Linux Today: Linux News On Internet Time.

More on LinuxToday

SuSE Security Announcement: glibc/shlibs, in.ftpd

Dec 26, 2001, 18:09 (0 Talkback[s])
SuSE Security Announcement

        Package:                glibc/shlibs, in.ftpd
        Announcement-ID:        SuSE-SA:2001:046
        Date:                   Monday, Dec 24th 2001 19:00 MET
        Affected SuSE versions: (6.3), 6.4, 7.0, 7.1, 7.2, 7.3
        Vulnerability Type:     remote privilege escalation
        Severity (1-10):        8
        SuSE default package:   yes
        Other affected systems: Most Linux systems

    Content of this advisory:
        1) security vulnerability resolved: glibc/shlibs
           problem description, discussion, solution and upgrade
 information 2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)


1)  problem description, brief discussion, solution, upgrade

    This security announcement obsoletes SuSE-SA:2001:001 about glibc

    The file globbing (matching filenames against patterns such as
 "*.bak") routines in the glibc exhibits an error that results in a
 heap corruption and that may allow a remote attacker to execute
 arbitrary commands from processes that take globbing strings from
 user input.
    Tom Parker, Global InterSec LLC, addressed SuSE Security and
 illustrated an attack scenario against the BSD-derived ftp daemon
 that is installed as /usr/sbin/in.ftpd in SuSE Linux distributions.
 The said in.ftpd should not be confused with the Washington
 University ftp daemon (wu-ftpd) that comes installed as
 /usr/sbin/wu.ftpd in SuSE Linux and uses its own globbing functions.

    Since the attack against in.ftpd is based on a heap corruption in
 glibc, the proper solution for the error is to exchange the
 responsible code in the glibc globbing functions. It should be
 expected that other network service daemons that accept
 user-supplied globbing strings such as rsyncd can be exploited with
 this glibc globbing error. There is no satisfactory workaround
 against the problem other than updating the glibc libraries with a
 fixed version. We provide update packages for this purpose.

    Users of the SuSE Linux 6.3 distribution should upgrade their
 systems to a newer product since security update support for SuSE
 Linux 6.3 has been discontinued two years after the release.

    Notes, Special installation instructions:

      * If you use YOU (Yast2 Online Update), the necessary update
 packages will be selected automatically. Please consider reading the
 PRECAUTIONS and the AFTERCARE paragraph below. A standalone desktop
 installation should not face any problems with the update as long as
 the system is not loaded during the update process.

      * The glibc package consists of one source RPM package and
 multiple binary RPM (sub-) packages. In order to resolve the errors
 in the globbing functions, the source RPM package as well as the
 documentation subpackages do not need to be installed. In fact, you
 only need to install the updates for packages that you have
 installed already on your system.
        The different subpackages contain:
         ++ shared libraries
          + static libraries and header files
          + profiling and debugging versions of glibc
          - timezone description files (package timezone)
          - internationalization files (i18n)
          - two documentation packages
        The packages marked with "+" are necessary to update if they
 are installed on your system. The source RPM does not need to be
 installed unless you want to compile your own glibc binaries.

      * The names of both the source RPM as well as the binary RPM
 (sub-) packages have changed between different SuSE Linux
 distributions. Overview:
        dist    | source-RPM | shared libs | static libs,header|
--- 6.4,7.0     libc        shlibs          libc             libd
 7.1,7.2,7.3 glibc       glibc           glibc-devel     

        Find out which of the four packages are installed on your
 system according to the package names in the table. Use the command
 rpm -q name_of_package
        to query the package database for each name.
        If you have your package list, download the packages that you
 need from the URLs as listed below. Verify their integrity and
 authenticity following the guidelines as described in section 3) of
 this security announcement.

        The shared libraries package of the glibc is the most
 sensitive part of a running Linux system, and modifications to it
 should be handled with special care. During the update of the
 shlibs/glibc package, runtime-linking the shared libraries is likely
 to fail for processes that execute a new binary with the execve(2)
 system call. Therefore, we recommend to bring a system to single
 user mode ("init S") to perform the package update. If this is not
 applicable for operational reasons, a system receiving the update
 should be kept as quiet as possible (no shell scripts of any kind,
 no cron jobs, no incoming email).

      * Update the shared libraries package first using the command
            rpm -Uhv <name-of-package.rpm>
        The execution of this command must not be interrupted!
        Then use the same command ("rpm -Uhv ...") to update the
 other packages. The update of these packages is not critical.

        After performing the update, you should run the following
 command on your system:
        ldconfig will rebuild the runtime linker cache. If you use
 YOU (Yast2 Online Update), the ldconfig command will be executed
 automatically at the end of the update.

