----- Original Message -----
From: "Sebastian Krahmer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 14, 2002 5:59 PM
Subject: [suse-security-announce] SuSE Security Announcement: sudo (SuSE-SA:2002:002)
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ______________________________________________________________________________
>
>                         SuSE Security Announcement
>
>         Package:                 sudo
>         Announcement-ID:         SuSE-SA:2002:002
>         Date:                    Mon Jan 14 13:00:00 CET 2002
>         Affected SuSE versions:  7.0, 7.1, 7.2, 7.3
>         Vulnerability Type:      local privilege escalation
>         Severity (1-10):         5
>         SuSE default package:    yes
>         Other affected systems:  all recent sudo installations
>
>     Content of this advisory:
>         1) security vulnerability resolved: Sendmail invocation as root.
>            problem description, discussion, solution and upgrade information
>         2) pending vulnerabilities, solutions, workarounds
>         3) standard appendix (further information)
>
> ______________________________________________________________________________
>
> 1) problem description, brief discussion, solution, upgrade information
>
> The SuSE Security Team discovered a bug in the sudo program, which is
> installed setuid to root. Attackers may trick "sudo" into logging failed
> sudo invocations by executing the sendmail program with root privileges
> and a not completely cleaned environment.
> Depending on the installed mail package this may enable attackers to
> execute code as root. This is the case for at least the postfix mailer.
> Other mailers may be exploited in a similar way.
> This bug has been fixed by having "sudo" invoke the sendmail command with
> user privileges instead.
> Please update your sudo package regardless of the mail packages you are
> using. As a temporary workaround you may remove the s-bit from sudo with
> the "chmod -s `which sudo`" command, which will disable the sudo
> functionality.
>
> Please download the update package for your distribution and verify its
> integrity by the methods listed in section 3) of this announcement.
> Then, install the package using the command "rpm -Fhv file.rpm" to apply
> the update.
>
> i386 Intel Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/ap1/sudo-1.6.3p7-71.i386.rpm
> b98f00f761274530bfad3486253bed53
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sudo-1.6.3p7-71.src.rpm
> d046509163e1fc6d4143a8db1c2283d2
>
> SuSE-7.2
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/ap1/sudo-1.6.3p6-86.i386.rpm
> ee01b7b2ba2e73376eb3c358ccb5b768
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sudo-1.6.3p6-86.src.rpm
> e8cbaa81d9a806169f0c235ed6bc5d6a
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-85.i386.rpm
> 7ba4ae9fb72348e0d1909c9ea79be5e0
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sudo-1.6.3p6-85.src.rpm
> a10b4ecae46aaff271f59c7dd726d8d0
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/sudo-1.6.3p6-85.i386.rpm
> 345a8e541b66d5016b939560a525d47c
> source rpm:
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sudo-1.6.3p6-85.src.rpm
> 58afdb9b1e6c9e19440ee4047fff1105
>
>
> Sparc Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/ap1/sudo-1.6.3p7-26.sparc.rpm
> 94139dd96c9be67d4e41d38abee95434
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sudo-1.6.3p7-26.src.rpm
> b5f16c705cdcf85754037296b8847b20
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/ap1/sudo-1.6.3p6-32.sparc.rpm
> 915313678145418569c54332760f989a
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sudo-1.6.3p6-32.src.rpm
> 2fd809a5f53992aa23c732d9466e274a
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/sudo-1.6.3p6-33.sparc.rpm
> 0c1dce308b37b31ea943369ba23e3dab
> source rpm:
> ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sudo-1.6.3p6-33.src.rpm
> da4786d3e8798e6c31d4eea338e9cd93
>
>
> AXP Alpha Platform:
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/ap1/sudo-1.6.3p6-36.alpha.rpm
> eb020b7e212e0d9cb85578a1b49e3529
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sudo-1.6.3p6-36.src.rpm
> fb2652e480282dfecbbb7e6db8ec7bec
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/axp/update/7.0/ap1/sudo-1.6.3p6-37.alpha.rpm
> 35b6ea7ebac976d8b65f9f09b574e107
> source rpm:
> ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/sudo-1.6.3p6-37.src.rpm
> 0ac6c3001d727f3774a57cc76eb7d4c1
>
>
> Power PC Platform:
>
> SuSE-7.3
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/ap1/sudo-1.6.3p7-51.ppc.rpm
> 3ff70447a81e3f4c88b44af2445d4f6d
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sudo-1.6.3p7-51.src.rpm
> f71b62019ea2f49e0202f74033f07496
>
> SuSE-7.1
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/ap1/sudo-1.6.3p6-42.ppc.rpm
> 3bef306a5a8b782fdda0bdd77758b290
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sudo-1.6.3p6-42.src.rpm
> d9475c12754ae3c87cac72484dc90bbc
>
> SuSE-7.0
