-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                local ROOT exploit in BRU
Advisory number:        CSSA-2000-018.0
Issue date:             2000 June, 14
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a serious vulnerability in the command-line option and
   logfile handling of the BRU Backup Utility which can be exploited
   by a local attacker to gain root access to the machine.

   We ship BRU on the commercial software CD-ROM of our OpenLinux
   product line, but it is not installed by default.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        up to BRU-15.1P-4

   OpenLinux eServer 2.3        not included
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       up to BRU-15.1D-8


3. Solution

   Workaround:

   If you do not need BRU, issue as root:

        rpm -e BRU

   Otherwise remove the suid-root bit by issuing as root:

        chmod u-s /bru/bru /bin/bru

   If you want to use BRU as a normal user, you have to point the
   'BRUEXECLOG' environment variable to a file writeable by the user,
   for example:

   bash/sh:
        BRUEXECLOG=~/.brulog
        export BRUEXECLOG

   tcsh/csh:
        setenv BRUEXECLOG ~/.brulog

   Also ignore the warning

        bru: [W171] warning - BRU must be owned by root and have suid bit set

   on further BRU calls.


4. OpenLinux Desktop 2.3

   See workaround above


5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   not included


6. OpenLinux eDesktop 2.4

   See workaround above


7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html


8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.


9. Acknowledgements

   Caldera Systems wishes to thank the Network Security department of
   Speakeasy Networks for discovering and reporting the bug, and
   Enhanced Software Technologies, Inc. for suggesting the workaround.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5R3Fl18sy83A/qfwRArQvAJ4kXFmdyA+bAEeaOkYmsfsJkhNpxACfYYxP
/TBrKh4Lxxpb/Pe9Z/pMMnw=
=K8/3
-----END PGP SIGNATURE-----
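
A check that the workaround from section 3 is in place, as an added example (not part of the Caldera advisory and not BRU's own tooling): it tests the two paths named in the advisory for a remaining setuid bit and confirms that BRUEXECLOG points at a log the current user can write. The function names, the BRU_PATHS override and the --report switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the CSSA-2000-018.0 workaround on one host.
# Paths are the two named in the advisory; BRU_PATHS may override them (assumption).
BRU_PATHS="${BRU_PATHS:-/bru/bru /bin/bru}"

# Print every BRU binary that still has the setuid bit; return 1 if any do.
bru_suid_remaining() {
    found=0
    for f in $BRU_PATHS; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "$f"
            found=1
        fi
    done
    return "$found"
}

# Return 0 if BRUEXECLOG names a regular file the current user can write,
# or a not-yet-existing file in a directory the user can write.
bru_execlog_ok() {
    log="${BRUEXECLOG:-}"
    if [ -z "$log" ]; then
        echo "BRUEXECLOG is not set" >&2
        return 1
    fi
    if [ -e "$log" ]; then
        [ -f "$log" ] && [ -w "$log" ] && return 0
    else
        [ -w "$(dirname "$log")" ] && return 0
    fi
    echo "BRUEXECLOG=$log is not writable by $(id -un)" >&2
    return 1
}

# Run both checks and summarise; non-zero status means the workaround is incomplete.
bru_workaround_report() {
    status=0
    if left=$(bru_suid_remaining); then
        echo "OK: no setuid bit on: $BRU_PATHS"
    else
        echo "FAIL: still setuid, run chmod u-s on: $left"
        status=1
    fi
    bru_execlog_ok || status=1
    return "$status"
}

# Only report when asked, so the file can also be sourced for its functions.
[ "${1:-}" != "--report" ] || bru_workaround_report
```

Run it with --report as the user who will invoke BRU, since the BRUEXECLOG check depends on that user's environment and permissions.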