SuSE Security Announcement: at (SuSE-SA:2002:003)
-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: at Announcement-ID: SuSE-SA:2002:003 Date: Wednesday, Jan 16th 2001 16:00 MET Affected SuSE versions: 6.4, 7.0, 7.1, 7.2, 7.3 Vulnerability Type: local privilege escalation Severity (1-10): 5 SuSE default package: yes Other affected systems: most Linux systems with the at package installed Content of this advisory: 1) security vulnerability resolved: at problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The 'at' command reads commands from standard input for execution at a later time specified on the command line. If such an execution time is given in a carefully drafted (but wrong) format, the at command may crash as a result of a surplus call to free(). The cause of the crash is a heap corruption that is exploitable under certain circumstances since the /usr/bin/at command is installed setuid root. A temporary workaround against the bug is to disable the at command for non-root users by removing the setuid-bit from the /usr/bin/at command. As a permanent solution it is recommended to install the update packages as listed for download below. In addition to the fixed heap corruption, file handling security has been improved by adding the O_EXCL (exclusive) option to an open(2) system call inside the at(1) code. We thank zen-parse for reporting this vulnerability. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. i386 Intel Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap1/at-3.1.8-459.i386.rpm db3d2bd38f81667dcece38d1c4a86725 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/at-3.1.8-459.src.rpm 82701057fc8ea3217800b0ab1e2e544b SuSE-7.2 ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap1/at-3.1.8-458.i386.rpm 91b759e6a8d433273c5567ed26735690 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/at-3.1.8-458.src.rpm 3df6d6d708d4ef90515f6f1fbbdea5bf SuSE-7.1 ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/at-3.1.8-458.i386.rpm 73eb22d5c958c17e264fd31ec339b763 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/at-3.1.8-458.src.rpm 1303a1328f31313a62f5645f7cb476ef SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/at-3.1.8-459.i386.rpm 3179e64f87371d7864d1956ceb9bd020 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/at-3.1.8-459.src.rpm 67efafe83908ac53fc54acac9a0f056b SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/at-3.1.8-458.i386.rpm aaffed7c302b9ec42885087296c6f0a1 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/at-3.1.8-458.src.rpm 374cf4374fbe1e66ab2e685aa0449034 Sparc Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap1/at-3.1.8-356.sparc.rpm ec76d45245ef917e22f5f1a863a89988 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/at-3.1.8-356.src.rpm 40de9490a06bd294ad6a7f90e682c0cd SuSE-7.1 ftp://ftp.suse.com/pub/suse/sparc/update/7.1/a1/at-3.1.8-356.sparc.rpm 27f575762c0b1643008968a167324347 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/at-3.1.8-356.src.rpm 66546dc729e071039595a13d01feacfb SuSE-7.0 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/at-3.1.8-357.sparc.rpm 98007292769f55e4239b6922157bfa13 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/at-3.1.8-357.src.rpm 2d20cdbb10680282596677aac3106f30 AXP Alpha Platform: SuSE-7.1 ftp://ftp.suse.com/pub/suse/axp/update/7.1/a1/at-3.1.8-360.alpha.rpm df71ebf25a2252637ee1421d08779b8d source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/at-3.1.8-360.src.rpm b8b3a4f80e0d19e0211131ca58c1e0fe SuSE-7.0 ftp://ftp.suse.com/pub/suse/axp/update/7.0/a1/at-3.1.8-361.alpha.rpm 0bc21b9ddc12746a17592fa74473bbf6 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/at-3.1.8-361.src.rpm 4d93aa10b426224936e3de357540ea49 SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/at-3.1.8-361.alpha.rpm aeb76c2eb37f7e442c49c7ba3c5e44a5 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/at-3.1.8-361.src.rpm 6d783c34eb0b855a96736e58d67bc053 PPC Power PC Platform: SuSE-7.3 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap1/at-3.1.8-363.ppc.rpm 111bd6e813ef33265035b21d19776b49 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/at-3.1.8-363.src.rpm fa2ee9aca5b73009b1d9c90731265a19 SuSE-7.1 ftp://ftp.suse.com/pub/suse/ppc/update/7.1/a1/at-3.1.8-362.ppc.rpm 868a1662f751823432d3d881edd371cd source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/at-3.1.8-362.src.rpm d759233bfc2ce230e1c46d2ec0f15a73 SuSE-7.0 ftp://ftp.suse.com/pub/suse/ppc/update/7.0/a1/at-3.1.8-362.ppc.rpm 7b12fe4b5f31434eb7cf3c0caae75811 