From rluethi@TURBOLINUX.COM Thu Jul 13 13:39:48 2000 From: Roger Luethi To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 19 Jun 2000 18:05:57 -0700 Reply-To: tl-security-announce@www1.turbolinux.com Subject: [TL-Security-Announce] Linux Kernel TLSA2000013-1 ___________________________________________________________________________ TurboLinux Security Announcement Package: kernel-2.2.15 and earlier Date: Monday June 19 17:45 PDT 2000 Affected TurboLinux versions: 6.0.5 and earlier Vulnerability Type: local root compromise TurboLinux Advisory ID#: TLSA2000013-1 BugTraq ID#: 1322 Credits: This vulnerability was discovered by Wojciech Purczynski. ___________________________________________________________________________ A security hole was discovered in the package mentioned above. Please update the package in your installation as soon as possible. ___________________________________________________________________________ 1. Problem Summary Originally this security bug was reported by Sendmail. An unsafe fgets() usage in sendmail's mail.local exposes the setuid() security hole in the Linux kernel. This vunlnerability allows local users to obtain root privilege by exploiting setuid root applications. 2. Impact Any local user with an account can use this vulnerability to obtain root priviledges by exploiting setuid root applications. 3. a) Solution Please read section 3. b) if you use "TurboLinux Data Server with DB2" or "TurboLinux Data Server Optimized for Oracle 8i". Update the packages from our ftp server by running the following command for each package: rpm -Uvh --nodeps --Force ftp_path_to_filename Where ftp_path_to_filename is one of the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-BOOT-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-doc-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-headers-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-ibcs-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-pcmcia-cs-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-smp-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-source-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/kernel-utils-2.2.16-0.4.i386.rpm The source RPM can be downloaded here: ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/kernel-2.2.16-0.4.src.rpm **Note: You must rebuild and install the RPM if you choose to download and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE THE SECURITY HOLE. Please verify the MD5 checksum of the update before you install: MD5 sum Package Name --------------------------------------------------------------------------- 8861693c10c2a784f35ba603270d2ade kernel-2.2.16-0.4.i386.rpm d527dcb4a491eae049a560cc6ff0a4e0 kernel-2.2.16-0.4.src.rpm 3d70924bf24c74c9d2173ab2b7e696b0 kernel-BOOT-2.2.16-0.4.i386.rpm 8138707ad72cea856d9aed01042870ae kernel-doc-2.2.16-0.4.i386.rpm acca46851b1781a6c42e6a8a0a0a4426 kernel-headers-2.2.16-0.4.i386.rpm b8f54e8971270827bf5b5df1520877b5 kernel-ibcs-2.2.16-0.4.i386.rpm 6b2a24f7d677aa0739a5a113f0621f4f kernel-pcmcia-cs-2.2.16-0.4.i386.rpm 60aa909b603afa5fd895fbd693463e50 kernel-smp-2.2.16-0.4.i386.rpm e2a15e2ee9679f390908861513effd94 kernel-source-2.2.16-0.4.i386.rpm 9668cfd45fac0332c304a4e9f78dc4c9 kernel-utils-2.2.16-0.4.i386.rpm ___________________________________________________________________________ 3. b) Solution for TurboLinux Data Server This section only applies if you use "TurboLinux Data Server with DB2" or "TurboLinux Data Server Optimized for Oracle 8i". Update the packages from our ftp server by running the following command for each package: rpm -Uvh --nodeps --Force ftp_path_to_filename Where ftp_path_to_filename is one of the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-BOOT-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-doc-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-headers-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-ibcs-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-pcmcia-cs-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-smp-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-source-2.2.16-0.4.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-utils-2.2.16-0.4.i386.rpm The source RPM can be downloaded here: ftp://ftp.turbolinux.com/pub/updates/6.0/security/TDS-kernel/kernel-2.2.16-0.4.src.rpm **Note: You must rebuild and install the RPM if you choose to download and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE THE SECURITY HOLE. Please verify the MD5 checksum of the update before you install: MD5 sum Package Name --------------------------------------------------------------------------- 72b08a2760ef2f6ab7d1c3861bfb5d77 kernel-2.2.16-0.4.i386.rpm 872639a08f38b32f1879ad585b388624 kernel-2.2.16-0.4.src.rpm 6e9f553a05d85440d6405f539a0b0e25 kernel-BOOT-2.2.16-0.4.i386.rpm eee26cc58861b1ebf8bf9cef5263aedf kernel-doc-2.2.16-0.4.i386.rpm 1f8f01f0b3e2d598ed1569ce99a25b75 kernel-headers-2.2.16-0.4.i386.rpm a5fd0f5f1dcc175b324606dd26162238 kernel-ibcs-2.2.16-0.4.i386.rpm a9957820afeb81274d6a15d2411213b6 kernel-pcmcia-cs-2.2.16-0.4.i386.rpm a03c1aee79c2c7a9a8e92abd7df5ea08 kernel-smp-2.2.16-0.4.i386.rpm 8a669d467d515ad88f8710a13fd97ccb kernel-source-2.2.16-0.4.i386.rpm 138719960abc9eb52925f1507816cadf kernel-utils-2.2.16-0.4.i386.rpm ___________________________________________________________________________ These packages are GPG signed by Turbolinux for security. Our key is available here: http://www.turbolinux.com/security/tlgpgkey.asc To verify a package, use the following command: rpm --checksig name_of_rpm To examine only the md5sum, use the following command: rpm --checksig --nogpg name_of_rpm **Note: Checking GPG keys requires RPM 3.0 or higher. ___________________________________________________________________________ You can find more updates on our ftp server: ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation and Server security updates ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation and Server security updates Our webpage for security announcements: http://www.turbolinux.com/security If you want to report vulnerabilities, please contact: rt-security@turbolinux.com ___________________________________________________________________________ Subscribe to the TurboLinux Security Mailing lists: TL-security - A moderated list for discussing security issues in TurboLinux products. Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security TL-security-announce - An announce-only mailing list for security updates and alerts. Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce [Part 2, Application/PGP-SIGNATURE 240bytes] [Unable to print this part]