Linux Today: Linux News On Internet Time.

SuSE Security Announcement: ncurses

Oct 27, 2000, 20:19 (1 Talkback[s])

Date: Fri, 27 Oct 2000 17:59:46 +0200 (MEST)
From: Roman Drahtmueller draht@suse.de
To: suse-security-announce@suse.de
Subject: [suse-security-announce] SuSE Security Announcement: ncurses (SuSE-SA:2000:043)

                        SuSE Security Announcement

        Package:                ncurses
        Announcement-ID:        SuSE-SA:2000:043
        Date:                   Friday, October 27th, 2000 17:00 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        5
        SuSE default package:   yes
        Other affected systems: systems with suid binaries linked against

    Content of this advisory:
        1) security vulnerability resolved: ncurses
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

The ncurses library is used by many text/console based applications such as mail user agents, ftp clients and other command line utilities. A vulnerability has been found by Jouko Pynnönen jouko@solutions.fi in the screen handling functions: Insufficient boundary checking leads to a buffer overflow if a user supplies a specially drafted terminfo database file. If an ncurses-linked binary is installed setuid root, it is possible for a local attacker to exploit this hole and gain elevated privileges.

There are several ways to fix the problem associated with the library. One of them would be to fix the library. However, it is not considered unlikely that another problem (similar to the one that has just been found) will be revealed in the future. Therefore, it is advisable to not link setuid applications against the ncurses library. As a permanent and cleaner fix, we do not provide update packages for the ncurses library, but we suggest to change the modes of the relevant setuid applications. There are three setuid-root applications contained in SuSE-distributions:
xaos (suid root for permissions to use SVGAlib on the Linux console) screen (does not need root privs in the latest version) cda, contained in the xmcd program, a command line CD player. It might need elevated privileges to access the cdrom device file.

The script attached to the email with this announcement changes the modes of files in the SuSE distribution that match both criteria necessary to exploit the buffer overflow in the ncurses library:
1) the binary is setuid root,
2) it is linked against libncurses.
Please save the attachment under the name "perms-ncurses.sh" and execute it using the command `bash ./perms-ncurses.sh´. It does:
a) Check your version of the screen program installed.
b) Changes /etc/permissions and /etc/permissions.easy to reflect
the mode changes. The original files are saved, see /etc/permissions.* . (note: The chkstat program is being executed by SuSEconfig, the SuSE configuration script, to set the modes of files according to the entries in the permission files. The files being used are /etc/permissions, /etc/permissions.local and /etc/permissions.easy unless the administrator changed the settings in /etc/rc.config .)
c) Changes the file modes by hand by executing
chmod 755 /usr/X11R6/lib/X11/xmcd/bin-Linux-$ARCH/cda \ /usr/bin/screen /usr/bin/xaos

You can download the script from the following location:


2) Pending vulnerabilities in SuSE Distributions and Workarounds:

A summary about ongoing issues will be included in the next security announcement.

3) standard appendix:

SuSE runs two security mailing lists to which any interested party may subscribe:

- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To subscribe, send an email to suse-security-subscribe@suse.com.

- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list. To subscribe, send an email to suse-security-announce-subscribe@suse.com.

For general information or the frequently asked questions (faq) send mail to:
suse-security-info@suse.com or
suse-security-faq@suse.com respectively.

SuSE's security contact is security@suse.com.

Roman Drahtmüller.
- - --

 -                                                                      -
| Roman Drahtmüller        draht@suse.de //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -