---

SuSE Security Announcement: ypbind/ypclient

Date: Wed, 18 Oct 2000 19:22:36 +0200 (MEST)
From: Roman Drahtmueller draht@suse.de
To: suse-security-announce@suse.de
Subject: [suse-security-announce] SuSE Security Announcement:
ypbind/ypclient (SuSE-SA:2000:042)


                        SuSE Security Announcement

        Package:                ypbind/ypclient
        Announcement-ID:        SuSE-SA:2000:042
        Date:                   Wednesday, October 18th, 2000 19:15 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     possible remote root compromise
        Severity (1-10):        8
        SuSE default package:   yes (starting with SuSE-6.4)
        Other affected systems: Linux systems using this NIS implementation

    Content of this advisory:
        1) security vulnerability resolved: ypbind/ypclient
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade
information

Security problems have been found in the client code of the NIS
(Network Information System, aka yp – yellow pages) subsystem. SuSE
distributions before SuSE-6.1 came with the original ypbind
program, SuSE-6.2 and later included the ypbind-mt NIS client
implementation. ypbind-3.3 (the earlier version) has a format
string parsing bug if it is run in debug mode, and (discovered by
Olaf Kirch) leaks file descriptors under certain circumstances
which can lead to a DoS. In addition, ypbind-3.3 may suffer from
buffer overflows.

ypbind-mt, the software shipped with SuSE distributions starting
with SuSE-6.2, suffers from a single format string parsing bug.
Some of these bugs could allow remote attackers to execute
arbitrary code as root.

During code audit and testing it turned out that the ypbind-3.x
software in the SuSE-6.1 distribution and earlier needs a major
overhaul to make it work both reliably and securely with respect to
errors in the code. Basically, this is what happened when Thorsten
Kukuk wrote ypbind-mt from scratch in 1998. For the same reason, we
are currently unable to produce a working security update package
which fixes the known and yet unknown (there may be more) problems
in the ypclient packages in the SuSE-6.1 distribution and
older.

The only efficient workaround for the SuSE-6.1 distribution and
older against these bugs for an untrusted, hostile environment is
to upgrade to a new distribution base (SuSE-7.0 is recommended) and
use the ypclient update packages for this distribution.

As of today, there is no exploit known to exist in the wild.

For SuSE-6.2 and later distributions we provide update packages
as listed below. We recommend downloading and installing these
packages on systems that are NIS/yp clients.

Please note that the sources for the ypclient package are
contained within the ypserv source rpm.

Download the update package from locations described below and
install the package with the command `rpm -Uhv file.rpm'. The
md5sum for each file is in the line below. You can verify the
integrity of the rpm files using the command `rpm --checksig
--nogpg file.rpm', independently from the md5 signatures below.

i386 Intel Platform:

SuSE-7.0

ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/ypclient-3.5-89.i386.rpm

76e4e7f60791db16c5e36fb5dbf60b65
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/ypserv-1.3.11-89.src.rpm

e2b1dccaec003f54e4ebbdef84d99a10

SuSE-6.4

ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/ypclient-3.4-95.i386.rpm

e485ea27264fb9c4f890cdf7605ffa30
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/ypserv-1.3.11-95.src.rpm

c61c6df2ba1fef2369406b2dcbcd25f1

SuSE-6.3

ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/ypclient-3.4-95.i386.rpm

c1a10cc0a3f72242b136be921f9ae0c1
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/ypserv-1.3.11-95.src.rpm

6f47a880d5e7175dc2b5ff0116d7de4d

SuSE-6.2

ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypclient-3.4-95.i386.rpm

9050e63cb9f7fac4997968760292a6f1
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/ypserv-1.3.11-95.src.rpm

7ecfaffd8cdb68f73adfd1d6fd27ed39

SuSE-6.1 and older:
Please see the problem description above.

Sparc Platform:

SuSE-7.0

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/ypclient-3.5-89.sparc.rpm

1a38d25c8647f010e2a9879f28de4adf
source rpm:

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/ypserv-1.3.11-89.src.rpm

6ba9200e49210f98ca845107b034b981

AXP Alpha Platform:

SuSE-6.4

ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/ypclient-3.4-95.alpha.rpm

6aea95ca27245eb3df72da7596af3321
source rpm:

ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/ypserv-1.3.11-95.src.rpm

a4bf635b9ee4bdefc29b7e6e1cf0cf41

SuSE-6.3

ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/ypclient-3.4-95.alpha.rpm

b68f8690b7dc554ac9098c83f9c633cd
source rpm:

ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/ypserv-1.3.11-95.src.rpm

ef0a026d078847d0958118bbbc46b99e

PPC Power PC Platform:

SuSE-6.4

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/ypclient-3.4-95.ppc.rpm

26080b1443a3daa1de64c876ae36e6f2
source rpm:

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/ypserv-1.3.11-95.src.rpm

4f0904d73c98c8b9737d5ac34b7a4dd5


2) Pending vulnerabilities in SuSE Distributions and
Workarounds:

Another security announcement is following this advisory.


3) standard appendix:

SuSE runs two security mailing lists to which any interested
party may subscribe:

suse-security@suse.com
– general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to suse-security-subscribe@suse.com.

suse-security-announce@suse.com

– SuSE’s announce-only mailing list.
Only SuSE’s security announcements are sent to this list. To
subscribe, send an email to suse-security-announce-subscribe@suse.com.

For general information or the frequently asked questions (faq)
send mail to:
suse-security-info@suse.com
or
suse-security-faq@suse.com
respectively.


SuSE’s security contact is security@suse.com.


Regards,
Roman Drahtmüller.
– – —

 -                                                                      -
| Roman Drahtmüller        draht@suse.de //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
