Subject: Caldera Security Advisory SA-1998.28: Security problems in DOSEmu.

Topic: Security problems in DOSEmu
Advisory issue date: August 7 1998

I. Problem Description

From Chris Evans (edited):

1) In certain circumstances dosemu decides to mail stuff to root, i.e. when an unauthorised user attempts to run DOSEMU. Interestingly, the method to send mail is using the system() library call.

2) When the -L (I think) flag is used, to specify a .dexe file to load, the parsing of this name is riddled with overruns. Luckily, the overruns are into buffers that are static rather than stack allocated. Also they seem to be bounded by other large variables, as I can't seem to crash DOSEMU by overflowing these with ~20-100k of junk. However if this is indeed a genuine overflow and it occurs when effective or saved uid = 0, then I still rate this as a critical security flaw.

3) The user may specify an alternative config file. There appear to be overflows parsing the "device /dev/blah" section for both serial and mouse devices. Severity as yet unassessed.

II. Impact Description:

Vulnerable Systems: OpenLinux 1.0, 1.1, & 1.2 systems using the dosemu package prior to dosemu-0.66.7-2.

III. Solution

Workaround:

Correction:

The proper solution is to upgrade to the dosemu-0.66.7-2 packages. They can be found on Caldera's FTP site at:

ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/RPMS

The corresponding source code can be found at:

ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:

b0a8ac11fad2ee938cf2522788ca8866 RPMS/dosemu-0.66.7-2.i386.rpm
8fcceac498d075ee30a22ebb8b23f3c5 SRPMS/dosemu-0.66.7-2.src.rpm

Upgrade with the following commands:

rpm -q dosemu && rpm -U RPMS/dosemu-0.66.7-2.i386.rpm

IV. References

This and other Caldera security resources are located at:

http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in:

---
To: security-audit@ferret.lmh.ox.ac.uk, linux-msdos@vger.rutgers.edu
Subject: DOSEMU security hassles?
Message-ID:
Date: Sun, 21 Jun 1998 17:37:42 +0100 (BST)
---

This security fix closes Caldera's internal Problem Report 4048.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com. This key can be obtained from:

ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

/OpenLinux/pgp-keys/

$Id: SA-1998.28.txt,v 1.3 1998/08/07 14:12:31 rf Exp $
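Section I describes unbounded copies of the .dexe file name and of the "device /dev/..." config value into static buffers inside a setuid-root binary. The C below is an added example, not code from the advisory or from the dosemu source, showing the bounded form of both parses; the buffer sizes, function names and the over-long input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Static buffers standing in for those the advisory says the .dexe name and
   the "device /dev/..." value were parsed into (sizes are assumptions). */
#define DEXE_NAME_MAX 256
#define DEV_PATH_MAX  64   /* keep in step with the "%63s" width below */

static char dexe_name[DEXE_NAME_MAX];
static char dev_path[DEV_PATH_MAX];

/* Copy a user-supplied .dexe file name into the static buffer: 0 on success,
   -1 if empty, over-long or containing control characters. The scan stops at
   the buffer size, so a 100k argument is refused; the unchecked form is strcpy. */
int set_dexe_name(const char *name)
{
    size_t len = 0;
    if (name == NULL) return -1;
    while (len < DEXE_NAME_MAX && name[len] != '\0') {
        if (iscntrl((unsigned char)name[len])) return -1;
        len++;
    }
    if (len == 0 || len >= DEXE_NAME_MAX) return -1;
    memcpy(dexe_name, name, len);
    dexe_name[len] = '\0';
    return 0;
}

/* Parse a "device /dev/ttyS0" line (serial or mouse section) into dev_path with
   an explicit field width (the unchecked form is a bare "%s"): 0 or -1. */
int parse_device_line(const char *line)
{
    char tmp[DEV_PATH_MAX];
    if (line == NULL || sscanf(line, " device %63s", tmp) != 1) return -1;
    if (strlen(tmp) == DEV_PATH_MAX - 1) return -1;   /* probably truncated */
    if (strncmp(tmp, "/dev/", 5) != 0) return -1;     /* only device nodes */
    memcpy(dev_path, tmp, strlen(tmp) + 1);
    return 0;
}
/* Constructed input like the advisory's "~20-100k of junk": 1 if refused. */
int long_name_rejected(size_t junk_len)
{
    static char junk[100 * 1024 + 1];
    if (junk_len >= sizeof junk) junk_len = sizeof junk - 1;
    memset(junk, 'A', junk_len);
    junk[junk_len] = '\0';
    return set_dexe_name(junk) == -1;
}
```

The check on the scanf field width is the one that keeps the config-file parse from writing past dev_path no matter how long the value in the user's alternative config file is.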