______________________________________________________________________________

                        SuSE Security Announcement

        Package:                kernel
        Announcement-ID:        SuSE-SA:2001:18
        Date:                   Thursday, May 17th, 2000 16:40 MET
        Affected SuSE versions: (6.1, 6.2), 6.3, 6.4, 7.0, 7.1
        Vulnerability Type:     local root compromise
        Severity (1-10):        7
        SuSE default package:   yes
        Other affected systems: All Linux systems using a v2.2 kernel

    Content of this advisory:
        1) security vulnerability resolved: kernel
           Problem, Workaround, Recommended solution, Instructions, Notes,
           Verification
        2) Acknowledgements
        3) standard appendix (further information)

______________________________________________________________________________

1) The Problem, Workaround, Recommended solution, Instructions, Notes,
   Verification

The Problem:

The SuSE Linux kernel is a standard kernel, enhanced with a set of additional
drivers and other improvements to suit the end-user's demand for a great
variety of drivers for all kinds of hardware.

Multiple security vulnerabilities have been found in all Linux kernels of
version 2.2 before version 2.2.19. Most of the errors found allow a local
attacker to gain root privileges. None of the errors found in the v2.2 Linux
kernel make it possible for a remote attacker to gain access to the system or
to elevate privileges from outside the system. Thanks to Alan Cox, a summary
of these errors can be found at Linux.com.

One of the numerous features in the SuSE Linux kernels is support for
reiserfs, a fast, stable logging filesystem. In addition to the bugs listed
at https://www.linux.com, the SuSE Linux kernel contains a fix for a race
condition between mmap(2) and write(2) in reiserfs that can expose raw data
from the disk to an unprivileged user (this problem affected the ufs and
ext2fs drivers in FreeBSD systems, see FreeBSD-SA-01:30.ufs-ext2fs). Please
see the acknowledgement section 2) below for credits on hunting these bugs
and fixing them.

Workarounds:

In order to solve the security problems, it is recommended to update the
kernel to version 2.2.19. Some problems (ptrace race) can be circumvented by
removing all suid and sgid bits from all binaries in the system. Since this
does not help against the other errors, there is no appropriate temporary
workaround against all of the known problems except for locking out users
with shell access.

Advanced Linux users may decide to compile and install the 2.2.19 kernel
themselves by hand. This requires some experience on behalf of the
administrator and may not be fully satisfying, because the standard 2.2.19
kernel does not contain some of the drivers that are included in the SuSE
kernel (ppp over ethernet, hardware health monitoring (SMBus), reiserfs,
graphics hardware acceleration modules (DRI), ...).

Recommended solution:

SuSE have chosen to provide update packages for the supported distributions
to the newest kernels instead of supplying patched update kernel packages of
the same kernel version, in order to avoid confusion about whether a
vulnerable version of a kernel is installed on a system or not. In addition
to the clarifying effect of a visible new kernel version that is known to
have all publicly known security problems fixed, SAP LinuxLab have certified
this release of the SuSE-enhanced Linux kernel version 2.2.19 with respect
to stability and performance. We expect that our users will benefit from
this achievement.

Currently, only kernel update packages for the Intel i386 distributions are
available.
The other supported architectures will have their kernel updates in their
respective update directories on our ftp server.

The SuSE Linux distribution 6.0 was shipped with a kernel of version 2.0.
All of the SuSE Linux distributions 6.1, 6.2, 6.3, 6.4, 7.0 and 7.1 are
ready for a kernel of version 2.2.19. However, since update support for the
SuSE Linux distributions 6.0, 6.1 and 6.2 has been discontinued, we strongly
encourage all users of these distributions to update their systems to a
newer version of the SuSE Linux distribution. Please note that the full
distribution can be installed from our ftp server or one of its mirrors.
Experienced Linux users may choose to update their kernels by hand to the
latest version 2.2.19.

Step-By-Step Installation Instructions:

The kernel of a Linux/Un*x system is the most critical component with
relation to stability, reliability and security. Consequently, an update of
that component requires some care and full attention to succeed. The
following paragraphs will guide you through the installation process in a
step-by-step fashion. The character sequence "****" marks the beginning of a
new paragraph. In some cases, you decide if the paragraph is needed for you
or not. Please read through all of the steps down to the end. All of the
commands that need to be executed are required to be run as the superuser
(root). Each step relies on the steps before it having been completed
successfully.

**** Step 1: Determine the needed RPM package

Use the command

    rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf`

to find the name of the kernel RPM package that is installed on your
system. Get the respective kernel RPM package from the directory
kernel/2.2.19/ in the update tree for your distribution version (one out of
6.3, 6.4, 7.0 or 7.1). Most installations are likely to run a k_deflt
kernel. To verify the integrity of the files that you need to download, see
the section "Verification" near the end of this announcement.

In SuSE-6.3 distributions, the above command can produce inconclusive
results. This is caused by a different kernel installation procedure in this
version of the SuSE Linux distribution. To select your kernel type, choose
from the following options:

    k_eide   - should be used for "exotic" IDE chipsets, mostly found on
               additional IDE interface adapters to PCI or ISA bus systems.
    k_laptop - should be used for laptops. This kernel has APM support
               configured.
    k_i386   - a kernel that should run on most i386 processors. Use this
               kernel package if the k_pentiu kernel will not boot.
    k_smp    - kernel for multiprocessor systems (SMP)
    k_pentiu - the standard kernel. It should run on most systems.

In the case that you have a self-compiled kernel running on your system,
please note that most kernels for the newer distributions have APM
configured. This obsoletes the need for a particular laptop kernel. k_deflt
(after SuSE-6.3) should do on most modern hardware.

**** Step 2: SuSE-6.3 special

If you have a SuSE-6.3 system, continue to read this paragraph, otherwise
jump to Step 3.

In SuSE Linux version 6.3, the kernel and the kernel modules are packaged in
two different packages. Both packages must be downloaded and installed. On
SMP systems, the packages kernmods (-> kernmod-SMP) and k_smp are needed. On
single processor systems, get the kernmod package plus the package as
determined by the description in Step 1.

**** Step 3: Installation of the RPM package

Install the rpm package using the command

    rpm -Uhv <package>

where <package> is the rpm package you downloaded in Step 1 (for 6.3 also
Step 2, two packages!). If the RPM command complains about conflicting files
or unfulfilled dependencies, use the options "--nodeps" and "--force". In
this case there is no risk for the consistency of the packages on your
system.

**** Step 4: aic7xxx

If you use an Adaptec aic7xxx SCSI host adapter, continue to read this
paragraph, otherwise jump to Step 5.

The new kernel comes with two versions of the Adaptec aic7xxx driver. If you
have such a card, you should see the driver listed in the output of the
command

    lsmod

or you should see the adapter in the output of the command

    lspci

The new driver is known to work reliably. However, if you encounter any
problems with CDROM drives or other removable devices (CD-RW drives, tapes,
etc.) after this kernel upgrade, then you should try to use the old driver,
which is called aic7xxx_old instead of aic7xxx. If you decide to make this
change, then Steps 6 and 7 are mandatory for the update to succeed,
regardless of whether you get back to this paragraph after your first reboot
or not.

To use the old driver, please use your favourite editor to edit the file
/etc/rc.config. Change aic7xxx into aic7xxx_old at the line that starts with
INITRD_MODULES. You should find it near the top of the file. Do not forget
to save your changes. Then go to Steps 6 and 7. If you want to use the new
driver, then do not change anything.

**** Step 5: LVM

If you use LVM, then continue to read this paragraph, otherwise jump to
Step 6.

If you use LVM (Logical Volume Manager) in your installation of SuSE Linux,
then you need the updated lvm package from the kernel/2.2.19/ directory for
your distribution as well. The package contains the userspace utilities to
manage the Logical Volume Manager driver. An update package is needed
because the LVM data format/structure on disk has changed with the new
version of the LVM kernel driver. Install the package as usual using the
command

    rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm

Be sure you have downloaded the package for the explicit version of your
SuSE Linux installation. The package names are identical for all
distribution versions.

WARNING: After the first boot with the new kernel you will not be able to
downgrade to older versions of LVM any more.
**** Step 6: initrd

Upon kernel boot (after lilo runs), the kernel needs to use the drivers for
the device (disk/raid) where the root filesystem is located. If this driver
is not compiled into the kernel, it is supplied as a kernel module that must
be loaded _before_ the root filesystem is mounted. This is done using a
ramdisk that is loaded along with the kernel by lilo (see next Step). This
ramdisk, called "initrd", must be generated using the command

    mk_initrd

The modules as configured in the variable INITRD_MODULES in /etc/rc.config
(see Step 4) are added to the initrd. Without the "mk_initrd" call your
system might not boot any more.

**** Step 7: lilo

lilo is responsible for loading the kernel image and the initrd ramdisk
image into the system and for transferring control over the system to the
kernel. Therefore, a proper installation of the bootloader (by calling the
program lilo) is essential for the system to boot (!). Manually changed
settings in /etc/lilo.conf require the admin to make sure that /boot/vmlinuz
is listed in the first "image" line in that file. Verify that the line
starting with initrd= is set to

    initrd=/boot/initrd

Execute

    lilo

and you should see your label in an output like

    Added linux *

Every other output should be considered an error and requires attention. If
your system managed to reboot before the upgrade, you should not see any
additional output from lilo at this stage.

**** Step 8: SuSE-7.0 special

If you have a SuSE Linux 7.0 distribution, then continue to read this
paragraph, otherwise jump to Step 9.

During testing of the 2.2.19-SuSE Linux kernel, we have found an error in
the glibc (shlibs) package of the SuSE Linux 7.0 distribution. The error
might cause readdir(3) calls to return -EIO to the user program due to
incorrect handling of the return value of getdents(2) from the kernel. This
bug mostly appears on NFS-mounted filesystems when commands such as tar(1)
are used. We have prepared update packages that solve this specific problem.
Former security updates are included in these packages, of course.

Determine which packages you need: see the output of the command

    rpm -q shlibs libc libd nssv1

It should not be necessary to update a package that is not installed. Select
the needed update packages and download them from the following list of
URLs:

    7.0/a1/nssv1-2.1.3-193.i386.rpm
    7.0/d1/libc-2.1.3-193.i386.rpm
    7.0/d2/libd-2.1.3-193.i386.rpm

!!!
!!! WARNING:
!!!

After download and before installation of the glibc packages, the system
should be brought to single user mode ("init 1"). If this is not suitable
for operational reasons, then please keep the system as calm as at all
possible during the update of the shlibs and nssv1 packages. In particular,
do not run any shell scripts or any other processes that execute other
binaries. Stop the cron and at services, and shut down your MTA. Suspend the
execution of active processes by sending them the -STOP signal with kill(1)
and let them resume their work after the installation of the shlibs and
nssv1 packages with a -CONT signal.

After verifying that the right conditions are in place, install the packages
using the commands

    rpm -Fhv nssv*.rpm shlibs*.rpm
    rpm -Fhv

Afterwards, execute the command

    ldconfig

to update the cache for the dynamic linker.

NOTE: updating shared libraries in the running system requires enough space
on the root and /usr filesystems to keep both versions of the shared
libraries on the disk. The old libraries will be deleted, but the files
continue to use disk space until they are not used by any processes any more
(see Step 9). Similar considerations apply to the memory consumption of the
system.

**** Step 9: reboot

Reboot your machine for the new kernel to boot and thereby become active.
Make sure that all of the above steps have completed successfully. Shut down
and reboot using the command

    shutdown -r now

or

    init 6

Notes:

a) After the upgrade, you might notice kernel messages upon execution of an
   NFS mount command:

       silence kernel: nfs warning: mount version older than kernel

   These messages are complaints that the mount(8) command needs to be
   upgraded. The mount(8) command is contained in the package "util"
   ("util-linux" for SuSE-7.1); we will provide update packages for the
   "util" ("util-linux" for SuSE-7.1) package. The change is mostly of a
   cosmetic nature and does not have any impact on the security or the
   stability of the system.

b) The kernel sources are contained in the RPM
   kernel/2.2.19/lx_sus22-2.2.19.SuSE-25.i386.rpm in each distribution
   update tree. The kernel documentation is in the package
   kernel/2.2.19/lx_doc22-2.2.19.SuSE-25.i386.rpm and installs to the base
   path /usr/share/doc/kernel/.

c) The directory kernel/misc/ in each distribution tree contains the
   .config files, the spec and changes file as well as the compilation
   output for the respective kernel, each in the directory where it belongs.
   In addition, the sources for the lvm package can be found in the lvm
   directory as appropriate.

Known problems:

* The kernel modules for the cipe and the freeswan packages are not
  contained in the kernel RPM packages. If you use these packages, then you
  should wait with the kernel update until the kernel modules for these
  packages are available, or you could recompile the kernel modules yourself
  (see section Notes b). Please read section 2) of the upcoming SuSE
  security announcements for the location of the cipecb.o and ipsec.o
  kernel modules.

Verification:

All RPM packages are gpg-signed using the
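Added example, not part of the advisory: a C check for the Step 7 conditions (the first image= line names /boot/vmlinuz and initrd= is /boot/initrd) that also extracts the first image= value that Step 1 feeds to rpm -qf. The function names and the two sample lilo.conf texts are constructed; it reads a configuration passed as a string, so it can be pointed at a copy of /etc/lilo.conf before the reboot in Step 9.

```c
/* Pre-reboot check for Steps 1 and 7 of the kernel update: parse a
 * lilo.conf text, report the first "image=" entry (the kernel that
 * rpm -qf is run against in Step 1) and verify that it is /boot/vmlinuz
 * with initrd=/boot/initrd.  Added example, not part of the SuSE
 * advisory; function names and the sample configurations are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAXVAL 128

struct lilo_check {
    char first_image[MAXVAL];   /* value of the first image= line */
    char initrd[MAXVAL];        /* value of the first initrd= line */
    int  image_count;
};

/* If line reads "key = value" (blanks optional, '#' starts a comment),
 * copy the trimmed value into out and return 1; otherwise return 0. */
static int match_key(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    while (isspace((unsigned char)*line)) line++;
    if (strncmp(line, key, klen) != 0) return 0;
    line += klen;
    while (isspace((unsigned char)*line)) line++;
    if (*line++ != '=') return 0;
    while (isspace((unsigned char)*line)) line++;
    n = strcspn(line, "\r\n#");
    while (n > 0 && isspace((unsigned char)line[n - 1])) n--;
    if (n >= outlen) n = outlen - 1;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Walk the configuration one line at a time and fill in the check. */
void lilo_scan(const char *conf, struct lilo_check *c)
{
    char line[512], val[MAXVAL];
    memset(c, 0, sizeof(*c));
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, conf, len);
        line[len] = '\0';
        if (match_key(line, "image", val, sizeof(val))) {
            if (c->image_count++ == 0) strcpy(c->first_image, val);
        } else if (match_key(line, "initrd", val, sizeof(val)) && !c->initrd[0]) {
            strcpy(c->initrd, val);
        }
        conf += strcspn(conf, "\n");
        if (*conf == '\n') conf++;
    }
}

/* Step 7 requirement: /boot/vmlinuz must be the first image and the
 * initrd line must name the freshly generated /boot/initrd. */
int lilo_ok_for_update(const char *conf)
{
    struct lilo_check c;
    lilo_scan(conf, &c);
    return strcmp(c.first_image, "/boot/vmlinuz") == 0 &&
           strcmp(c.initrd, "/boot/initrd") == 0;
}

/* Constructed samples: a correct configuration, and one where the old
 * kernel is still the first (default) entry with its old initrd. */
static const char SAMPLE_OK[] =
    "boot=/dev/hda\n"
    "prompt\n"
    "timeout=100\n"
    "# default kernel\n"
    "image=/boot/vmlinuz\n"
    "  label=linux\n"
    "  root=/dev/hda2\n"
    "  initrd=/boot/initrd\n"
    "image=/boot/vmlinuz.old\n"
    "  label=old\n";

static const char SAMPLE_BAD[] =
    "boot=/dev/hda\n"
    "image = /boot/vmlinuz.old\n"
    "  label = old\n"
    "  initrd = /boot/initrd.old\n"
    "image = /boot/vmlinuz\n"
    "  label = linux\n";

int main(void)
{
    struct lilo_check c;
    lilo_scan(SAMPLE_OK, &c);
    printf("first image=%s initrd=%s (%d image entries)\n",
           c.first_image, c.initrd, c.image_count);
    printf("ok sample passes: %d, bad sample passes: %d\n",
           lilo_ok_for_update(SAMPLE_OK), lilo_ok_for_update(SAMPLE_BAD));
    return 0;
}
```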
______________________________________________________________________________

                        SuSE Security Announcement

        Package:                kdesu
        Announcement-ID:        SuSE-SA:2001:02
        Date:
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        3
        SuSE default package:   yes
        Other affected systems: All KDE 1 & KDE 2 systems

    Content of this advisory:
        1) security vulnerability resolved: kdesu
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

kdesu is a KDE frontend for su(1). When invoked it prompts for the root
password and runs su(1). kdesu itself does not run setuid/setgid. However,
when the 'keep password' option is enabled it tries to send the password
across process boundaries to kdesud via a UNIX socket. During this it does
not verify the identity of the listener on the other end. This allows
attackers to obtain the root password.

This bug has been fixed in the update packages by checking the ownership of
the socket on the listener side.

Download the update package from the locations described below and install
the package with the command `rpm -Uhv file.rpm'. The md5sum for each file
is in the line below. You can verify the integrity of the rpm files using
the command `rpm --checksig --nogpg file.rpm', independently from the md5
signatures below.
______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- Kmail remote code execution. This issue will be addressed in following
  advisories.

- pgp4pine buffer overflow. Very unlikely to be exploited, but the next
  advisories will contain information on this as well as URLs for patches.
______________________________________________________________________________

3) standard appendix:

SuSE runs two security mailing lists to which any interested party may
subscribe:
______________________________________________________________________________

                        SuSE Security Announcement

        Package:                glibc (shlibs)
        Announcement-ID:        SuSE-SA:2001:01
        Date:                   Friday, January 26th, 2001 15:40 MET
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        6
        SuSE default package:   yes
        Other affected systems: most Linux/glibc based systems

    Content of this advisory:
        1) security vulnerability resolved: glibc
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

ld-linux.so.2, the dynamic linker, adds shared libraries to the memory space
of a program to be started. Its flexibility allows some environment
variables to influence the linking process, such as preloading shared
libraries as well as defining the path in which the linker will search for
the shared libraries. Special care must be exercised when runtime-linking
setuid or setgid binaries: the runtime linker must not link against
user-specified libraries, since the code therein would then run with the
elevated privileges of the suid binary.

The runtime linker as used in the SuSE distributions ignores the content of
the critical environment variables if the specified path begins with a slash
("/"), or if the library file name is not cached (e.g. it is contained in a
path from /etc/ld.so.conf). However, Solar Designer has found out that even
preloading glibc-native shared libraries can be dangerous: the code in the
user-linked library is not aware of the fact that the binary runs with suid
or sgid privileges. Using debugging features of the glibc (and possibly
other features) it is possible for a local attacker to overwrite arbitrary
files with the elevated privileges of the suid/sgid binary executed. This
may lead to a local root compromise.

To eliminate these problems, we provide update packages that completely
disregard the LD_* variables upon runtime-linking of a binary that has an
effective uid different from the caller's userid.

Download the update package from the locations described below and install
the package with the command `rpm -Uhv file.rpm'. The md5sum for each file
is in the line below. You can verify the integrity of the rpm files using
the command `rpm --checksig --nogpg file.rpm', independently from the md5
signatures below.

SPECIAL INSTALL INSTRUCTIONS:
=============================

The glibc (the shlibs package) is an intrinsic part of the GNU/Linux
operating system, since most binary executables depend on the shared
libraries from that package. For this reason, special care must be taken
while updating the shlibs package.

After downloading the binary rpm files, make sure that your system is idle
by bringing it down to Single User Mode (`init 1'). If this is not
applicable for operational reasons, then keep your machine as calm as
possible while you perform the update. In particular, make sure that no
shell scripts are running during the update.

Install the package using the command

    rpm -Uhv package-rpm-file

Do _NOT_ interrupt the operation of the rpm command!

After the installation, execute the commands

    ldconfig        # alternatively, use SuSEconfig
    /sbin/init u    # will restart init

At this point, the update is done. On low-memory machines a reboot is
advisable to free the memory that is used by the old memory-mapped
libraries.

Note 1: The upcoming SuSE-7.1 distribution is based on glibc-2.2. This
distribution is not affected by the security problems in glibc as discussed
in security forums.

Note 2: The source rpm for the shlibs package is called "libc*.rpm".
Multiple binary rpm packages are generated from this source rpm package.
These include: localedb, nssv1, shlibs, timezone. To get a fix for the
runtime-linker related security issue (topic of this announcement), it is
only necessary to update the shlibs binary rpm package.

The rpm packages are being produced as this announcement is written. The
md5sums for these rpm packages will be provided on the ftp-server, signed
with the
______________________________________________________________________________

                        SuSE Security Announcement

        Package:                modules
        Announcement-ID:        SuSE-SA:2000:44
        Date:                   Monday, November 13th, 2000 10:00 MEST
        Affected SuSE versions: 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        8
        SuSE default package:   yes
        Other affected systems: many newer Linux distributions

    Content of this advisory:
        1) security vulnerability resolved: modprobe shell metacharacter
           expansion
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The modules package is responsible for on-demand loading of kernel
modules/drivers. The /sbin/modprobe command, when executed as a new task by
the kernel-internal function request_module(), runs with the privileges of
the init process, usually root.

Newer versions of the modprobe program contain a bug which allows local
users to gain root privileges. modprobe expands given arguments via
/bin/echo and can easily be tricked into executing commands. In order for
this bug to be exploitable, a setuid root program must be installed that
can trigger the loading of modules (such as ping6).

The fix for this bug consists of a change to modprobe which disables the
expansion of arguments to modprobe via /bin/echo.

A temporary workaround for this bug is to disable the automatic loading of
modules in the running kernel by running the command (as root)

    /sbin/sysctl -w kernel.modprobe=/

or

    echo "/" > /proc/sys/kernel/modprobe

Please note that this temporary workaround will have to be repeated after
the next reboot to become effective again.
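Added example, not modprobe's code: the hardening the fix amounts to. A module name that originates from an unprivileged caller is validated against a strict character set and passed to the helper as its own argv element under a fixed environment, so no shell ever sees it; a small function also evaluates the kernel.modprobe value set by the workaround. Function names and the test inputs are constructed, and /bin/true stands in for the real helper.

```c
/* Hardening pattern for the modprobe problem: a module name that
 * originates from an unprivileged caller (the kernel's request_module()
 * path) is validated against a strict character set and handed to the
 * helper as its own argv element, never via /bin/echo or another shell.
 * Also evaluates the advisory's temporary workaround.  Added example, not
 * modprobe's code; function names and the test inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_MODNAME 64

/* Module names are letters, digits, '_' and '-' of bounded length and
 * must not start with '-' (the helper would read it as an option). */
int module_name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= MAX_MODNAME || name[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Execute helper with the module name as a separate argument under a
 * fixed, minimal environment.  No shell is involved, so nothing in
 * name can be expanded.  Returns the helper's exit status, or -1 when
 * the name is rejected or the child could not be created. */
int run_helper_safely(const char *helper, const char *name)
{
    int status;
    pid_t pid;

    if (!module_name_is_safe(name)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)name, NULL };
        char *const envp[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
        execve(helper, argv, envp);
        _exit(127);                        /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The workaround writes "/" to /proc/sys/kernel/modprobe so the kernel
 * has no loader to spawn.  Given that file's contents, return 1 when
 * module autoloading is disabled. */
int autoload_disabled(const char *proc_value)
{
    return strcspn(proc_value, "\r\n") == 1 && proc_value[0] == '/';
}

int main(void)
{
    const char *names[] = { "ipv6", "sb_card-2", "ipv6; ls", "$(HOME)", "-h" };
    char buf[128];
    FILE *f;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-10s -> %s\n", names[i],
               module_name_is_safe(names[i]) ? "accepted" : "rejected");

    /* /bin/true stands in for the helper; the second call never execs. */
    printf("helper(ipv6) exit status: %d\n", run_helper_safely("/bin/true", "ipv6"));
    printf("helper(\"ipv6; ls\") result: %d\n", run_helper_safely("/bin/true", "ipv6; ls"));

    f = fopen("/proc/sys/kernel/modprobe", "r");
    if (f && fgets(buf, sizeof buf, f)) {
        int off = autoload_disabled(buf);
        buf[strcspn(buf, "\n")] = '\0';
        printf("kernel.modprobe = \"%s\" -> autoload disabled: %d\n", buf, off);
    }
    if (f) fclose(f);
    return 0;
}
```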
Download the update package from the locations described below and install
the package with the command `rpm -Uhv file.rpm'. The md5sum for each file
is in the line below. You can verify the integrity of the rpm files using
the command `rpm --checksig --nogpg file.rpm', independently from the md5
signatures below.

Due to a packaging error, the modules package source rpm is not available on
our ftp servers yet. It will appear at the location above in very few hours.

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

A separate message is being prepared to address the currently ongoing
security vulnerabilities.
______________________________________________________________________________

3) standard appendix:

SuSE runs two security mailing lists to which any interested party may
subscribe:
______________________________________________________________________________

                        SuSE Security Announcement

        Package:                shlibs (glibc-2.0, glibc-2.1)
        Date:                   Wednesday, September 6th, 2000 12:30 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        9
        SuSE default package:   yes
        Other affected systems: all glibc based linux systems, other Un*x
                                systems

    Content of this advisory:
        1) security vulnerability resolved: shlibs (glibc)
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, temporary workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The glibc implementations in all SuSE distributions starting with SuSE-6.0
have multiple security problems, at least one of which allows any local user
to gain root access to the system.

a) ld-linux.so.2, the runtime linker, is supposed to clean environment
   variables that may influence the execution of programs run by a suid
   program. Variables of that kind include LD_LIBRARY_PATH and LD_PRELOAD.
   These variables do not have any effect on the suid application itself,
   since the linker ignores them. However, if the suid program executes
   another non-suid application without dropping privileges and without
   cleaning the environment, the LD_* variables would allow an attacker to
   execute arbitrary code as the effective uid of the calling suid program.
   There is currently no program in the SuSE distribution known to be
   susceptible to this problem.

b) The locale handling portions of the glibc code fail to properly check
   given environment settings such as the variable LANGUAGE. This could
   lead to arbitrary code being executed as root, depending on the
   permissions and ownership of the program being used for the exploit.

c) A bug in the mutex handling code in the shlibs version for SuSE-7.0
   could cause multithreaded applications to hang or crash. This has also
   been fixed.

There is only one way to temporarily circumvent the exploit: disable all
suid applications in the system.

SuSE provides updated packages for the vulnerable libraries. It is strongly
recommended to upgrade to the latest version found on our ftp server as
described below. The update packages remove all currently known security
problems in the glibc package.

Download the update packages as described below and install the package
with the command `rpm -Fhv file.rpm'. The md5sum for each file is in the
line below. You can verify the integrity of the rpm files using the command
`rpm --checksig --nogpg file.rpm', independently from the md5 signatures
below.

SPECIAL INSTALL INSTRUCTIONS:

Note that the complete update consists of three (3) binary rpm packages and
one source rpm package per distribution and platform. libc-*.rpm contains
the static libraries, libd is the package for the profiling+debugging
version of the libraries. If at all possible, keep your machine calm while
you perform the update. Execute the following commands after the rpm update
has been applied:

    /sbin/ldconfig    # alternatively, use SuSEconfig
    /sbin/init u      # will restart init to make a clean shutdown
                      # possible once needed.
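Added example, not glibc's or SuSE's code, covering both this advisory and the January 2001 glibc advisory above: the rule under which the updated runtime linker disregards LD_* (effective credentials differ from the caller's), and the environment scrubbing a setuid program must perform itself before executing a non-suid helper, since the helper's own linker would honour those variables. The function names, the scrubbed set (LD_* and LANGUAGE) and SAMPLE_ENV are constructed.

```c
/* Defensive counterpart to the two glibc advisories: the runtime linker
 * may honour LD_* only when the process runs with exactly the
 * credentials of its caller, and a privileged program that executes a
 * non-suid helper must scrub those variables itself, because the
 * helper's own linker would honour them.  Added example, not glibc's
 * code; the variable list and SAMPLE_ENV are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The rule the updated packages apply when a binary is started. */
int ld_env_may_be_honoured(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Entries a privileged program must not pass on to a helper: every
 * LD_* variable (preload, library path, the debug/profile output files
 * behind the file-overwrite problem) and LANGUAGE from problem b). */
int is_unsafe_for_exec(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0 ||
           strncmp(entry, "LANGUAGE=", 9) == 0;
}

/* Copy envp into out without the unsafe entries.  out must have room
 * for max pointers including the terminating NULL.  Returns how many
 * entries were dropped, or -1 if out is too small. */
int scrub_env(char *const envp[], char *out[], size_t max)
{
    size_t kept = 0;
    int dropped = 0;
    for (size_t i = 0; envp[i]; i++) {
        if (is_unsafe_for_exec(envp[i])) { dropped++; continue; }
        if (kept + 1 >= max) return -1;
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return dropped;
}

/* Constructed environment as an unprivileged shell might hand it to a
 * setuid program. */
static char *const SAMPLE_ENV[] = {
    "PATH=/bin:/usr/bin",
    "LD_PRELOAD=/home/user/lib/libhook.so",
    "HOME=/home/user",
    "LD_LIBRARY_PATH=/home/user/lib",
    "LANGUAGE=xx",
    "TERM=vt100",
    NULL
};
static char *CLEAN_ENV[8];

/* Scrub SAMPLE_ENV into CLEAN_ENV and return the number of entries dropped. */
int scrub_sample_env(void)
{
    return scrub_env(SAMPLE_ENV, CLEAN_ENV, sizeof CLEAN_ENV / sizeof CLEAN_ENV[0]);
}

int main(void)
{
    int dropped = scrub_sample_env();
    printf("dropped %d entries; environment handed to the helper:\n", dropped);
    for (int i = 0; CLEAN_ENV[i]; i++) printf("  %s\n", CLEAN_ENV[i]);
    printf("this process may honour LD_*: %d\n",
           ld_env_may_be_honoured(getuid(), geteuid(), getgid(), getegid()));
    /* A setuid program would now call execve(helper, argv, CLEAN_ENV). */
    return 0;
}
```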
Please use the packages from the SuSE-6.1 directory for SuSE-6.0!

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

This section addresses currently known vulnerabilities in Linux/Unix systems
that have not been resolved yet as of the release date of this advisory.
- screen
  Local root compromise. Update+advisory follows this advisory.

- zope
  SuSE distributions before 7.0 do not contain zope as a package. An updated package for the freshly released SuSE-7.0 is on the way.

- xchat
  A fix for the URL handler vulnerability is in progress and will be released within a few days. There is currently no effective and easy workaround other than removing the package by hand (`rpm -e xchat'). More information on xchat can be found in xchat's documentation directory, /usr/doc/packages/xchat, or /usr/share/doc/packages/xchat for SuSE-7.0.

______________________________________________________________________________

3) standard appendix:

SuSE runs two security mailing lists to which any interested party may subscribe:
______________________________________________________________________________

SuSE Security Announcement

Package:   cdwtools < 0.93
Date:      Wed Oct 20 13:04:19 CEST 1999
Affected:  all Linux distributions using cdwtools
______________________________________________________________________________

A security hole was discovered in the package mentioned above. Please update as soon as possible, or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well; please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
______________________________________________________________________________

1. Problem Description

The cdwtools package is a frontend for various programs used to create CDs. Several buffer overflows and /tmp vulnerabilities exist in the cdwtools package. Thanks to Brock Tellier for bringing this problem to our attention.

2. Impact

Everyone who has the cdwtools package installed and SuSE configured for the "easy" security setting (which is the default) is vulnerable to a local root compromise.

3. Solution

Update the cdwtools package. See below.
______________________________________________________________________________

Here are the md5 checksums of the upgrade packages; please verify these before installing the new packages:

1d71866d165c7f5f1b84565313b02ea5  cdwtools-0.93-101.i386.rpm   (6.1/x86)
53c3d210034cf8abb140977c8d5deb69  cdwtools-0.93-100.i386.rpm   (6.2/x86)
74a493d82128566836cd3953ea23da82  cdwtools-0.93-101.alpha.rpm  (6.1/AXP)
______________________________________________________________________________

You will find the update on our ftp server.

Webpage for patches: https://www.suse.com/de-de/
or try the following web page for a list of mirrors: https://www.suse.com/de-de/
______________________________________________________________________________
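Both the glibc instructions above (`rpm --checksig --nogpg`, then `rpm -Fhv`) and the cdwtools listing just above ask you to verify the md5sums before installing. The shell functions below are an added example, not code from SuSE: they check every downloaded rpm against a manifest of "<md5>  <filename>" lines copied from the advisory and refuse to run rpm at all if a single file is missing or mismatches. They assume GNU md5sum and the rpm invocations the advisory itself gives; the manifest file name, the function names and the demo's file contents are this example's own.

```shell
#!/bin/sh
# Added example, not the advisory's own code: gate the rpm update on the
# md5sums published in the advisory. Assumes GNU md5sum. MANIFEST holds one
# "<md5>  <filename>" line per package, copied from the advisory listing.

# verify_md5 FILE EXPECTED: 0 if FILE exists and its md5 equals EXPECTED.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# verify_manifest MANIFEST: check every listed file; print OK/MISMATCH per
# file and return 0 only if all of them match. A missing file counts as a
# mismatch, so a partial download cannot slip through.
verify_manifest() {
    status=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        if verify_md5 "$name" "$sum"; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# install_verified MANIFEST: only when every md5 matches, run the advisory's
# own steps: rpm --checksig --nogpg on each file, then rpm -Fhv on all of
# them. Nothing is installed if any checksum or signature check fails.
install_verified() {
    verify_manifest "$1" || {
        echo "aborting: checksum mismatch, nothing installed" >&2
        return 1
    }
    files=$(awk '{print $2}' "$1")
    for f in $files; do
        rpm --checksig --nogpg "$f" || return 1
    done
    rpm -Fhv $files
}

# Demo on constructed files (not real rpms): one correct entry and one
# deliberately wrong hash, so the gate is seen to refuse.
demo_md5() {
    t=$(mktemp -d)
    printf 'constructed, not a real rpm\n' > "$t/cdwtools-0.93-101.i386.rpm"
    good=$(md5sum "$t/cdwtools-0.93-101.i386.rpm" | awk '{print $1}')
    printf '%s  %s\n' "$good" "$t/cdwtools-0.93-101.i386.rpm" > "$t/md5sums.txt"
    printf '%s  %s\n' 00000000000000000000000000000000 "$t/missing.rpm" >> "$t/md5sums.txt"
    if verify_manifest "$t/md5sums.txt"; then
        echo "all files verified"
    else
        echo "verification failed, do not install"
    fi
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo_md5
fi
```

In the download directory, put the advisory's lines into md5sums.txt and run `install_verified md5sums.txt` as root. For the glibc update, follow it with the `/sbin/ldconfig` and `/sbin/init u` steps from the install instructions above; the cdwtools update needs no such follow-up.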