From sup-info@LOCUTUS4.CALDERASYSTEMS.COM Wed Jan 31 23:39:00 2001
From: Caldera Support Info
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 31 Jan 2001 10:26:49 -0700
Subject: [BUGTRAQ] Security Advisory: BIND buffer overflow CSSA-2001-008.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                BIND buffer overflow
Advisory number:        CSSA-2001-008.1
Issue date:             2001 January, 29
Last change:            2001 January, 31
Cross reference:
______________________________________________________________________________


1. Problem Description

   Several security problems have been discovered in the most recent
   versions of BINDv8 (8.2.2p7). One of them is a buffer overflow
   that can potentially be exploited to execute arbitrary code with
   the privilege of the bind user.

   If you do not run the BIND named server, you are not affected by
   this problem.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                All packages previous to
                                bind-8.2.3

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       bind-8.2.3

   OpenLinux eDesktop 2.4       All packages previous to
                                bind-8.2.3

3. Solution

   Workaround

   none

   The proper solution is to upgrade to the latest packages.

   As a matter of caution, we also suggest that you run the name
   server process under a non-root user ID. In case of future
   security holes in bind, this makes sure that remote attackers do
   not immediately obtain root access.

   Be warned however that when running the name server process under
   a non-root uid it loses the ability to automatically re-bind itself
   when you change the address of a network interface, or create a
   new one. If you do that, you need to manually restart named in
   this case.

   On eDesktop 2.4, named already runs under the "bind" account by
   default; this is not the case on OpenLinux 2.3 and eServer 2.3.1,
   however. Here's what to do:

   a. Create a new user and group named `bind'. Pick an unused user
      and group ID (on a normal OpenLinux installation, uid and gid 19
      should be available). Run the following commands as super user,
      replacing <uid> and <gid> by the user and group IDs you
      selected:

        # groupadd -g <gid> bind
        # useradd -u <uid> -g <gid> -d / -s /bin/false bind

   b. Change the ownership of /var/named to bind.bind:

        # chown -R bind.bind /var/named

   c. Edit /etc/sysconfig/daemons/named. Replace the line

        OPTIONS=""

      with

        OPTIONS="-u bind"

      This makes sure that the name server process relinquishes
      root privilege after initialization.

   d. Stop and restart your name server:

        # /etc/rc.d/init.d/named stop
        # /etc/rc.d/init.d/named start

      Note that simply issuing /etc/rc.d/init.d/named restart
      will not be enough!

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       01f9c6b514ab5aa70c3fe200c0c97243  RPMS/bind-8.2.3-1.i386.rpm
       89ed56545ee05e8adf81775b2754afd0  RPMS/bind-doc-8.2.3-1.i386.rpm
       41b9707056286325f4da4f45c0547b27  RPMS/bind-utils-8.2.3-1.i386.rpm
       9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv bind-*i386.rpm
         /etc/rc.d/init.d/named stop
         /etc/rc.d/init.d/named start

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       acd707632ae0e33432b5d37862265517  RPMS/bind-8.2.3-1.i386.rpm
       679d55e150b0bc8de0828db076e8594b  RPMS/bind-doc-8.2.3-1.i386.rpm
       a2b1b9764e884f4b1ed2b77e222a6755  RPMS/bind-utils-8.2.3-1.i386.rpm
       9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh bind-*i386.rpm
         /etc/rc.d/init.d/named stop
         /etc/rc.d/init.d/named start

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f454346c9bf531d6e9aa014d2be93e99  RPMS/bind-8.2.3-1.i386.rpm
       33a4e0f2ff622ea60e920c189b48af00  RPMS/bind-doc-8.2.3-1.i386.rpm
       a786125567471a7bd42544e104977d15  RPMS/bind-utils-8.2.3-1.i386.rpm
       9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh bind-*i386.rpm
         /etc/rc.d/init.d/named stop
         /etc/rc.d/init.d/named start

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   Additional information on this bug can be found at

   http://www.cert.org/advisories/CA-2001-02.html

   This security fix closes Caldera's internal Problem Report 8942.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6d+3l18sy83A/qfwRAjDSAJ9t7R8OiGb95t+DEsHUAW628jt7SgCeK1uB
5bK+TyAtICtvl/D84AnCz40=
=RkYp
-----END PGP SIGNATURE-----
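
Added example, not part of Caldera's advisory: a read-only audit of steps a to c in section 3, written as POSIX shell functions that take the files to inspect as arguments. The function names are hypothetical; the paths and the "-u bind" option are the ones the advisory gives.

```shell
#!/bin/sh
# Added example (not from the advisory): read-only checks for section 3,
# steps a-c. Function names are hypothetical. Files are passed as arguments
# so the checks can also be run against copies of the real ones.

# Step a: a "bind" account exists, is not uid 0, and has /bin/false as shell.
bind_account_ok() {    # $1 = passwd-format file, e.g. /etc/passwd
    awk -F: '$1 == "bind" && $3 != 0 && $7 == "/bin/false" { ok = 1 }
             END { exit !ok }' "$1"
}

# Step b: nothing under the zone directory belongs to another user.
tree_owned_by() {      # $1 = directory, $2 = user name or numeric uid
    [ -d "$1" ] || return 1
    # If find itself fails (e.g. unknown user), report failure, not success.
    stray=$(find "$1" ! -user "$2" -print 2>/dev/null) || return 1
    [ -z "$stray" ]
}

# Step c: the last uncommented OPTIONS= line passes "-u bind" to named.
named_drops_root() {   # $1 = daemons file, e.g. /etc/sysconfig/daemons/named
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'")
    case " $opts " in
        *" -u bind "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Run all three checks and report every failure, not only the first.
audit_named() {        # $1 passwd, $2 zone dir, $3 daemons file, $4 owner
    rc=0
    bind_account_ok "$1" ||
        { echo "FAIL a: no unprivileged bind account in $1"; rc=1; }
    tree_owned_by "$2" "${4:-bind}" ||
        { echo "FAIL b: $2 not fully owned by ${4:-bind}"; rc=1; }
    named_drops_root "$3" ||
        { echo "FAIL c: OPTIONS in $3 lacks -u bind"; rc=1; }
    return "$rc"
}
```

On a live system, after sourcing the functions, the call would be audit_named /etc/passwd /var/named /etc/sysconfig/daemons/named. Step d (the stop and start of named) is not checked here.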