
Security problem



I don't know about it, but the following text might be of interest to
some:

              __________________________________________________________
> 
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>              __________________________________________________________
> 
>                              INFORMATION BULLETIN
> 
>                   Debian Linux "Super" package Buffer Overflow
> 
> February 16, 1999 19:00 GMT                                       Number J-031
> ______________________________________________________________________________
> PROBLEM:       Internet Security Systems (ISS) X-Force has discovered a
>                vulnerability in the system administration utility, "Super".
> PLATFORM:      All versions of Super distributed with Debian Linux. Can be
>                installed and configured for many Unix variants.
> DAMAGE:        If exploited, this vulnerability could lead to a root 
>                compromise. 
> SOLUTION:      Until Super version 3.11.7 is available, apply the fix listed
>                below.
> ______________________________________________________________________________
> VULNERABILITY  Risk is high since this vulnerability could lead to a root
> ASSESSMENT:    compromise.
> ______________________________________________________________________________
> 
> [  Start ISS Security Advisory  ]
> 
> ISS Security Advisory
> February 15, 1999
> 
> Buffer Overflow in "Super" package in Debian Linux
> 
> 
> Synopsis:
> 
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the system administration utility, "Super".  Super is used by
> administrators to allow certain users to execute commands with root
> privileges.  The vulnerability is distributed with Debian Linux.  It may
> allow local attackers to compromise root access.  Super is a GNU
> copylefted package that is distributed with recent Debian Linux
> distributions, but it can be installed and configured for many Unix
> variants.  
> 
> 
> Affected versions:
> 
> ISS X-Force has determined that version 3.9.6 through version 3.11.6 are
> vulnerable.  All versions of Super distributed with Debian Linux are
> vulnerable.  Execute the following command to determine version
> information:
> 
> # /usr/bin/super -V
> 
> 
> Fix Information:
> 
> The main distribution point for the Super package:
> ftp.ucolick.org:/pub/users/will/
> 
> Mirror:
> ftp.onshore.com:/pub/mirror/software/super
> 
> super-3.11.7.tar.gz   full source code for 3.11.7
> super-3.11.6.patch1   patches overflow in 3.11.6
> super-3.11.6-3.11.7   patch to change 3.11.6 to 3.11.7 
> 
> Please refer to these locations for fixes which will be included in
> Super version 3.11.7.
> 
> Description:
> 
> Super is a utility that allows authorized users to execute commands with
> root privileges.  It is intended to be an alternate to setuid scripts,
> which are inherently dangerous.  A buffer overflow exists in Super that
> may allow attackers to take advantage of its setuid configuration to gain
> root access.
> 
> 
> Recommended Action:
> 
> Version 3.11.7 should be installed as soon as it is available.
> Administrators should take care to disable setuid root utilities that are
> not used by regular users.  To disable Super permanently, execute the
> following command as root to disable the setuid bit:
> 
> # chmod 755 /usr/bin/super
> 
> __________
> 
> Copyright (c) 1999 by Internet Security Systems, Inc.
> 
> Permission is hereby granted for the redistribution of this alert
> electronically.  It is not to be edited in any way without express
> consent of X-Force.  If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please e-mail
> xforce@iss.net for permission.
> 
> Disclaimer:
> 
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
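As an added example (not part of the forwarded CIAC/ISS bulletin), the following POSIX sh script turns the advisory's two checks into an audit: it compares a Super version against the stated vulnerable range 3.9.6 through 3.11.6 and reports whether the binary still carries the setuid bit that the `chmod 755` workaround removes. It assumes that `super -V` prints a dotted three-part version somewhere in its output; the script only reads, it never changes file modes.

```shell
#!/bin/sh
# Added audit helper, not part of the CIAC/ISS advisory. Assumptions: the
# vulnerable range is 3.9.6 through 3.11.6 (from the advisory) and
# "super -V" prints a dotted three-part version somewhere in its output.

# Turn "a.b.c" into one integer so versions compare numerically, not textually.
ver_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}
# True (exit 0) when the version lies in the advisory's vulnerable range.
super_version_vulnerable() {
    v=$(ver_to_int "$1")
    [ "$v" -ge "$(ver_to_int 3.9.6)" ] && [ "$v" -le "$(ver_to_int 3.11.6)" ]
}
# Pull the first dotted version out of arbitrary "-V" output (format assumed).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}
# True when the file carries the setuid bit, the exposure "chmod 755" removes.
is_setuid() {
    [ -u "$1" ]
}
# Report the status of an installed super binary; reads only, never chmods.
audit_super() {
    bin=${1:-/usr/bin/super}
    if [ ! -x "$bin" ]; then
        echo "$bin: not installed"
        return 0
    fi
    ver=$(extract_version "$("$bin" -V 2>&1)")
    if [ -z "$ver" ]; then
        echo "$bin: could not determine version"
    elif super_version_vulnerable "$ver"; then
        echo "$bin: version $ver is in the vulnerable range 3.9.6-3.11.6"
    else
        echo "$bin: version $ver is outside the vulnerable range"
    fi
    if is_setuid "$bin"; then
        echo "$bin: setuid bit set (advisory workaround: chmod 755 $bin)"
    fi
}
# Run the audit only when invoked as: sh audit_super.sh --audit [path]
[ "${1:-}" = "--audit" ] && audit_super "${2:-/usr/bin/super}"
```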