-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1998.15: libc problems

Advisory issue date: 24-July-1998
Topic-1: TZ environment variable used insecurely

Advisory issue date: 24-July-1998
Topic-2: Various problems with RPC

I. Problem Description

Problem-1: The TZ environment variable is used in building a path name, but is never checked for bogus path components.

Problem-2:
   Crash caused by client-supplied bad data in svc_au_ux.c.
   Circumvention of security checks in svc_authdes.c; likely crash from using client-supplied data (nicknames).
   Crashing a server by dropping the connection while the server is write()ing data (SIGPIPE).
   Hanging a TCP server by sending huge records, records with single bytes spaced 30 seconds apart, a continuous stream of requests, or a continuous stream of zero bytes.

II. Impact

Description-1: This lets an attacker trick the library into reading arbitrary files. This is especially bad for setuid applications, and when making it read /dev/port or something.

Description-2: A server can be crashed or hung as described above.

Vulnerable Systems: OpenLinux 1.0, 1.1, 1.2 systems using libc version lower than 5.4.46.

III. Solution

Correction: The proper solution is to upgrade to the libc-5.4.46-2 packages.
They can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/RPMS

The corresponding source code can be found at:

   ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:

   da2cab3c05d519ae8874879ca93c986d  RPMS/libc-5.4.46-2.i386.rpm
   336893f27b5c60ddb8ada1ce420c64f2  RPMS/libc-devel-5.4.46-2.i386.rpm
   c528c6d6c4000b2c384df86ab4b64585  RPMS/libc-devel-debug-5.4.46-2.i386.rpm
   7580098dfcd652cf97b22bfb9ef86065  RPMS/libc-devel-profile-5.4.46-2.i386.rpm
   1459043d73165442e100d7ed02302c73  RPMS/libc-devel-static-5.4.46-2.i386.rpm
   ca3763bbeac717cb776c0f20da59a48d  RPMS/libc-pthreads-5.4.46-2.i386.rpm
   62749fd78e9db4b0bfb24e6b93dd3df4  SRPMS/libc-5.4.46-2.src.rpm

Upgrade with the following commands:

   rpm -q libc-pthreads && rpm -e libc-pthreads
   rpm -q libc-devel-static && rpm -e libc-devel-static
   rpm -q libc-devel-profile && rpm -e libc-devel-profile
   rpm -q libc-devel-debug && rpm -e libc-devel-debug
   rpm -q libc-devel && rpm -e libc-devel
   rpm -U libc-5.4.46-2.i386.rpm

Install any additional libc packages which you require with "rpm -i".

IV. References

This and other Caldera security resources are located at:

   http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in the vendor-sec mailing list in Message-ID <19980707115557.26803@monad.swb.de>.

This security fix closes Caldera's internal Problem Reports 4045 4049.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:

   ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

   /OpenLinux/pgp-keys/

$Id: SA-1998.15.txt,v 1.3 1998/07/24 13:01:34 rf Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNbiFrun+9R4958LpAQFlqwP/QxpARTy/ZvFyqhZnKx0WepHdHUJpStbU
ckLY+Z22i6blGDb2//Zh/lnL8MkegOK8jElSfU0SOVInTwsOmbJxSocyayaRHevf
4PL3QxsyNt5CBamLbtCddvaMhvMcnV7ZEpxVuOkuunFKRyeDQBLCd4UB/Id9ZOPE
Ase0LbI/z/M=
=mm6G
-----END PGP SIGNATURE-----
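
Added example (not part of the Caldera advisory and not the code from libc 5.4.46): one way to perform the check that Problem-1 says was missing, rejecting bogus path components in a TZ value before it is joined to the zone directory. The function names and the ZONE_DIR value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed zoneinfo root; the advisory does not name the directory. */
#define ZONE_DIR "/usr/share/zoneinfo"

/* Return 1 if every '/'-separated component of tz is a plain name. */
int tz_name_is_safe(const char *tz)
{
    const char *p = tz;
    if (tz == NULL || *tz == '\0' || *tz == '/')
        return 0;                     /* unset, empty, or absolute path */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 0)
            return 0;                 /* empty component ("//") */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return 0;                 /* "." or ".." component */
        p += len;
        if (*p == '/' && *++p == '\0')
            return 0;                 /* trailing '/' */
    }
    return 1;
}

/* Write ZONE_DIR "/" tz into out; 0 on success, -1 if rejected or too long. */
int tz_build_path(const char *tz, char *out, size_t outlen)
{
    int n;
    if (!tz_name_is_safe(tz))
        return -1;
    n = snprintf(out, outlen, "%s/%s", ZONE_DIR, tz);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample TZ values. */
    const char *samples[] = { "Europe/Berlin", "../../dev/port", "/dev/port", "UTC/" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               tz_build_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```
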