Stay Secure with the Latest Linux Advisories

security advisorybuffer overflowlocal privilege escalation

SuSE: 2002:030 Moderate Risk: Potential i4l Local Escalation Issue

The ipppd program contained various buffer overflows and format string bugs. Since ipppd is installed setuid to root and executable by users of group 'dialout' this may allow attackers with appropriate group membership to execute arbitrary commands as root.. ______________________________________________________________________________ SuSE Security Announcement Package: i4l Announcement-ID: SuSE-SA:2002:030 Date: Mon Aug 12 11:00:00 CEST 2002 Affected products: 7.3, 8.0, SuSE Linux Database Server, SuSE eMail Server 3.1, SuSE eMail Server III, SuSE Firewall Adminhost VPN, SuSE Linux Admin-CD for Firewall, SuSE Linux Live-CD for Firewall, SuSE Linux Connectivity Server, SuSE Linux Enterprise Server 7 Vulnerability Type: local privilege escalation Severity (1-10): 5 SuSE default package: Yes Other affected systems: No Content of this advisory: 1) security vulnerability resolved: buffer overflows in ipppd problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The i4l package contains several programs for ISDN maintenance and connectivity on Linux. The ipppd program which is part of the package contained various buffer overflows and format string bugs. Since ipppd is installed setuid to root and executable by users of group 'dialout' this may allow attackers with appropriate group membership toexecute arbitrary commands as root. The i4l package is installed by default and also vulnerable if you do not have a ISDN setup. The buffer overflows and format string bugs have been fixed. We strongly recommend an update of the i4l package. If you do not consider updating the package it is also possible to remove the setuid bit from /usr/sbin/ipppd as a temporary workaround. The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. i386 Intel Platform: SuSE-8.0 cfd29e3bfb2466dc15eafae8c8280b3d source rpm: fdb75de724d373dee4d21ce3e9be176e SuSE-7.3 1d5fff19d48eb1b0652c21c139fdf53d source rpm: b0b5ac3c6f03f848170a158b5fee4e72 Sparc Platform: SuSE-7.3 2fd232a50e27055831fd35337e6d73e7 source rpm: cdef29bad89fcc6c2e4d0be38377edfa PPC Power PC Platform: SuSE-7.3 90939fabf3b1fcd8dd143e969b830dea source rpm: 220bb5b9c5f16605beff26b961eba11a ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - docbook In past some distributors provided updates for their docbook packages to fix a problem within the docbook configuration-files which allowed evil input-files to create arbitrary files within the users scope. However the supplied configuration-fixes can easily be circumvented by offering certain style-sheet filesalong with the evil input-file. Because of this fact SuSE does not offer updates for the docbook packages but rather strongly recommends to not process untrusted files with the docbook utilities. - openldap2 Andrew McCall reported a problem within the openldap2 package which could lead to a denial of service attack against the slapd server. This problem has been fixed. New openldap2 packages will soon be available. ______________________________________________________________________________ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the command md5sum after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key This email address is being protected from spambots. You need JavaScript enabled to view it. ), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless. 2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key " This email address is being protected from spambots. You need JavaScript enabled to view it. " upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at . - SuSE runs two security mailing lists to which any interested party may subscribe: This email address is being protected from spambots. You need JavaScript enabled to view it. - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . This email address is being protected from spambots. You need JavaScript enabled to view it. - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. ==================================================================== SuSE's security contact is or . The public key is listed below. ====================================================================______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. . Discover the critical security warning related to SuSE's i4l component, which emphasizes the risk associated with unapproved root command execution.. local privilege escalation, SuSE i4l update, buffer overflow protection. . LinuxSecurity.com Team

Aug 12, 2002 SuSE