From support@caldera.com Thu Mar 5 18:28:32 1998
From: Caldera Support
To: Caldera Announce
Date: 6 Mar 1998 00:59:13 -0000
Reply-To: info@caldera.com
Subject: Caldera Security Advisory SA-1998.04: Vulnerabilities using gzexe

-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1998.04: Vulnerabilities using gzexe
Advisory issue date: 05-Mar-1998
Topic: Vulnerabilities using the gzexe utility from the gzip package.

I. Problem Description

The gzexe utility allows a user to compress executables in place and have them automatically uncompress and execute at run time. This saves disk space at the expense of performance. The compressed executable has a shell script header that decompresses the file at run time. This script has at least one known vulnerability and may have others.

Note 1: The gzexe utility is part of the gzip package.

Note 2: Some versions of gzexe do not execute because they reference gzip from /usr/bin instead of /bin. One work-around for this problem is to use a symlink ("ln -s /bin/gzip /usr/bin").

II. Impact

During decompression, the compressed binaries produced by gzexe use predictable /tmp filenames, resulting in a vulnerability where unprivileged users may be able to overwrite other users' files. Since the decompression is done via a shell script, other security vulnerabilities are possible.

This weakness affects all Caldera OpenLinux installations which have an executable copy of gzexe installed.

III. Solution

Until a secure replacement for gzexe is available, gzexe and the compressed binaries it produces are not supported. The security hole can be exploited using any gzipped executables made by gzexe. The system administrator must identify these and use gzexe to decompress them before removing gzexe.
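As an added example (not part of Caldera's advisory or of the gzip package), the following POSIX shell script automates the two administrator steps of section III over a chosen directory tree: it lists every regular file that carries the gzexe wrapper header and, when run with -d, restores each one with gzexe -d. Its own report file is created the way section II says the gzexe header did not create /tmp/gztmp$$: with mktemp, an unpredictable name, owner-only permissions and removal on exit. The marker string /tmp/gztmp$$ comes from the advisory's grep pattern; the script name gzexe_audit.sh, the function names and the command-line syntax are assumptions made for this example.

```shell
#!/bin/sh
# gzexe_audit.sh -- added example, not part of Caldera's advisory or of gzip.
# Lists executables under a directory that carry the gzexe wrapper header and,
# with -d, restores each one with "gzexe -d" (the advisory's decompression step).
# The report file it writes for itself is created safely (mktemp, mode 0600,
# removed on exit), which is the pattern the gzexe header lacked.

# Literal string the gzexe wrapper header leaves in every wrapped executable
# (taken from the advisory's grep pattern; "$$" expands to the wrapper's PID
# only when the wrapper itself runs, so the file contains it verbatim).
GZEXE_MARKER='/tmp/gztmp$$'

# safe_tmpfile: print the name of a freshly created private scratch file.
# mktemp creates the file atomically with an unpredictable name and mode 0600,
# so a file or symlink pre-placed under a guessable name cannot be clobbered.
safe_tmpfile() {
    ( umask 077; mktemp "${TMPDIR:-/tmp}/gzexe_audit.XXXXXX" )
}

# is_gzexe_wrapped FILE: succeed if FILE is a regular file carrying the marker.
# grep -F searches for the literal string, so "$" is not treated as an anchor.
is_gzexe_wrapped() {
    [ -f "$1" ] && grep -qF "$GZEXE_MARKER" "$1" 2>/dev/null
}

# find_gzexe_wrapped DIR: print every regular file under DIR that is wrapped.
find_gzexe_wrapped() {
    find "$1" -type f -exec grep -lF "$GZEXE_MARKER" {} \; 2>/dev/null
}

# decompress_wrapped FILE: restore the original binary in place with gzexe -d.
# gzexe keeps the previous contents as FILE~; review and remove that by hand.
decompress_wrapped() {
    gzexe -d "$1"
}

# audit [-d] DIR: report wrapped executables under DIR; with -d restore them.
audit() {
    do_decompress=0
    if [ "$1" = "-d" ]; then do_decompress=1; shift; fi
    dir="${1:?usage: audit [-d] DIR}"

    report="$(safe_tmpfile)" || return 1
    trap 'rm -f "$report"' EXIT HUP INT TERM

    find_gzexe_wrapped "$dir" > "$report"
    if [ ! -s "$report" ]; then
        echo "No gzexe-wrapped executables under $dir"
        return 0
    fi
    echo "gzexe-wrapped executables under $dir:"
    cat "$report"
    if [ "$do_decompress" -eq 1 ]; then
        while IFS= read -r f; do
            decompress_wrapped "$f" || echo "failed to decompress: $f" >&2
        done < "$report"
    fi
}

# Run the audit only when invoked with arguments, e.g.
#   sh gzexe_audit.sh /usr/local/bin        (report only)
#   sh gzexe_audit.sh -d /usr/local/bin     (report and restore)
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

Run the report-only form first and review the list; the wrapper header is plain text at the top of each file, so "head -3 FILE" on a hit shows the shell script described in section I. Only after the list looks right run the -d form as root, then remove the gzexe binary or install the updated gzip package named in section III.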
The following command can be used to identify executables that may have been gzipped using gzexe:

    find / -type f -exec grep -q "/tmp/gztmp\\\$\\\$ \\\$" {} \; -print

The administrator can decompress the executable named using:

    gzexe -d /path/executable

A harmless error message will be given if the named file had not been previously compressed with gzexe.

The simple solution is to avoid using gzexe and the compressed binaries produced from gzexe. A new gzip package with gzexe removed is provided. We recommend either removing gzexe or updating the gzip RPM to version gzip-1.2.4-7.i386.rpm, which can be found at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/002/RPMS/

Source code in RPM format can also be obtained from:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/002/SRPMS/

To install the new package execute (as root) the following command:

    rpm -q gzip && rpm -U gzip-1.2.4-7.i386.rpm

The MD5 checksums (from the "md5sum" command) for these packages are:

    b24eecbc3cb4aa698486838393ba4915  gzip-1.2.4-7.i386.rpm
    d956526b206b04fbe43d3dd646cd7bb3  gzip-1.2.4-7.src.rpm

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

This security advisory report is based in part on the postings to the BugTraq email list:

    From: (Michal Zalewski) lcamtuf@BOSS.STASZIC.WAW.PL
    To: BUGTRAQ@NETSPACE.ORG
    Subject: GZEXE - the big problem
    Date: Wed, 28 Jan 1998 21:41:53 +0100
    Message-ID: 01bd2c2d$2a5e1040$LocalHost@LCAMTUF
    http://www.netspace.org/cgi-bin/wa?A2=ind9801d&L=bugtraq&O=T&P=914

This security advisory closes Caldera's internal problem report #1722.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1998.04,v 1.1 1998/03/05 23:06:38 ron Exp ron $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNP9BXen+9R4958LpAQH8JQP/R/qRv8IAIXjf4xNMGf3y/R3zrV4Xsy2j
+wobznfGsu9eGyod610vGGdW1flKTvIJk+naoZibIx5TR3rvkrSMQQa6aJc1WdNU
x+3Q0npjba+ovtU3KApJr7kdeKPGWN6Bvolh+uzdnyachrbLx4BWouGLmq0hdYqy
LTX/mMa8vdY=
=vWjN
-----END PGP SIGNATURE-----

- Notes: To learn how to use this list server, email a "help" command to majordomo@rim.caldera.com.