SuSE Security Announcement: ypbind/ypclient
Oct 18, 2000, 20:26
(Other stories by Roman Drahtmueller)
Date: Wed, 18 Oct 2000 19:22:36 +0200 (MEST)
SuSE Security Announcement

Package:                ypbind/ypclient
Announcement-ID:        SuSE-SA:2000:042
Date:                   Wednesday, October 18th, 2000 19:15 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type:     possible remote root compromise
Severity (1-10):        8
SuSE default package:   yes (starting with SuSE-6.4)
Other affected systems: Linux systems using this NIS implementation

Content of this advisory:
  1) security vulnerability resolved: ypbind/ypclient
     problem description, discussion, solution and upgrade information
  2) pending vulnerabilities, solutions, workarounds
  3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
Security problems have been found in the client code of the NIS (Network Information System, aka yp - yellow pages) subsystem. SuSE distributions before SuSE-6.1 came with the original ypbind program; SuSE-6.2 and later included the ypbind-mt NIS client implementation. ypbind-3.3 (the earlier version) has a format string parsing bug if it is run in debug mode, and (discovered by Olaf Kirch) leaks file descriptors under certain circumstances, which can lead to a DoS. In addition, ypbind-3.3 may suffer from buffer overflows.
ypbind-mt, the software shipped with SuSE distributions starting with SuSE-6.2, suffers from a single format string parsing bug. Some of these bugs could allow remote attackers to execute arbitrary code as root.
During code audit and testing it turned out that the ypbind-3.x software in the SuSE-6.1 distribution and earlier needs a major overhaul to make it work both reliably and securely with respect to errors in the code. Basically, this is what happened when Thorsten Kukuk wrote ypbind-mt from scratch in 1998. For the same reason, we are currently unable to produce a working security update package which fixes the known and as yet unknown (there may be more) problems in the ypclient packages in the SuSE-6.1 distribution and older.
The only efficient workaround for the SuSE-6.1 distribution and older against these bugs for an untrusted, hostile environment is to upgrade to a new distribution base (SuSE-7.0 is recommended) and use the ypclient update packages for this distribution.
As of today, there is no exploit known to exist in the wild.
For SuSE-6.2 and later distributions we provide update packages as listed below. We recommend downloading and installing these packages on systems that are NIS/yp clients.
Please note that the sources for the ypclient package are contained within the ypserv source rpm.
Download the update package from locations described below and install the package with the command `rpm -Uhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command `rpm --checksig --nogpg file.rpm', independently from the md5 signatures below.
i386 Intel Platform:
SuSE-6.1 and older:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
Another security announcement is following this advisory.
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may subscribe:
SuSE's security contact is firstname.lastname@example.org.
Roman Drahtmüller, email@example.com
SuSE GmbH - Security, Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)