SuSE: ipppd buffer overflows


______________________________________________________________________________

                        SuSE Security Announcement

        Package:                i4l
        Announcement-ID:        SuSE-SA:2002:030
        Date:                   Mon Aug 12 11:00:00 CEST 2002
        Affected products:      7.3, 8.0,
                                SuSE Linux Database Server,
                                SuSE eMail Server 3.1,
                                SuSE eMail Server III,
                                SuSE Firewall Adminhost VPN,
                                SuSE Linux Admin-CD for Firewall,
                                SuSE Linux Live-CD for Firewall,
                                SuSE Linux Connectivity Server,
                                SuSE Linux Enterprise Server 7
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        5
        SuSE default package:   Yes
        Other affected systems: No

    Content of this advisory:
        1) security vulnerability resolved: buffer overflows in ipppd
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    The i4l package contains several programs for ISDN maintenance and
    connectivity on Linux. The ipppd program which is part of the package
    contained various buffer overflows and format string bugs. Since ipppd
    is installed setuid to root and executable by users of group 'dialout'
    this may allow attackers with appropriate group membership to execute
    arbitrary commands as root.
    The i4l package is installed by default and also vulnerable if you do
    not have a ISDN setup. The buffer overflows and format string bugs have
    been fixed. We strongly recommend an update of the i4l package.
        If you do not consider updating the package it is also possible to
    remove the setuid bit from /usr/sbin/ipppd as a temporary workaround.
        The SuSE Security Team is aware of a published exploit for ipppd
    that gives a local attacker root privileges so you should either update
    the package or remove the setuid bit from ipppd.

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

    i386 Intel Platform:

    SuSE-8.0
      
      cfd29e3bfb2466dc15eafae8c8280b3d
    source rpm:
      
      fdb75de724d373dee4d21ce3e9be176e

    SuSE-7.3
      
      1d5fff19d48eb1b0652c21c139fdf53d
    source rpm:
      
      b0b5ac3c6f03f848170a158b5fee4e72


    Sparc Platform:

    SuSE-7.3
      
      2fd232a50e27055831fd35337e6d73e7
    source rpm:
      
      cdef29bad89fcc6c2e4d0be38377edfa


    PPC Power PC Platform:

    SuSE-7.3
      
      90939fabf3b1fcd8dd143e969b830dea
    source rpm:
      
      220bb5b9c5f16605beff26b961eba11a

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - docbook
    In past some distributors provided updates for their docbook packages
    to fix a problem within the docbook configuration-files which allowed
    evil input-files to create arbitrary files within the users scope. However
    the supplied configuration-fixes can easily be circumvented by offering
    certain style-sheet files along with the evil input-file.
    Because of this fact SuSE does not offer updates for the docbook packages
    but rather strongly recommends to not process untrusted files with the
    docbook utilities.

    - openldap2
    Andrew McCall reported a problem within the openldap2 package which could
    lead to a denial of service attack against the slapd server. This problem
    has been fixed. New openldap2 packages will soon be available.

______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum 
       after you downloaded the file from a SuSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We disrecommend to subscribe to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig 
       to verify the signature of the package, where  is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an un-installed rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SuSE in rpm packages for SuSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at   .


  - SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ====================================================================    SuSE's security contact is <security@suse.com> or <security@suse.de>.
    The <security@suse.de> public key is listed below.
    ====================================================================______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the clear text signature shows proof of the
    authenticity of the text.
    SuSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

______________________________________________________________________________ SuSE Security Announcement Package: i4l Announcement-ID: SuSE-SA:2002:030 Date: Mon Aug 12 11:00:00 CEST 2002 Affected products: 7.3, 8.0, SuSE Linux Database Server, SuSE eMail Server 3.1, SuSE eMail Server III, SuSE Firewall Adminhost VPN, SuSE Linux Admin-CD for Firewall, SuSE Linux Live-CD for Firewall, SuSE Linux Connectivity Server, SuSE Linux Enterprise Server 7 Vulnerability Type: local privilege escalation Severity (1-10): 5 SuSE default package: Yes Other affected systems: No Content of this advisory: 1) security vulnerability resolved: buffer overflows in ipppd problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The i4l package contains several programs for ISDN maintenance and connectivity on Linux. The ipppd program which is part of the package contained various buffer overflows and format string bugs. Since ipppd is installed setuid to root and executable by users of group 'dialout' this may allow attackers with appropriate group membership to execute arbitrary commands as root. The i4l package is installed by default and also vulnerable if you do not have a ISDN setup. The buffer overflows and format string bugs have been fixed. We strongly recommend an update of the i4l package. If you do not consider updating the package it is also possible to remove the setuid bit from /usr/sbin/ipppd as a temporary workaround. The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. i386 Intel Platform: SuSE-8.0 cfd29e3bfb2466dc15eafae8c8280b3d source rpm: fdb75de724d373dee4d21ce3e9be176e SuSE-7.3 1d5fff19d48eb1b0652c21c139fdf53d source rpm: b0b5ac3c6f03f848170a158b5fee4e72 Sparc Platform: SuSE-7.3 2fd232a50e27055831fd35337e6d73e7 source rpm: cdef29bad89fcc6c2e4d0be38377edfa PPC Power PC Platform: SuSE-7.3 90939fabf3b1fcd8dd143e969b830dea source rpm: 220bb5b9c5f16605beff26b961eba11a ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - docbook In past some distributors provided updates for their docbook packages to fix a problem within the docbook configuration-files which allowed evil input-files to create arbitrary files within the users scope. However the supplied configuration-fixes can easily be circumvented by offering certain style-sheet files along with the evil input-file. Because of this fact SuSE does not offer updates for the docbook packages but rather strongly recommends to not process untrusted files with the docbook utilities. - openldap2 Andrew McCall reported a problem within the openldap2 package which could lead to a denial of service attack against the slapd server. This problem has been fixed. New openldap2 packages will soon be available. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at . - SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>. suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively. ==================================================================== SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below. ====================================================================______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By