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/at-3.1.8-362.src.rpm 4c6e2724bb76e08be66831ed85c60f85 SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/at-3.1.8-362.ppc.rpm 7ebc9a1fde97f5ac8226b9e17621a40b source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/at-3.1.8-362.src.rpm fa3c5e08703eb54b4f493de56ec837bb ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Linux Distributions and Workarounds: - clanlib dotslash@snosoft.com reported an environment variable copying buffer overflow in the clanlib package. If a program that is linked against the clanlib shared library is installed setuid or setgid, this error may lead to elevated privileges. In the case of SuSE Linux distributions, this is only the case for the methane package: It comes installed with a setgid bit to group "game", which is used to store highscores in group- writeable files. This setgid bit will be cleared in future releases of the SuSE Linux distribution. For already installed "methane" packages, we recommend to remove the setgid bit with the command chmod -s /usr/X11R6/bin/methane The methane package is not installed on SuSE systems by default, nor is the defective library "clanlib". - thttpd The thttpd daemon contained several off-by-one overflows. Due to internal organization of the variables affected by these overflows, they seem not exploitable. However, these bugs have been fixed. Please update to the newest thttpd packages. - pine The popular mail client "pine" was found vulnerable to an attack where shell metacharacters inside an URL could be used to execute arbitrary commands if pine passes the URL to an external viewer on the commandline. The pine packages on SuSE products are not vulnerable to this weakness because they contain a patch that works around this problem since it is not new. - xchat We are working on updates for the xchat packages in the SuSE Linux 7.0 and 7.1 distributions that are vulnerable to an encoding bug while receiving and decoding ctcp datagrams. This bug can lead an xchat IRC client to execute IRC protocol specific commands to an IRC server such as channel mode changes. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>. suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively. ===================================================================== SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+ 3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP +Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR 8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U 8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohc BBMRAgAcBQI57vSBBQkDwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8s AJ98BgD40zw0GHJHIf6dNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQ EQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACe OO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vf iUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEI SZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9g TPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23p QUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1y PqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IX SzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd9DYJ8UUT mIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Via5/gO7fJ EpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13CNZZNZfD qnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp271hhQBe RmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlEt5ucTXst Zy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMGB/9g+9V3 ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZwrbSTM5Lp C/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6TtIJlGG6pq UN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFLrWn7mfoG x6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5HRKMWpO+M 9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMag8zFbpeq PQUsDv9V7CAJ1dbriEwEGBECAAwFAjnu9JIFCQPCZwAACgkQqE7a6JyACspLIgCb BQd/++0pB9yZWDhqxHtTpdCXRsAAnik7bYHlTxQfohiXYsEJcWrDn7l8 =ojbD - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBPEWe7Hey5gA9JdPZAQGPCwf/QrDn2sd0oKT6gehLPdCxZqH7qluObAUV Kzkb0dLx47O6LeiX/TEo7ssx30Y2boLyGG6X1Hy/jlHk9+Lx864AW/9EHX+kXmJg iiRMfNoWTswZU4gqZWyemW/pRYVN7U62LhKbe/m7GVy3JpxPCDZZQi4oGLIN114K p50J86r2GoGEKeQfQi+cShndfohuaS1KA0U1H5O2gODrEsuGcXUfNyYq8MraS1qF knWzC+5FZZMAyoJ5Jr4AhYttrtuRoyRfS6z0gJkqeC0s+dUhNEEV/auGckuo2k4T A4F39QxnxlB220iItOedJPhj+dSgfe8IrJx2t4z2uNoXuqkIaSCnlA== =GPsQ -----END PGP SIGNATURE-----
participants (1)
-
Roman Drahtmueller