Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Caldera Security Advisory: uucp argument handling problems

Sep 11, 2001, 06:16 (0 Talkback[s])
Date: Mon, 10 Sep 2001 11:06:10 -0600
From: Support Info 
Subject: Security Update [CSSA-033.0]Linux - uucp argument handling problems


____________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                Linux - uucp argument handling problems
Advisory number:        CSSA-2001-033.0
Issue date:             2001, September 07
Cross reference:
____________________________________________________________________________


1. Problem Description

   There is a argument handling problem which allows a local attacker to
   gain access to the uucp group. Using this access the attacker could
   use badly written scripts to gain access to the root account.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 All packages previous to      
                                 uucp-1.06.2-8OL               
   
   OpenLinux eServer 2.3.1       All packages previous to      
   and OpenLinux eBuilder        uucp-1.06.2-8OL               
   
   OpenLinux eDesktop 2.4        All packages previous to      
                                 uucp-1.06.2-8OL               
   
   OpenLinux Server 3.1          All packages previous to      
                                 uucp-1.06.2-8                 
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 uucp-1.06.2-8                 
   
3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       dd0f6e46374d62c349bf7a1f618a23a0  RPMS/uucp-1.06.2-8OL.i386.rpm
       33b96ff362a261b87f73b2377fa20a5d  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
       e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
       

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh uucp-1.06.2-8OL.i386.rpm/ \
              uucp-doc-1.06.2-8OL.i386.rpm/
         

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       ee5c7f9bf1887d3c34f8c232b70a84b7  RPMS/uucp-1.06.2-8OL.i386.rpm
       26f7f712e318c63a5deea1474a58e06f  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
       e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
       

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh uucp-1.06.2-8OL.i386.rpm/ \
              uucp-doc-1.06.2-8OL.i386.rpm/
         

6. OpenLinux eDesktop 2.4

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       1f00b87ce48e72d8a4bd754123d554d4  RPMS/uucp-1.06.2-8OL.i386.rpm
       c00296b93945c8778c46252e975818d2  RPMS/uucp-doc-1.06.2-8OL.i386.rpm
       e602cfba314e2519e2762bfecac9024c  SRPMS/uucp-1.06.2-8OL.src.rpm
       

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
              uucp-doc-1.06.2-8OL.i386.rpm
         

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       4e3b47bc507d48bf9396e70c806d9a8e  RPMS/uucp-1.06.2-8.i386.rpm
       41cabb92a4eb86310d01c6a6b2f7453b  RPMS/uucp-doc-html-1.06.2-8.i386.rpm
       d06d2cd63b739895ebf82fa361266f16  RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
       6f3e6037bd3839380f9a4104e55a9a73  SRPMS/uucp-1.06.2-8.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh uucp-1.06.2-8.i386.rpm \
              uucp-doc-html-1.06.2-8.i386.rpm \
              uucp-doc-ps-1.06.2-8.i386.rpm
         

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       4e3b47bc507d48bf9396e70c806d9a8e  RPMS/uucp-1.06.2-8.i386.rpm
       41cabb92a4eb86310d01c6a6b2f7453b  RPMS/uucp-doc-html-1.06.2-8.i386.rpm
       d06d2cd63b739895ebf82fa361266f16  RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
       6f3e6037bd3839380f9a4104e55a9a73  SRPMS/uucp-1.06.2-8.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh uucp-1.06.2-8.i386.rpm \
              uucp-doc-html-1.06.2-8.i386.rpm \
              uucp-doc-ps-1.06.2-8.i386.rpm
         

9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10430.


10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.

11. Acknowledgements

   Caldera International wishes to thank Zen Parse for reporting this
   problem.
____________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7mLNh18sy83A/qfwRAjufAJ9EDB62Ytxhmm7btRwdaBqFKTefhgCeJLeG
N+UBsH+SqoY7LRBr7hIRE48=
=ukQY
-----END PGP SIGNATURE-----