(Conectiva Issues Fix) Red Hat Package Manager (RPM) Archives May Execute Arbitrary Code With Printer (lp) Privileges When Queried, Allowing a Local User to Gain Elevated Privileges on the Host
|
Date: Nov 27 2001
|
Impact: Execution of arbitrary code via local system, User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): rpm-4.0.2-7x, probably also earlier 4.0.x rpm packages; also affects programs using rpm libraries
|
Description: A vulnerability was reported in Red Hat Package Manager (rpm) that allows a user to create a corrupt RPM file that will automatically execute code when another user queries the archive. The code will run with printer (lp) user privileges.
It is reportedly possible for a user to create an RPM (Redhat Package Manager) file with 'corrupted' data that will cause arbitrary
code to execute when the rpm file is queried. The code will be executed with 'lp' user privileges. A local user can gain 'lp'
privileges.
To exploit this flaw, a user must modifying the header so that it is still valid but will corrupt the heap to cause
execution of user-supplied shellcode. The shellcode must be designed to be loaded into memory when the rpm is queried by the print
filter. It is reported that the RedHat print system will select the 'RPM to ASCII" print filter (/usr/lib/rhs/rhs-printfilters/rpm-to-asc.fpi)
to print (display) information about the rpm.
|
Impact: A local user can obtain lp user privileges.
|
Solution: The vendor has released a fix:
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/rpm-4.0.2-28U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/librpm-4.0.2-28U7
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/librpmbuild-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-1.6.2-28U70_1cl.i386.
rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-devel-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-devel-static-1.6.2-28U70_1cl.i386
.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-doc-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-rpm-4.0.2-28U70_1cl.i386.rpm
ft
p://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-build-4.0.2-28U70_1cl.i386.rpm
ftp://atualizaco
es.conectiva.com.br/7.0/RPMS/rpm-devel-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-devel-static-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoe
s.conectiva.com.br/7.0/RPMS/rpm-doc-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm2cpio-4.0.2-28U70_1cl.i386.rpm
Users
of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:
- add the following line to /etc/apt/sources.list
if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva
updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
|
Cause: Exception handling error
|
Underlying OS: Linux (Conectiva)
|
Reported By: secure@conectiva.com.br
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 27 Nov 2001 16:35:11 -0200
From: secure@conectiva.com.br
Subject: [conectiva-updates] [CLA-2001:440] Conectiva Linux Security Announcement - rpm
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : rpm
SUMMARY : RPM query vulnerability
DATE : 2001-11-27 16:34:00
ID : CLA-2001:440
RELEVANT
RELEASES : 7.0
- -------------------------------------------------------------------------
DESCRIPTION
The RPM Package Manager (RPM) is the package management system used
to distribute and install software by Conectiva Linux.
zen-parse found[1] a vulnerability[2] in rpm wich allows an attacker
to execute arbitrary code when an adultered rpm package is queried.
A malicious user could exploit this vulnerability by sending a
carefully crafted rpm package to the printing system, which will
query the package to extract the information to print and will
execute arbitrary code choosen by the attacker with the privileges of
the lp user.
Another situation is an administrator or any other user querying such
a package to extract information (using rpm -qpi for example) and
inadvertently executing arbitrary code from the attacker.
SOLUTION
All users should upgrade. We would like to thank Jeff Johnson
<jbj@redhat.com> for providing the patch to fix this vulnerability.
REFERENCES:
1. http://www.securityfocus.com/archive/1/222542
2. http://www.securityfocus.com/bid/3472
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/rpm-4.0.2-28U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/librpm-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/librpmbuild-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-devel-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-devel-static-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/popt-doc-1.6.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-rpm-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-build-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-devel-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-devel-static-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm-doc-4.0.2-28U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rpm2cpio-4.0.2-28U70_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8A9ze42jd0JmAcZARAgH5AKDtdGRkNRLl7k7G+EJaXnYS3k6XngCfQ5SW
fzzyZ0ZhztHpL3HObZvgCzQ=
=J5j9
-----END PGP SIGNATURE-----
|
|