        The shared libraries that were installed on the system before
 the update have been removed from the filesystem, but they are still
 in use by the running applications. Therefore, the diskspace as well
 as the memory will not be freed until the last process that uses
 these files exits. We recommend to reboot the system to workaround
 this problem.

    i386 Intel Platform:

    SuSE-7.3 ab4f2c0a14df2fc904a77e3093ab64c1 30fecdf4a05cdbb563f89544d83d3832 170136831b255f9fb4f7626bb0db118c
    source rpm: 0e9042c4513fdab17574fcfa00d85a49

    SuSE-7.2 7f6986a143c394217e8c25d7a337213b ec20c83a27d82909bf244260ce7a5918 39663b28aa3460b3496543f1fc38bbb8
    source rpm: cdb94c3f69df860a331fcd767464d958

 bfe1b48b0f74b8ebe4887de7f433581d 84e3b7aef3d13dda8e938a2d0be2a6a8 b4260429e50687c3ec45c330f565aa3d
    source rpm:

    SuSE-7.0 c5e373b55d91ce4611548cace59015f1 94e0ef7bcb2b1d12e35b2ecf4106e2a3 27b725ec3b2f47609222dabe34798d6e
    source rpm: be466007d22952ae08809e4a13cf7f74

    SuSE-6.4 9539d8a62365de6007fc6644ad41cfa6 526f3261e684ecc94f7a3e5447cb47fa ac0d6067cff50b0b63ca3905a1c5728f
    source rpm: 0a0332bac56a42898b6e38caeaf8898b

    Sparc Platform:

    SuSE-7.3 ec7a28d3ecd776b855f658bfb5c5c906 c1b948813f902d357733bc05a844c991 5c97f462e33a4d95ba740b82f57dde0c
    source rpm: 1346299f187ceeaef241dbf45ff49f51

    SuSE-7.1 7562d1fce096b8b28205f1d35d7c127a 49930f964d3e0269a1cd8d94c1989bc0 0f5e8c3b667e0809213b3f54f1e50b13
    source rpm: c836663dd27b4ff476a12b1a8c0c9f90

    SuSE-7.0 f2af7ef92554c60bd5a872de208d8b6f 7bdb705c7ebd03f4adce09a6809892c2 2b3306cb460f478db3429e23f823b995
    source rpm: a64566e9fd63300019cfeef8f29f4818

    AXP Alpha Platform:

 6c859b49dfd1bfcb6a3c641b684d043b 650adc9694f047966d66ced86a4242b6 c6b9e63c4cbfeb4319259ef69588d8ed
    source rpm:

    SuSE-7.0 28e5a26227efba257f0c5aa81ecff74f 64ccdf133939fca4f47082c5092b348f 471b1a63ebdfcc9df3cf71423ac51b78
    source rpm: 08e3ef5b96cdd2a647bfd4db7a2cb55f

    SuSE-6.4 798f75dbfb95b6917f79ed26c48de2fe 0851f8afd4cf6316263128f406af1df3 95b0e06e0328d3a4422b9139c5955cc5
    source rpm: d52cf0e58f6f8f9ef0749b2c0fca534a

    PPC Power PC Platform:

    The update packages are delayed and are currently being built.
 They will be available shortly at the same locations as the 7.1
 packages, with the 7.3 path segment, respectively.

 298ad3b4eaf87f3656e096d5eb4f4a4d 6f31f5f7b055485f65e7c81ebf8f9d64 26d70564073e77a610562acf5ae27f1f
    source rpm:

    SuSE-7.0 472cb2d66abdfb2a523ba57e15613f04
    source rpm: b7b73eeb4c091302fff48284f6894d9b

    The update packages are delayed and are currently being built.
 They will be available shortly at the same locations as the 7.0
 packages, with the 6.4 path segment, respectively.


2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - /bin/login vulnerabilities
    A buffer overflow vulnerability has been reported for System V
 derived implementations of the login program while it copies
 environment variables from the login prompt to the user's future
 environment. SuSE Linux distributions are unaffected by this
 problem. The login programs in SuSE Linux distributions before and
 including SuSE Linux 6.1 contain the environment copying feature.
 Versions shipped after (and including) SuSE Linux 6.2 use PAM
 (Pluggable Authentication Module) routines for logini- and password
 prompting. The PAM routines do not support environment passing.


3)  standard appendix: authenticity verification, additional

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all
 over the world. While this service is being considered valuable and
 important to the free and open source software community, many users
 wish to be sure about the origin of the package and its content
 before installing the package. There are two verification methods
 that can be used independently from each other to prove the
 authenticity of a downloaded file or rpm package:
    1) md5sums as provided in the (cryptographically signed)
 announcement. 2) using the internal gpg signatures of the rpm

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SuSE ftp server or its
 mirrors. Then, compare the resulting md5sum with the one that is
 listed in the announcement. Since the announcement containing the
 checksums is cryptographically signed (usually using the key, the checksums show proof of the authenticity of
 the package. We disrecommend to subscribe to security lists which
 cause the email message containing the announcement to be modified
 so that the signature does not match after transport through the
 mailing list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being
 rebuilt and a new version of a package is published on the ftp
 server, all md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the
 authenticity of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is
 the filename of the rpm package that you have downloaded. Of course,
 package authenticity verification can only target an uninstalled rpm
 package file.
        a) gpg is installed
        b) The package is signed using a certain key. The public part
 of this key must be installed by the gpg program in the directory
 ~/.gnupg/ under the user's home directory who performs the signature
 verification (usually root). You can import the key that is used by
 SuSE in rpm packages for SuSE Linux by saving this announcement to a
 file ("announcement.txt") and running the command (do "su -" to be
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter
 install the key "" upon installation or upgrade,
 provided that the package gpg is installed. The file containing the
 public key is placed at the toplevel directory of the first CD
 (pubring.gpg) and at .

  - SuSE runs two security mailing lists to which any interested
 party may subscribe:
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
        -   SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to

    For general information or the frequently asked questions (faq)
    send mail to:
        <> or
        <> respectively.

= SuSE's security contact is <> or
 <>. The <> public key is listed

    The information in this advisory may be distributed or
 reproduced, provided that the advisory is not modified in any way.
 In particular, it is desired that the cleartext signature shows
 proof of the authenticity of the text.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see