[LWN Logo]

Date:         Fri, 27 Aug 1999 23:43:53 +0200
From:         brister@VIX.COM
Subject:      INN inews vulnerability
To:           BUGTRAQ@SECURITYFOCUS.COM

INN versions 2.2 and earlier have a buffer overflow-related security
condition in the inews program.

inews is a program used to inject new postings into the news system.
It is used by many news reading programs and scripts. The default
installation is with inews setgid to the news group and world
executable. It's possible that exploiting the buffer overflow could
give the attacker news group privileges, which could possibly be
extended to root access.

No case of this being exploited has been shown yet.

If you run a news server with no local readers (i.e. all your
clients are remote) then you can remove the setgid-bit on inews.

        chmod 0550 inews

The rnews program, used to feed news via uucp, is setuid to the
uucp user.  No buffer overflow problems have been found in rnews,
but if you don't run uucp on your machine, then we recommend
disabling the setuid bit on rnews:

        chown news rnews
        chgrp news rnews
        chmod 0550 rnews

A fuller description can be found at

        http://www.isc.org/view.cgi?products/INN/inn2.2.vulnerability.phtml

The latest INN version 2.2.1

        ftp://ftp.isc.org/isc/inn/inn-2.2.1.tar.gz

has the buffer overflow problem fixed. Upgrading is recommended,
if you cannot disable the inews setgid bit.

James
--
James Brister                                            brister@vix.com
Internet Software Consortium