SecurityTracker.com
Category:   Application (Generic)  >   Rxvt Vendors:   Rxvt.org
(Immunix Issues Fix) Rxvt X-Windows Terminal Emulator Lets Local Users Obtain utmp Group Privileges
SecurityTracker Alert ID:  1001861
SecurityTracker URL:  http://securitytracker.com/id/1001861
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 28 2001
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): rxvt 2.6.2 (tested on Debian Linux 2.2)
Description:   A vulnerability has been reported in Rxvt, a VT102 terminal emulator for the X Window System. A local user can exploit it to gain the privileges of the 'utmp' group on the host.

The vulnerability is a buffer overflow in the handling of the '-T' (window title) option: a title longer than 256 characters overruns a fixed-size buffer. The '-name' option is reported to overflow in the same way. Because rxvt is installed set-group-ID (sgid) utmp on Debian 2.2 (and possibly on other systems), a local user who exploits the overflow can run code with utmp group privileges.

It is also reported that rxvt drops its group privileges incorrectly: only the effective group ID is given up, so the saved set-group-ID still holds utmp and code running inside the process can switch back to it.

The vendor has reportedly been notified.
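The two problems in this entry, the unbounded copy of a '-T' / '-name' argument and the incomplete group-privilege drop, shown side by side in C. This is an added illustration, not rxvt's source or the Immunix patch; TITLE_MAX, the function names and the sample titles are assumptions made for the example, and getresgid()/setresgid() are Linux/glibc calls.

```c
/* Added example (not rxvt's code): the unchecked fixed-size copy the
 * advisory describes, its bounded replacement, and a group-privilege drop
 * that also clears the saved set-group-ID. TITLE_MAX, the function names
 * and the synthetic titles are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Linux/glibc extensions; declared here in case _GNU_SOURCE was not yet
 * defined when <unistd.h> was first pulled in by another header. */
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

#define TITLE_MAX 256   /* assumed buffer size, matching the 256-char trigger */

/* BEFORE: the pattern behind the -T / -name overflow. An argument of
 * TITLE_MAX or more bytes writes past the end of title[] and, in an sgid
 * binary, lets the caller run code with the utmp group. Kept only for
 * contrast; never call it with attacker-controlled input. */
void set_title_unchecked(const char *arg)
{
    char title[TITLE_MAX];
    strcpy(title, arg);            /* no bound: overruns on a long -T */
    (void)title;
}

/* AFTER: check the length before writing, as the Immunix update does.
 * Returns 0 on success, -1 if the argument (with its terminator) would not
 * fit, so the caller can reject the option instead of corrupting the stack. */
int set_title_checked(char *title, size_t title_size, const char *arg)
{
    size_t n = strlen(arg);
    if (n + 1 > title_size)
        return -1;
    memcpy(title, arg, n + 1);     /* n + 1 copies the terminating NUL */
    return 0;
}

/* Helper for the demo: feed a synthetic title of 'len' bytes through the
 * checked path. Returns its result, or -2 if the allocation failed. */
int try_title_of_length(size_t len)
{
    char title[TITLE_MAX];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = set_title_checked(title, sizeof title, arg);
    free(arg);
    return rc;
}

/* 1 when real == effective == saved GID, i.e. nothing is left for
 * setgid()/setegid() to bring back. */
int group_privs_fully_dropped(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

/* Drop the sgid group for good. setegid(getgid()) alone changes only the
 * effective ID and leaves the saved set-group-ID holding utmp, which is the
 * recovery path described above; setresgid() sets all three. Returns 0 on
 * success, -1 if the kernel refused or the drop did not stick. */
int drop_group_privs_permanently(void)
{
    gid_t real = getgid();
    if (setresgid(real, real, real) != 0)
        return -1;
    return group_privs_fully_dropped() ? 0 : -1;
}

int main(void)
{
    /* Drop before touching any argument, then handle the title safely. */
    if (drop_group_privs_permanently() != 0) {
        perror("setresgid");
        return 1;
    }
    printf("300-byte title rejected: %s\n",
           try_title_of_length(300) == -1 ? "yes" : "no");
    printf("255-byte title accepted: %s\n",
           try_title_of_length(255) == 0 ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still succeeds, because every process may set each of its three group IDs to a value it already holds. On a system where the binary really is sgid (check with `ls -l` on the rxvt binary for an `s` in the group execute position), the same call is what prevents the saved-ID recovery described above; calling setresgid() before any argument parsing also means an overflow in option handling no longer runs with the utmp group.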

Impact:   A local user can obtain utmp group privileges.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.rxvt.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 16 2001 Rxvt X-Windows Terminal Emulator Lets Local Users Obtain utmp Group Privileges



 Source Message Contents

Date:  Wed, 27 Jun 2001 14:54:52 -0700
Subject:  [Immunix-announce] rxvt update -- Immunix OS 6.2, 7.0-beta, and 7.0




-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	rxvt
Affected products:	Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:		immunix/1646
Date:			Wed Jun 27 2001
Advisory ID:		IMNX-2001-70-028-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  Samuel "Zorgon" Dralet has discovered a buffer overflow in rxvt, a
  terminal emulator for X11. This attack is stopped by StackGuard, so
  any exploits can at best kill rxvt; no code can be executed as a
  result of this vulnerability. This release checks the size of a buffer
  before writing data to it, preventing possible DoS attacks against
  rxvt.

  Immunix OS does not ship rxvt setuid or setgid.

  Thanks to Samuel "Zorgon" Dralet for finding the problem and providing
  a solution.

  References: http://www.securityfocus.com/archive/1/191510

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/rxvt-2.6.1-8_StackGuard_1.i386.rpm

  Source packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/rxvt-2.6.1-8_StackGuard_1.src.rpm
  
  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/rxvt-2.6.3-2_imnx_2.i386.rpm
  
  Source package for Immunix 7.0-beta and 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/rxvt-2.6.3-2_imnx_2.src.rpm

Immunix OS 6.2 md5sums:
  e437825b2bbcd134f51b9e20e6b6baa7  RPMS/rxvt-2.6.1-8_StackGuard_1.i386.rpm
  de23da63d184eb57ebae4cb85cae0b97  SRPMS/rxvt-2.6.1-8_StackGuard_1.src.rpm

Immunix OS 7.0 md5sums:
  ce80b76ad782a76314a1e8060dc89a04  RPMS/rxvt-2.6.3-2_imnx_2.i386.rpm
  8ff018647dedc68d5823a1de6374811b  SRPMS/rxvt-2.6.3-2_imnx_2.src.rpm

GPG verification:                                                               
  Our public key is available at <http://wirex.com/security/GPG_KEY>.           
  *** NOTE *** This key is different from the one used in advisories            
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjs6VisACgkQVQcWL60UVMvxNACaA2tKyueTd1Np4+mjECnxsJz8
+GMAn1+0HQcFd46sDsIv68kV9dsTQayj
=RIZU
-----END PGP SIGNATURE-----


_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce


Copyright 2012, SecurityGlobal.net LLC