From support@caldera.com Fri Dec 11 16:15:26 1998 From: Caldera Support To: Caldera Announce Date: 11 Dec 1998 16:33:22 -0000 Reply-To: info@caldera.com Subject: Caldera Security Advisory SA-1998.36: screen /tmp file race problem -----BEGIN PGP SIGNED MESSAGE----- Subject: Caldera Security Advisory SA-1998.36: screen /tmp file race problem Topic: screen /tmp file race problem Advisory issue date: 25 November 1998 I. Problem Description This is a problem present in screen 3.7.4. When a user uses ^A > in screen to save whatever he has cut, the file /tmp/screen-exchange is created. This file contains whatever was in the cut buffer at the time. This can be exploited if a normal user links /tmp/screen-exchange to a sensetive file, such as /etc/passwdr. Whenever root uses ^A > to save his buffer to file, whatever file /tmp/screen-exchange is linked to, is overwritten. II. Impact Description: When the root user uses screen critical files may be overwritten. Vulnerable Systems: OpenLinux 1.0, 1.1, 1.2, 1.3 systems using a screen package prior to screen-3.7.4-2. III. Solution Workaround: Do not use screen and remove the screen package until the fixed package can be installed. Correction: The proper solution is to upgrade to the screen-3.7.4-2 package. They can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/RPMS The corresponding source code can be found at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/SRPMS The MD5 checksums (from the "md5sum" command) for these packages are: 5510280cd7d597115253a32b5b9b1a64 RPMS/screen-3.7.4-2.i386.rpm 973bcbc995c9301fc9534abe18d18c1f SRPMS/screen-3.7.4-2.src.rpm Upgrade with the following commands: rpm -q screen && rpm -U screen-3.7.4-2.i386.rpm IV. References This and other Caldera security resources are located at: http://www.caldera.com/news/security/index.html Additional documentation on this problem can be found in http://www.geek-girl.com/bugtraq/1998_3/0204.html This security fix closes Caldera's internal Problem Report 4084. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNnEuR+n+9R4958LpAQEQ7QP+IC0sbNwWPelgelBw8M9d2P0swXeghpeU bXZYgzTJz1iIhj/UjzWmBtXwP+dTjjZFop+leGWtDIcWQGKE8VYsJN4/Fe0vMR73 kfbgGwSpplwfnXEGN6UrasTp/M70O1BpyDlVpx3lsPvnMz8q/JbQ26nID+rAKVpv Qn+XpP5szRQ= =qwnr -----END PGP SIGNATURE----- - Notes: To learn how to use this list server, email a "help" command to majordomo@rim.caldera.com.