---

Red Hat Security Advisory: Buffer overflow problem in the inews program

“inews is a program used to inject new postings into the news
system. It is used by many news reading programs and scripts. The
default installation is with inews setgid to the news group and
world executable. It’s possible that exploiting the buffer overflow
could give the attacker news group privileges, which could possibly
be extended to root access.”

Red Hat Security Advisory

Package: inews
Synopsis: Buffer overflow problem in the inews program
Advisory ID: RHSA-1999:033-01
Issue Date: 1999-09-01
Updated on:
Keywords: inn inews buffer overflow


1. Topic:
New packages for INN are available for all Red Hat Linux platforms.
This version of the package fixes a buffer overrun problem
discovered in the inews program, which is part of the INN
distribution. No active exploits of the problem have been found so
far.

2. Bug IDs fixed:
N/A

3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures

4. Obsoleted by:
None

5. Conflicts with:
None

6. RPMs required:

Intel:

ftp://updates.redhat.com/6.0/i386/

inn-2.2.1-1.i386.rpm
inn-devel-2.2.1-1.i386.rpm

Alpha:

ftp://updates.redhat.com/6.0/alpha

inn-2.2.1-1.alpha.rpm
inn-devel-2.2.1-1.alpha.rpm

SPARC:

ftp://updates.redhat.com/6.0/sparc

inn-2.2.1-1.sparc.rpm
inn-devel-2.2.1-1.sparc.rpm

Source:

ftp://updates.redhat.com/6.0/SRPMS

inn-2.2.1-1.src.rpm

Architecture neutral:

ftp://updates.redhat.com/6.0/noarch/

7. Problem description:
INN versions 2.2 and earlier have a buffer overflow-related
security condition in the inews program.

inews is a program used to inject new postings into the news
system. It is used by many news reading programs and scripts. The
default installation is with inews setgid to the news group and
world executable. It’s possible that exploiting the buffer overflow
could give the attacker news group privileges, which could possibly
be extended to root access.

Note that this chain of elevation of privileges is theoretical
rather than actual; the ability of an attacker to do this indicates
bugs in other portions of INN. However, given the degree to which
INN trusts the news user and news group, it’s not unlikely that
such bugs exist.

No case of this being exploited has been shown yet.

If you run a news server with no local readers (i.e. all your
clients are remote) then you can remove the setgid-bit on
inews.

chmod 0550 inews

The rnews program, used to feed news via uucp, is setuid to the
uucp user. No buffer overflow problems have been found in rnews,
but if you don’t run uucp on your machine, then we recommend
disabling the setuid bit on rnews:

chown news rnews chgrp news rnews chmod 0550 rnews

Red Hat Linux releases 4.2 and 5.2 shipped with a version of INN
that is no longer being maintained. We have back-ported the latest
2.2.1 INN version to those older Red Hat Linux releases. The new
package will not be an exact drop in for the older packages, so it
is advisable to save you config files first before starting the
migration to the new code base. Alternatively you can implement
some of the solutions described above if you do not want to update
to a new version of INN.

Also, on Red Hat Linux 4.2 inn will require a new package named
cleanfeed that is also shipped as part of this advisory.

Thanks go to the members of the BUGTRAQ mailing list for
bringing this issue to our attention.

8. Solution:
For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

9. Verification:

   MD5 sum                           Package Name

  71dfbbfaddc1596f1e6357562691e3e5  i386/inn-2.2.1-1.i386.rpm
  2201608f6d72d96041998349b401061c  i386/inn-devel-2.2.1-1.i386.rpm
  5dad0596a6db0beace1441484229cb35  alpha/inn-2.2.1-1.alpha.rpm
  fbc0789c46f953dffdd3503551f2a293  alpha/inn-devel-2.2.1-1.alpha.rpm
  b8d18a074b1e703e386a9b514e099653  sparc/inn-2.2.1-1.sparc.rpm
  b539e8f684279b4e607d475d5225844d  sparc/inn-devel-2.2.1-1.sparc.rpm
  7c58191dc271e462e59e97e58735e52f  SRPMS/inn-2.2.1-1.src.rpm

These packages are also PGP signed by Red Hat Inc. for security.
Our key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm –checksig filename

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:

rpm –checksig –nopgp filename

10. References: