From: Roman Drahtmueller (drahtsuse.de)
Date: Fri May 18 2001 - 22:26:40 CDT

    > DESCRIPTION:
    > I found a buffer overflow vulnerability in
    > /usr/bin/dsh (dqs 3.2.7 package).
    >
    > I really don't know if this bug was discovered
    > already. If that's right, then sorry =).

    No, this is yet unknown to securitysuse.de.

    > If a long line on the first argument is given, the
    > program gives a SIGSEGV signal.
    >
    > This bug was reported to Drake Diedrich, Maintainer
    > for dqs (Drake.Diedrichanu.edu.adu).
    >
    > AFFECTED:
    > SuSE 6.3, 6.4, 7.0 have dqs 3.2.7 by default
    > and are therefore vulnerable, maybe others.

    I confirm this vulnerability and that dqs has the setuid bit on the file
    /usr/bin/dsh, but the package (as a package in the clustering series) is
    not installed by default.

    The fix (to remove the suid bit) is correct. If you have selected to set
    the variable PERMISSION_SECURITY in /etc/rc.config to "secure local" in
    SuSE-7.1 (recommended for security-enhanced settings), you are not
    vulnerable. On SuSE-7.1, in addition to the chmod command below, change
    the files /etc/permissions.*, too, to reflect the removed suid bit.

    If you do not need the dqs package, simply remove it using the command
      rpm -e dqs

    Of course, we will provide update packages as soon as possible.

    > FIX:
    > Remove the SUID permission
    > |rootnetdex /root|# ls -la /usr/bin/dsh
    > -rwsr-xr-x 1 root root 502748 May 18 00:36 /usr/bin/dsh
    > |rootnetdex /root|# chmod -s /usr/bin/dsh
    > |rootnetdex /root|# ls -la /usr/bin/dsh
    > -rwxr-xr-x 1 root root 502748 May 18

    Regards,
    Roman Drahtmüller,
    SuSE Security.

    -- 
     -                                                                    -
    | Roman Drahtmüller <drahtsuse.de>     "Caution: Cape does not        |
      SuSE GmbH - Security                  enable user to fly."
    | Nürnberg, Germany                     (Batman Costume warning label) |
     -                                                                    -
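
Added example, not part of the original message or of SuSE's tooling: a shell check that the fix described above persists, meaning the binary is no longer setuid and no permissions file still lists a setuid mode for it. The entry layout "<path> <owner.group> <octal mode>" is an assumption about the /etc/permissions.* format, the function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example. Assumed entry layout: "<path> <owner.group> <octal mode>",
# with '#' comment lines. Function names are hypothetical.

# Succeed if the octal mode string has the setuid bit (04000).
mode_has_suid() {
    case "$1" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Print every entry for path $1 in files $2.. that still grants setuid.
# Returns 0 if at least one such entry was found.
suid_entries() {
    target=$1; shift; found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        while read -r path owner mode rest || [ -n "$path" ]; do
            case "$path" in ''|'#'*) continue ;; esac
            [ "$path" = "$target" ] || continue
            if mode_has_suid "$mode"; then
                echo "$f: $path $owner $mode"; found=0
            fi
        done < "$f"
    done
    return $found
}

# Succeed only if the bit is gone on disk and no listed file would restore it.
fix_is_persistent() {
    target=$1; shift
    if [ -u "$target" ]; then echo "$target: setuid bit still set"; return 1; fi
    if suid_entries "$target" "$@"; then return 1; fi
    return 0
}

# Constructed sample: one file already edited, one still carrying mode 4755.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed' '/usr/bin/dsh root.root 755' > "$d/permissions.fixed"
    printf '%s\n' '/usr/bin/dsh root.root 4755' > "$d/permissions.old"
    suid_entries /usr/bin/dsh "$d"/permissions.* && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}

demo   # prints the stale permissions.old entry
# Real use: fix_is_persistent /usr/bin/dsh /etc/permissions.*
```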