7083579 2001-09-10 11:06 -0600 /223 lines/ Support Info <supinfo@caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-11 01:07 by Brevbäraren
External recipient: announce@lists.caldera.com
External recipient: bugtraq@securityfocus.com
External recipient: linux-security@redhat.com
External recipient: linuxlist@securityportal.com
Recipient: Bugtraq (import) <19143>
Subject: Security Update [CSSA-033.0]Linux - uucp argument handling problems
------------------------------------------------------------
From: Support Info <supinfo@caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
linux-security@redhat.com, linuxlist@securityportal.com
Message-ID: <20010910110610.A5682@phoenix.calderasystems.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - uucp argument handling problems
Advisory number: CSSA-2001-033.0
Issue date: 2001, September 07
Cross reference:
______________________________________________________________________________
1. Problem Description
There is an argument handling problem which allows a local attacker
to gain access to the uucp group. Using this access the attacker
could use badly written scripts to gain access to the root account.
2. Vulnerable Versions
System                                          Package
------------------------------------------------------------------------------------
OpenLinux 2.3                                   All packages previous to uucp-1.06.2-8OL
OpenLinux eServer 2.3.1 and OpenLinux eBuilder  All packages previous to uucp-1.06.2-8OL
OpenLinux eDesktop 2.4                          All packages previous to uucp-1.06.2-8OL
OpenLinux Server 3.1                            All packages previous to uucp-1.06.2-8
OpenLinux Workstation 3.1                       All packages previous to uucp-1.06.2-8
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
dd0f6e46374d62c349bf7a1f618a23a0  RPMS/uucp-1.06.2-8OL.i386.rpm
33b96ff362a261b87f73b2377fa20a5d  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
ee5c7f9bf1887d3c34f8c232b70a84b7  RPMS/uucp-1.06.2-8OL.i386.rpm
26f7f712e318c63a5deea1474a58e06f  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
1f00b87ce48e72d8a4bd754123d554d4  RPMS/uucp-1.06.2-8OL.i386.rpm
c00296b93945c8778c46252e975818d2  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
4e3b47bc507d48bf9396e70c806d9a8e  RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b  RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16  RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73  SRPMS/uucp-1.06.2-8.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
8.2 Verification
4e3b47bc507d48bf9396e70c806d9a8e  RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b  RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16  RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73  SRPMS/uucp-1.06.2-8.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 10430.
10. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera OpenLinux.
11. Acknowledgements
Caldera International wishes to thank Zen Parse for reporting this
problem.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7mLNh18sy83A/qfwRAjufAJ9EDB62Ytxhmm7btRwdaBqFKTefhgCeJLeG
N+UBsH+SqoY7LRBr7hIRE48=
=ukQY
-----END PGP SIGNATURE-----
(7083579) /Support Info <supinfo@caldera.com>/(Reflowed)
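Added example, not part of the Caldera advisory: one way to carry out the "Verification" step before the "Installing Fixed Packages" step, by checking every file against an "md5  path" list for the product actually installed (the advisory lists different sums for the same file name under different products). The function names, the MD5SUMS file name and the stand-in file contents are assumptions made for this example; only the package file names come from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): gate "rpm -Fvh" on the MD5 list.
# Usage: verify_manifest MD5SUMS . && rpm -Fvh RPMS/uucp-1.06.2-8.i386.rpm

# verify_manifest MANIFEST DIR
# MANIFEST holds "md5  relative/path" lines, as in the Verification sections.
# Returns 0 only if every listed file exists under DIR and its MD5 matches.
verify_manifest() {
    manifest=$1; dir=$2; rc=0; checked=0
    while read -r want path; do
        case $want in ''|\#*) continue ;; esac   # skip blanks and comments
        checked=$((checked + 1))
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path" >&2; rc=1
        fi
    done < "$manifest"
    [ "$checked" -gt 0 ] || rc=1   # an empty list must not count as verified
    return "$rc"
}

# make_sample DIR
# Builds constructed stand-in files (not real RPMs) and a manifest computed
# from them, so the check can be exercised offline.
make_sample() {
    mkdir -p "$1/RPMS" "$1/SRPMS"
    printf 'constructed binary pkg\n' > "$1/RPMS/uucp-1.06.2-8.i386.rpm"
    printf 'constructed source pkg\n' > "$1/SRPMS/uucp-1.06.2-8.src.rpm"
    (cd "$1" && md5sum RPMS/*.rpm SRPMS/*.rpm) > "$1/MD5SUMS"
}
```

For a real upgrade, the manifest is the three or four lines from the Verification section that matches the installed product, saved to a file in the download directory.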