Date: Thu, 2 Sep 1999 17:37:25 -0600 (MDT) From: Dan Burcaw <dburcaw@terraplex.com> To: lwn@lwn.net, dave@linuxtoday.com Subject: SECURITY: inn The Yellow Dog Linux Security Team has just released an updated version of inn which fixes a recently discovered security problem in inews. Package: inn Date: September 2, 1999 Problem: INN versions 2.2 and earlier have a buffer overflow-related security condition in the inews program. inews is a program used to inject new postings into the news system. It is used by many news reading programs and scripts. The default installation is with inews setgid to the news group and world executable. It's possible that exploiting the buffer overflow could give the attacker news group priviledges, which could possible be extended to root access. Note that this chain of elevation of privileges is theoretical rather than actual; the ability of an attacker to do this indicates bugs in other portions of INN. However, given the degree to which INN trusts the news user and news group, it's not unlikely that such bugs exist. No case of this being exploited has been shown yet. If you run a news server with no local readers (i.e. all your clients are remote) then you can remove the setgid-bit on inews. chmod 0550 inews The rnews program, used to feed news via uucp, is setuid to the uucp user. No buffer overflow problems have been found in rnews, but if you don't run uucp on your machine, then we recommend disabiling the setuid bit on rnews: chown news rnews chgrp news rnews chmod 0550 rnews Thanks go to the members of the BUGTRAQ mailing list for bringing this issue to our attention. We recommend that all Yellow Dog users which have installed the inn software upgrade to this fixed version. Urgency: MEDIUM Solution: rpm -Uvh <file> ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inews-2.2.1-1.ppc.rpm ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inn-2.2.1-1.ppc.rpm ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inn-devel-2.2.1-1.ppc.rpm Here is the md5 checksum of the updated package. Please verify these before installing the new package by running: md5sum <file> db707dae6df795052069df6f95312b62 RPMS/inews-2.2.1-1.ppc.rpm 52945314b2ecab334ddb8453e64db21a RPMS/inn-2.2.1-1.ppc.rpm fa5b8da8b382be47992736602c1feebc RPMS/inn-devel-2.2.1-1.ppc.rpm Users of Champion Server 1.0 can also, and are strongly advised to upgrade to this version of am-utils. More information can be found from our errata page at: http://www.yellowdoglinux.com/resources/errata_cs11.shtml