dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Caldera Systems Security Advisory: buffer overflow in /bin/mail

Mar 02, 2001, 23:23 (0 Talkback[s])

Date: Fri, 2 Mar 2001 11:58:48 -0700
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Update: buffer overflow in /bin/mail CSSA-2001-010.0


                   Caldera Systems, Inc.  Security Advisory

Subject:                buffer overflow in /bin/mail
Advisory number:        CSSA-2001-010.0
Issue date:             2001 March, 3
Cross reference:

1. Problem Description

There is a buffer overflow in /bin/mail which allows a local attacker to read, modify and delete mails of other users on the system.

2. Vulnerable Versions

   System                       Package

   OpenLinux 2.3                All packages previous to
                                mailx-8.1.1-12OL

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       mailx-8.1.1-12

   OpenLinux eDesktop 2.4       All packages previous to
                                mailx-8.1.1-12
3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

abc1ee0ce4d52ba1dd7059167af66cdc RPMS/mailx-8.1.1-12OL.i386.rpm
d88d071f083e7548837fb07aaf3e431d SRPMS/mailx-8.1.1-12OL.src.rpm
4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv mailx*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

eb76e3238d1832ce648c8fe8abcdeb53 RPMS/mailx-8.1.1-12.i386.rpm
6e0e4ae06009c54bee2385353b4d3d5c SRPMS/mailx-8.1.1-12.src.rpm
5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh mailx*i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

f99f489b3e748147d8ccfa9377158b55 RPMS/mailx-8.1.1-12.i386.rpm
6e0e4ae06009c54bee2385353b4d3d5c SRPMS/mailx-8.1.1-12.src.rpm
6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh mailx*i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 9327.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.