Security problem
I don't know about it, but the following text might be of interest to
some:
__________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Debian Linux "Super" package Buffer Overflow
>
> February 16, 1999 19:00 GMT                                   Number J-031
>
> ______________________________________________________________________________
> PROBLEM:       Internet Security Systems (ISS) X-Force has discovered a
>                vulnerability in the system administration utility, "Super".
> PLATFORM:      All versions of Super distributed with Debian Linux. Can be
>                installed and configured for many Unix variants.
> DAMAGE:        If exploited, this vulnerability could lead to a root
>                compromise.
> SOLUTION:      Until Super version 3.11.7 is available, apply the fix
>                listed below.
>
> ______________________________________________________________________________
> VULNERABILITY  Risk is high since this vulnerability could lead to a root
> ASSESSMENT:    compromise.
>
> ______________________________________________________________________________
>
> [ Start ISS Security Advisory ]
>
> ISS Security Advisory
> February 15, 1999
>
> Buffer Overflow in "Super" package in Debian Linux
>
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the system administration utility, "Super". Super is used by
> administrators to allow certain users to execute commands with root
> privileges. The vulnerability is distributed with Debian Linux. It may
> allow local attackers to compromise root access. Super is a GNU
> copylefted package that is distributed with recent Debian Linux
> distributions, but it can be installed and configured for many Unix
> variants.
>
>
> Affected versions:
>
> ISS X-Force has determined that version 3.9.6 through version 3.11.6 are
> vulnerable. All versions of Super distributed with Debian Linux are
> vulnerable. Execute the following command to determine version
> information:
>
> # /usr/bin/super -V
>
>
> Fix Information:
>
> The main distribution point for the Super package:
> ftp.ucolick.org:/pub/users/will/
>
> Mirror:
> ftp.onshore.com:/pub/mirror/software/super
>
> super-3.11.7.tar.gz full source code for 3.11.7
> super-3.11.6.patch1 patches overflow in 3.11.6
> super-3.11.6-3.11.7 patch to change 3.11.6 to 3.11.7
>
> Please refer to these locations for fixes which will be included in
> Super version 3.11.7.
>
> Description:
>
> Super is a utility that allows authorized users to execute commands with
> root privileges. It is intended to be an alternate to setuid scripts,
> which are inherently dangerous. A buffer overflow exists in Super that
> may allow attackers to take advantage of its setuid configuration to gain
> root access.
>
>
> Recommended Action:
>
> Version 3.11.7 should be installed as soon as it is available.
> Administrators should take care to disable setuid root utilities that are
> not used by regular users. To disable Super permanently, execute the
> following command as root to disable the setuid bit:
>
> # chmod 755 /usr/bin/super
>
> __________
>
> Copyright (c) 1999 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of X-Force. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please e-mail
> xforce@iss.net for permission.
>
> Disclaimer:
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
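The version range from "Affected versions" (3.9.6 through 3.11.6) and the setuid mitigation from "Recommended Action" can be checked together on a host. The following audit script is an added example, not part of the CIAC or ISS text; it assumes that `super -V` prints a dotted version on its first line and that GNU `stat -c %a` is available, and the version strings fed to it in testing are constructed.

```shell
#!/bin/sh
# Constructed audit helper for the Super advisory: flags an installed Super
# whose version is in the advisory's range and which is still setuid.

# Compare two dotted versions; prints -1, 0 or 1 for a < b, a = b, a > b.
# Missing trailing components count as 0 (3.10 equals 3.10.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0; [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when VERSION lies in the advisory's range 3.9.6 .. 3.11.6.
super_version_vulnerable() {
    [ "$(vercmp "$1" 3.9.6)" -ge 0 ] && [ "$(vercmp "$1" 3.11.6)" -le 0 ]
}

# Pull the first dotted number out of `super -V` output (wording assumed).
parse_super_version() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Verdict for one binary from its version string and octal mode bits
# (as printed by `stat -c %a`). Exit 2 = vulnerable and setuid,
# 1 = vulnerable version but setuid already cleared, 0 = outside the range.
audit_super() {
    ver="$1"; mode="$2"; setuid=no
    case "$mode" in 4???|5???|6???|7???) setuid=yes;; esac   # setuid bit set
    if super_version_vulnerable "$ver"; then
        if [ "$setuid" = yes ]; then
            echo "VULNERABLE: super $ver (mode $mode): chmod 755 or upgrade to 3.11.7"
            return 2
        fi
        echo "MITIGATED: super $ver is vulnerable but not setuid (mode $mode)"
        return 1
    fi
    echo "OK: super $ver is outside the advisory's range (mode $mode)"
    return 0
}

# Live check when the binary named in the advisory exists on this host.
if [ -x /usr/bin/super ]; then
    audit_super "$(parse_super_version "$(/usr/bin/super -V 2>&1)")" \
                "$(stat -c %a /usr/bin/super)"
fi
```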