______________________________________________________________________________
                Caldera Systems, Inc.  Security Advisory

Subject:                rmail problem in smail
Advisory number:        CSSA-1999:001.0
Issue date:             1999 Jan 29
Cross reference:
______________________________________________________________________________


1. Problem Description

   There was a problem with smail's -D option, which names the debug
   file to use. If the attacking user submits a UUCP job containing the
   following rmail invocation:

        rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp

   where \n is a newline and hostname and user specify the attacking
   host and user, respectively, smail will happily append the following
   to uucp's .rhosts file:

        rmail: Debugging started: pid=25919
        write_log:Received FROM:uucp HOST:joe
        hostname user
         PROGRAM:rmail SIZE:99
        ... some more lines ...

   All the attacker now has to do is rsh into the target host and try
   to exploit the uucp account (e.g. by replacing the uux binary).

   Note that this hole is also exploitable locally; all you have to do
   is call 'uux rmail ....' to make it work.

2. Vulnerable Versions

   Systems:  OpenLinux 1.0, 1.1, 1.2, 1.3.
   Packages: <= smail-3.2-4.i386.rpm

3. Solutions

   The proper solution is to upgrade to the smail-3.2-5 packages.

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

        ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/RPMS

   The corresponding source code package can be found at:

        ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/SRPMS

5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

        rpm -q smail && rpm -U smail-3.2-5.i386.rpm
        rpm -q smail-doc && rpm -U smail-doc-3.2-5.i386.rpm

6. Verification

   The MD5 checksums (from the "md5sum" command) for these packages are:

        f154a6fee3df040f0ef579e164f14e6a  RPMS/smail-3.2-5.i386.rpm
        0a16589706333ee7cc5dcd14681f137b  RPMS/smail-doc-3.2-5.i386.rpm
        ac3b1c65c3769bf09d802dae4b69891e  SRPMS/smail-3.2-5.src.rpm

7. References

   This and other Caldera security resources are located at:

        http://www.calderasystems.com/news/security/index.html

   This security fix closes Caldera's internal Problem Report 1550.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
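Added example, not part of Caldera's advisory: a shell check for the debug-log residue described in section 1. It flags smail debug lines in an rhosts file and lists every remaining entry for review, because the injected "hostname user" line is indistinguishable from a legitimate one. The function names and the sample host and user are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): look for smail debug-log residue in
# an rhosts file. The marker strings are the ones quoted in the advisory.

# scan_rhosts FILE
# Prints one finding per line; returns 1 if debug residue is present, else 0.
scan_rhosts() {
    [ -f "$1" ] || return 0          # no file, nothing to report
    awk '
        BEGIN { bad = 0 }
        # Lines smail writes when -D points at this file.
        /^rmail: Debugging started/ || /^write_log:/ {
            printf "%d: smail debug output: %s\n", NR, $0; bad = 1; next
        }
        /^[ \t]*(#|$)/ { next }      # comments and blank lines
        # rhosts entries are "host" or "host user"; anything longer is junk.
        NF > 2 { printf "%d: not an rhosts entry: %s\n", NR, $0; next }
        # Well-formed entries are listed for review: an injected line looks
        # exactly like a legitimate one.
        { printf "%d: trust entry: %s\n", NR, $0 }
        END { exit bad }
    ' "$1"
}

# write_sample FILE
# Constructed sample shaped like the advisory's description, with placeholder
# host and user names (assumptions, not real indicators).
write_sample() {
    cat > "$1" <<'EOF'
rmail: Debugging started: pid=25919
write_log:Received FROM:uucp HOST:joe
attacker.example.invalid someuser
 PROGRAM:rmail SIZE:99
EOF
}

# Scan any files named on the command line, e.g. /usr/lib/uucp/.rhosts
for f in "$@"; do
    scan_rhosts "$f" || echo "$f: contains smail debug output"
done
```

A file that trips the check should be treated as tampered as a whole, not cleaned line by line.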