
Red Hat Security Advisory: Buffer overflow in mars_nwe

Buffer overflows are present in the mars_nwe package. Since the
code that contains these overflows is run as root, a local root
compromise is possible if users create carefully designed
directories and/or bindery objects.


Red Hat, Inc. Security Advisory

Synopsis: Buffer overflow in mars_nwe
Advisory ID: RHSA-1999:037-01
Issue date: 1999-09-13
Updated on:
Keywords: mars_nwe buffer
Cross references:


1. Topic:

There are several buffer overruns in the mars_nwe package.

2. Bug IDs fixed (http://developer.redhat.com/bugzilla for more
info):

5002

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures
Red Hat Linux 4.2, 5.2 Intel (mars_nwe was not built for Alpha
and Sparc in previous versions of Red Hat Linux.)

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 4.2:

Intel:

ftp://updates.redhat.com//4.2/i386/mars-nwe-0.99pl17-0.4.2.i386.rpm

Source packages:

ftp://updates.redhat.com//4.2/SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm

Red Hat Linux 5.2:

Intel:

ftp://updates.redhat.com//5.2/i386/mars-nwe-0.99pl17-0.5.2.i386.rpm

Source packages:

ftp://updates.redhat.com//5.2/SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm

Red Hat Linux 6.0:

Intel:

ftp://updates.redhat.com//6.0/i386/mars-nwe-0.99pl17-4.i386.rpm

Alpha:

ftp://updates.redhat.com//6.0/alpha/mars-nwe-0.99pl17-4.alpha.rpm

Sparc:

ftp://updates.redhat.com//6.0/sparc/mars-nwe-0.99pl17-4.sparc.rpm

Source packages:

ftp://updates.redhat.com//6.0/SRPMS/mars-nwe-0.99pl17-4.src.rpm

7. Problem description:

Buffer overflows are present in the mars_nwe package. Since the
code that contains these overflows is run as root, a local root
compromise is possible if users create carefully designed
directories and/or bindery objects.

A sample exploit has been made available.

Thanks go to Przemyslaw Frasunek ([email protected]) and
Babcia Padlina Ltd. for noting the problem and providing a
patch.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
350882fd246344891f04d7419561eb8f  i386/mars-nwe-0.99pl17-0.4.2.i386.rpm
99134c2f507c906483320b9748b6334c  SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm

2dd6f7cf55f8ed68ba40b9d98a91adaf  i386/mars-nwe-0.99pl17-0.5.2.i386.rpm
e3d918c4e52ef051d169d7380e4d8cfe  SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm

adbd809d9de3d22fed637bcf56ede66f  i386/mars-nwe-0.99pl17-4.i386.rpm
729f888a3c1ebb87bcf04c204bf7b9dc  alpha/mars-nwe-0.99pl17-4.alpha.rpm
bf73f67c225c2edce4d7ee52b5796803  sparc/mars-nwe-0.99pl17-4.sparc.rpm
b9c61129b2e04d25c48863ededc35568  SRPMS/mars-nwe-0.99pl17-4.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our
key is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:

rpm --checksig --nopgp <filename>
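
The md5sum comparison above can also be run against the verification table directly. The following is an added example, not part of the Red Hat advisory: it parses the "MD5 sum / Package Name" rows and classifies each downloaded .rpm. The function names and the demo file are assumptions made for illustration; the PGP signature check is still done with rpm --checksig.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One row of the advisory's verification table: 32 hex digits, whitespace,
# then a relative path such as i386/<name>.rpm. Header and rule lines do not match.
ROW = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+\.rpm)$")

def parse_verification_table(advisory_text):
    """Return {package file name: expected md5} from the advisory text."""
    expected = {}
    for line in advisory_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            digest, path = m.groups()
            # The table lists "i386/name.rpm"; key on the file name only.
            expected[path.rsplit("/", 1)[-1]] = digest.lower()
    return expected

def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_downloads(advisory_text, download_dir):
    """Map each package name to OK, MISMATCH, UNLISTED or MISSING."""
    expected = parse_verification_table(advisory_text)
    results = {}
    for rpm in sorted(Path(download_dir).glob("*.rpm")):
        want = expected.get(rpm.name)
        if want is None:
            results[rpm.name] = "UNLISTED"  # not named in the advisory
        else:
            results[rpm.name] = "OK" if md5_of(rpm) == want else "MISMATCH"
    for name in expected:
        results.setdefault(name, "MISSING")  # listed but not downloaded
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in file and table row, not a real Red Hat package.
        data = b"constructed sample"
        (Path(d) / "demo-1.0.i386.rpm").write_bytes(data)
        table = hashlib.md5(data).hexdigest() + "  i386/demo-1.0.i386.rpm\n"
        print(check_downloads(table, d))
```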

10. References:

Bugtraq ID: 617