Date:	Thu, 18 Feb 1999 20:54:52 -0800
From:	William Deich <will@UCOLICK.ORG>
Subject:      Re: BUGTRAQ Digest - 17 Feb 1999 to 18 Feb 1999 (#1999-45)
To:	BUGTRAQ@NETSPACE.ORG

der Mouse wrote:

> Subject: Re: ISSalert: ISS Security Advisory: Buffer Overflow in "Super"
...
> Does anyone (who is willing to talk) know anything more about this?
> One site I work at has a version of super earlier than 3.9.6 installed,
> and the advisory neither states that any versions are *not* vulnerable
> (except, implicitly, 3.11.7) nor describes the vulnerability in enough
> detail for me to test our version.
>
Generally, super v3.9.6 - v3.11.6 contains two known buffer overflow
problems.  The specific problem demonstrated by ISS X-Force to gain local
root access was not introduced until _after_ 3.9.6, but all versions in
that range had one problem or the other.  (If you want complete details,
please email me.  In the usual manner of buffer overflows, the exploit
is almost trivial if you know what to attack, so I'm not willing to
publish on bugtraq the exact line of the code where the problem occurs.)

Even if you have an older version of super than 3.9.6, I urge you to upgrade,
because a quick perusal of the "WhatsNew" file in the package shows that
various other bugs -- not generally root-access bugs -- have been fixed
over the years.  Note that 3.9.6 is already three years old; other
released versions go back to 1994 or so.

It turned out that the announcement of the local root exploit caused
more people to report more problems, and as a result super has had two
quick updates, and the current version of super is 3.11.9.

As usual, the home location is:

    ftp.ucolick.org:/pub/users/will/super-3.11.9.tar.gz

Or, if you prefer to patch:

    ftp.ucolick.org:/pub/users/will/super-3.11.6-3.11.9
    ftp.ucolick.org:/pub/users/will/super-3.11.7-3.11.9
    ftp.ucolick.org:/pub/users/will/super-3.11.8-3.11.9

These should shortly appear on the ftp.onshore.com mirror at
	ftp.onshore.com:/pub/mirror/software/super/

Finally, one small correction to the X-Force announcement, which said that
super is gnu copyleft'd.  Actually, you are permitted to redistribute it
and/or modify it under the terms of either the GNU license or Larry
Wall's "Artistic License"; take your pick.  (I'm agnostic :-)

-Will
--
William Deich
UCO / Lick Observatory     |  Internet: will@ucolick.org
University of California   |  Phone: (831) 459-3913
Santa Cruz, CA  95064      |  Fax:   (831) 426-3115