Slrn News Reader Automatically Executes Shell Scripts Embedded Within News Articles
|
Updated: Sep 25 2001
|
Original Entry Date: Sep 25 2001
|
Impact: Execution of arbitrary code via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): all versions >= 0.6.0
|
Description: A vulnerability was reported in slrn, a news reader (s-lang read news). The news reader will execute shell scripts contained in a news article when the article is viewed.
When extracting binary files, all versions of slrn will execute any shell scripts that are included in the article being decoded,
apparently assuming that the script is a self-extracting archive.
It is reported that the vulnerability has been fixed in version
0.9.6.2-9potato2. The shell code execution feature has been removed.
|
Impact: A remote user could post a news article containing a malicious shell script that will be executed by the newsreader when the news article is viewed.
|
Solution: A fixed version is available. See the Vendor URL for the source code. For Debian users, see the Debian security advisory in the Source Message.
|
Vendor URL: slrn.sourceforge.net/patches/index.html#subsect_decode (Links to External Site)
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Wichert Akkerman <wichert@wiggy.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 24 Sep 2001 01:52:50 +0200
From: Wichert Akkerman <wichert@wiggy.net>
Subject: [SECURITY] [DSA-078-1] slrn command invocation
|
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory DSA-078-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
September 24, 2001
- ------------------------------------------------------------------------
Package : slrn
Problem type : remote command invocation
Debian-specific: no
Byrial Jensen found a nasty problem in slrn (a threaded news reader).
The notice on slrn-announce describes it as follows:
When trying to decode binaries, the built-in code executes any shell
scripts the article might contain, apparently assuming they would be
some kind of self-extracting archive.
This problem has been fixed in version 0.9.6.2-9potato2 by removing
this feature.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.2 alias potato
- ---------------------------------
Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
Source archives:
http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2-9potato2.diff.gz
MD5 checksum: aba6be7efd5c693d9f5466afedcb08e2
http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2-9potato2.dsc
MD5 checksum: 51a80c1465a7fcc4d74151c4bd4470d1
http://security.debian.org/dists/stable/updates/main/source/slrn_0.9.6.2.orig.tar.gz
MD5 checksum: 7ce442af03aeafb88a636183955c270e
Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/slrn_0.9.6.2-9potato2_alpha.deb
MD5 checksum: 735e5ce15e7f87ac06a8cdecb1451a9f
http://security.debian.org/dists/stable/updates/main/binary-alpha/slrnpull_0.9.6.2-9potato2_alpha
.deb
MD5 checksum: 8b22f916ee5044ae6eaebbd658cffcad
ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/slrn_0.9.6.2-9potato2_arm.deb
MD5 checksum: 0cefa901be37e4b92796afb425369a10
http://security.debian.org/dists/stable/updates/main/binary-arm/slrnpull_0.9.6.2-9potato2_arm.deb
MD5 checksum: e68e5882a1d4feec1ba7fc9a737085d3
Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/slrn_0.9.6.2-9potato2_i386.deb
MD5 checksum: fc35e0d868dad315728c5274ee03a41c
http://security.debian.org/dists/stable/updates/main/binary-i386/slrnpull_0.9.6.2-9potato2_i386.d
eb
MD5 checksum: c3693811c8f794dc0b5bab3f581df0e8
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/slrn_0.9.6.2-9potato2_m68k.deb
MD5 checksum: 004a260f84dc2e45ea144b1899947327
http://security.debian.org/dists/stable/updates/main/binary-m68k/slrnpull_0.9.6.2-9potato2_m68k.d
eb
MD5 checksum: 2721c2b2470b7781dd79e5c0e216cf3f
PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/slrn_0.9.6.2-9potato2_powerpc
.deb
MD5 checksum: 9bc55c33a225662952854136da4865aa
http://security.debian.org/dists/stable/updates/main/binary-powerpc/slrnpull_0.9.6.2-9potato2_pow
erpc.deb
MD5 checksum: d78f8f3460d4abba54a088e5a07179c5
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/slrn_0.9.6.2-9potato2_sparc.deb
MD5 checksum: 37c48f0b104b94d5f74c7b9f76a0485d
http://security.debian.org/dists/stable/updates/main/binary-sparc/slrnpull_0.9.6.2-9potato2_sparc
.deb
MD5 checksum: df2be8b02b16d7a85142365b42a64956
These packages will be moved into the stable distribution on its next
revision.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBO651y6jZR/ntlUftAQFIqgL+LK0ddJWd5I9O7VCIB2tanrYdRHjj0D5j
K+6+n5L4CG43osBE6GXhiwpfORgp1kAumbr5GbZrQFGDPl9GQimKEZmqPyKqVYy3
jsy8mdMDwaHN6qvamNvXbz+NboRqKZXl
=PShj
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