> ftp://ftp.suse.com/pub/suse/ppc/update/7.0/ap1/sudo-1.6.3p6-41.ppc.rpm
> 54d98aa831bab75529731d0789f01cbd
> source rpm:
> ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sudo-1.6.3p6-41.src.rpm
> c61d3c629eefaf0eb041a630414d6580
>
>
> ______________________________________________________________________________
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> - stunnel
> A format string error in the stunnel ssl wrapper was reported on
> bugtraq in December 2001. SuSE Linux 7.2 and 7.3 as well as SLES7
> contain the stunnel package in Version 3.14, which should be
> vulnerable to the format string bug according to the reports on
> bugtraq. However, the responsible portion of code does not expose the
> format string problem with calls to fdprintf(). Therefore, SuSE
> stunnel packages are not vulnerable to the security problem.
>
> - thttpd
> The thttpd daemon contained several off-by-one overflows. Due to the internal
> organization of the variables affected by these overflows, they do not seem
> exploitable. However, these bugs have been fixed.
> Please update to
> the newest thttpd packages.
>
> - pine
> The popular mail client "pine" was found vulnerable to an attack where
> shell metacharacters inside a URL could be used to execute arbitrary
> commands if pine passes the URL to an external viewer on the
> command line. The pine packages on SuSE products are not vulnerable to
> this weakness because they contain a patch that works around this
> problem, since it is not new.
>
>
> ______________________________________________________________________________
>
> 3) standard appendix: authenticity verification, additional information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all over
> the world. While this service is considered valuable and important
> to the free and open source software community, many users wish to be
> sure about the origin of the package and its content before installing
> the package. There are two verification methods that can be used
> independently of each other to prove the authenticity of a downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed) announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its mirrors.
> Then, compare the resulting md5sum with the one that is listed in the
> announcement. Since the announcement containing the checksums is
> cryptographically signed (usually using the key [EMAIL PROTECTED]),
> the checksums show proof of the authenticity of the package.
> We recommend against subscribing to security lists which cause the
> email message containing the announcement to be modified so that
> the signature does not match after transport through the mailing
> list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place.
> If RPM packages are being rebuilt
> and a new version of a package is published on the ftp server, all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the authenticity
> of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of course,
> package authenticity verification can only target an uninstalled rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part of this
> key must be installed by the gpg program in the directory
> ~/.gnupg/ under the home directory of the user who performs the
> signature verification (usually root). You can import the key
> that is used by SuSE in rpm packages for SuSE Linux by saving
> this announcement to a file ("announcement.txt") and
> running the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install the
> key "[EMAIL PROTECTED]" upon installation or upgrade, provided that
> the package gpg is installed. The file containing the public key
> is placed at the toplevel directory of the first CD (pubring.gpg)
> and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
>
> - SuSE runs two security mailing lists to which any interested party may
> subscribe:
>
> [EMAIL PROTECTED]
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <[EMAIL PROTECTED]>.
>
> [EMAIL PROTECTED]
> - SuSE's announce-only mailing list.
> Only SuSE's security announcements are sent to this list.
> To subscribe, send an email to
> <[EMAIL PROTECTED]>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <[EMAIL PROTECTED]> or
> <[EMAIL PROTECTED]> respectively.
>
> =====================================================================
> SuSE's security contact is <[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>.
> The <[EMAIL PROTECTED]> public key is listed below.
> =====================================================================
> ______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In particular,
> it is desired that the cleartext signature shows proof of the
> authenticity of the text.
> SuSE GmbH makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID     Date       User ID
> pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <[EMAIL PROTECTED]>
> pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <[EMAIL PROTECTED]>
>
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ [EMAIL PROTECTED] - SuSE Security Team
> ~
