The e-mail, bearing the subject “RedHat: Buffer Overflow in ‘ls’ and ‘mkdir’” warns of a “critical-critical update” that could allow a remote attacker to execute arbitrary code with root privileges. It includes a link to a tar file housed on a personal account on Stanford University’s network. “The link points to a ‘compiled’ shell script that adds a root user and sends system info to an email address,” said Red Hat security director Mark Cox, who said the company worked with US-CERT and Stanford to get the link shut down.
Red Hat’s security team is reminding users to be mindful of its standard practices in issuing alerts and patches. “Official messages from the Red Hat security team are never sent unsolicited, are always sent from the address secalert@redhat.com, and are digitally signed by GPG,” the company said on its web site. “All official updates for Red Hat products are digitally signed and should not be installed unless they are correctly signed and the signature is verified.”
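The signature check Red Hat describes, as an added example that is not from the article or from Red Hat: a POSIX shell gate that runs `rpm -K` on a downloaded package and installs it only when the output reports a verified GPG signature, not merely intact digests. It assumes `rpm` is present, the vendor's public key has already been imported with `rpm --import`, and the function names are my own.

```shell
#!/bin/sh
# Added example: refuse to install an RPM unless `rpm -K` reports its
# signature as verified. Assumes the vendor key is already imported.

# Judge one line of `rpm -K` / `rpm --checksig` output.
# Returns 0 only for a verified signature. Handles both output styles:
#   older rpm:  "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"
#   rpm >= 4.14: "pkg.rpm: digests signatures OK"
sig_line_ok() {
    line="$1"
    verdict="${line#*: }"          # drop the "filename: " prefix
    case "$verdict" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;   # failed or untrusted key
    esac
    case "$verdict" in
        *" OK") ;;                                  # digests/signatures passed
        *) return 1 ;;
    esac
    # "digests OK" alone (new rpm) or "sha1 md5 OK" (old rpm) means the
    # package carries no signature at all, so it must still be refused.
    case "$verdict" in
        *signatures*|*gpg*|*pgp*|*rsa*|*dsa*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify, then install; any unsigned or badly signed package is rejected.
install_if_signed() {
    pkg="$1"
    result="$(rpm -K "$pkg" 2>&1)"
    if sig_line_ok "$result"; then
        rpm -Uvh "$pkg"
    else
        echo "refusing to install $pkg: $result" >&2
        return 1
    fi
}

# Usage: install_if_signed ./update.rpm
```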