Yep, the standard mail client did all my dirty work until I discovered X Windows in 2001 (actually, got a machine capable of running it). Now I use T-Bird. ;P
I think this same flaw affects win95 too.