Subject: Caldera Security Advisory SA-1998.19: Buffer overflow in slang

Topic: Buffer overflow in slang
Advisory issue date: 24-July-1998

I. Problem Description

There is a hole in the Slang library that gives root permissions to anyone via setuid slang programs, and may give other rights. An example is the mutt mail program, which is linked with slang and has setgid permissions.

The cause of the problem is a pair of fairly silly bugs in which sprintf writes a huge $TERM value into a small buffer.

Another problem, not mentioned by Alan but fixed in a Jun 26 release by RedHat, is that slang doesn't reset the gid/uid before opening the terminfo file (which may be specified via the TERMINFO variable).

II. Impact

Description:

Vulnerable Systems: OpenLinux 1.0, 1.1, & 1.2 systems using the slang library package prior to slang-0.99.38-3.

III. Solution

Correction: The proper solution is to upgrade to the xxx packages.

They can be found on Caldera's FTP site at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/RPMS

The corresponding source code can be found at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:

    31e3b6522d290c432eb82a7f36340dc1  RPMS/slang-0.99.38-3.i386.rpm
    2e2fac73e7990be85b587877f121cfe8  RPMS/slang-devel-0.99.38-3.i386.rpm
    ab76c41bc7af58fc66bb0cfe08576f23  RPMS/slang-devel-static-0.99.38-3.i386.rpm
    8a2619e19064964a57902822b7fd4716  SRPMS/slang-0.99.38-3.src.rpm

Upgrade with the following commands:

    rpm -q slang-devel-static && rpm -e slang-devel-static
    rpm -q slang-devel && rpm -e slang-devel
    rpm -q slang && rpm -U slang-0.99.38-3.i386.rpm

If the development libraries are needed:

    rpm -i slang-devel-0.99.38-3.i386.rpm
    rpm -i slang-devel-static-0.99.38-3.i386.rpm

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in Alan Cox's vendor-sec posting.

This security fix closes Caldera's internal Problem Report 4044.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com. This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1998.19.txt,v 1.3 1998/07/24 13:02:59 rf Exp $
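The two problems in section I, shown as a hardened pattern in an added example that is not slang's code or Caldera's fix: a terminfo path built from $TERM with a bounded, checked snprintf, and $TERMINFO ignored when the process runs setuid or setgid. The function names, the default directory and the choice to ignore $TERMINFO (rather than reset the uid/gid as the advisory describes) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The bug class named in the advisory, shown only as a comment:
 *     char file[256];
 *     sprintf(file, "%s/%c/%s", dir, term[0], term);   (no bound on $TERM)
 */

/* Assumed default terminfo directory; real systems vary. */
#define DEFAULT_TERMINFO_DIR "/usr/share/terminfo"

/* True when the real and effective ids differ (setuid or setgid program). */
static int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pick the terminfo directory; a privileged process ignores $TERMINFO. */
const char *terminfo_dir(int privileged)
{
    const char *dir = privileged ? NULL : getenv("TERMINFO");
    return (dir && *dir) ? dir : DEFAULT_TERMINFO_DIR;
}

/* Build "<dir>/<first letter>/<term>" into out. Returns 0 on success, -1 if
 * term is empty, contains '/', or the result does not fit in outlen bytes. */
int build_terminfo_path(char *out, size_t outlen, const char *dir, const char *term)
{
    int n;
    if (!out || outlen == 0 || !dir || !term || !*term || strchr(term, '/'))
        return -1;
    n = snprintf(out, outlen, "%s/%c/%s", dir, term[0], term);
    if (n < 0 || (size_t)n >= outlen) {   /* truncated: refuse, do not use */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[256];
    const char *term = getenv("TERM");
    const char *dir = terminfo_dir(running_privileged());
    if (build_terminfo_path(path, sizeof path, dir, term ? term : "") != 0)
        return 1;                          /* oversized or malformed $TERM */
    puts(path);
    return 0;
}
```

Treating truncation as an error matters here: a silently shortened path would name a different file than the one the caller asked for.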