Sicherheit: Fehlerhafte Behandlung von Argumenten in uucp

Lesezeichen hinzufügen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera International, Inc. Security Advisory

Subject: Linux - uucp argument handling problems
Advisory number: CSSA-2001-033.0
Issue date: 2001, September 07
Cross reference:
______________________________________________________________________________

1. Problem Description

There is a argument handling problem which allows a local attacker to
gain access to the uucp group. Using this access the attacker could
use badly written scripts to gain access to the root account.

2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
uucp-1.06.2-8OL

OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder uucp-1.06.2-8OL

OpenLinux eDesktop 2.4 All packages previous to
uucp-1.06.2-8OL

OpenLinux Server 3.1 All packages previous to
uucp-1.06.2-8

OpenLinux Workstation 3.1 All packages previous to
uucp-1.06.2-8

3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

dd0f6e46374d62c349bf7a1f618a23a0 RPMS/uucp-1.06.2-8OL.i386.rpm
33b96ff362a261b87f73b2377fa20a5d RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

ee5c7f9bf1887d3c34f8c232b70a84b7 RPMS/uucp-1.06.2-8OL.i386.rpm
26f7f712e318c63a5deea1474a58e06f RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

1f00b87ce48e72d8a4bd754123d554d4 RPMS/uucp-1.06.2-8OL.i386.rpm
c00296b93945c8778c46252e975818d2 RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm

7. OpenLinux 3.1 Server

7.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

7.2 Verification

4e3b47bc507d48bf9396e70c806d9a8e RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16 RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73 SRPMS/uucp-1.06.2-8.src.rpm

7.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm

8. OpenLinux 3.1 Workstation

8.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

The corresponding source code package can be found at:

SRPMS

8.2 Verification

4e3b47bc507d48bf9396e70c806d9a8e RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16 RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73 SRPMS/uucp-1.06.2-8.src.rpm

8.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm

9. References

This and other Caldera security resources are located at:

http://www.caldera.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 10430.

10. Disclaimer

Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

Caldera International wishes to thank Zen Parse for reporting this
problem.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7mLNh18sy83A/qfwRAjufAJ9EDB62Ytxhmm7btRwdaBqFKTefhgCeJLeG
N+UBsH+SqoY7LRBr7hIRE48=
=ukQY
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com