d/yd-inn

Date: Thu, 2 Sep 1999 17:37:25 -0600 (MDT)
From: Dan Burcaw <dburcaw@terraplex.com>
To: lwn@lwn.net, dave@linuxtoday.com
Subject: SECURITY: inn 


The Yellow Dog Linux Security Team has just released an updated
version of inn which fixes a recently discovered security
problem in inews.

Package: inn
Date: September 2, 1999
Problem:                       
INN versions 2.2 and earlier have a buffer overflow-related security
condition in the inews program. 

inews is a program used to inject new postings into the news system. It is
used by many news reading programs and scripts. The default installation
is with inews setgid to the news group and world executable. It's possible
that exploiting the buffer overflow could give the attacker news group
priviledges, which could possible be extended to root access. 

Note that this chain of elevation of privileges is theoretical rather than
actual; the ability of an attacker to do this indicates bugs in other
portions of INN. However, given the degree to which INN trusts the news
user and news group, it's not unlikely that such bugs exist. 
                         
No case of this being exploited has been shown yet. 
                         
If you run a news server with no local readers (i.e. all your clients are
remote) then you can remove the setgid-bit on inews. 

  chmod 0550 inews 
                         
The rnews program, used to feed news via uucp, is setuid to the uucp user.
No buffer overflow problems have been found in rnews, but if you don't run
uucp on your machine, then we recommend disabiling the setuid bit on
rnews: 
                         
  chown news rnews chgrp news rnews chmod 0550 rnews 
                         
Thanks go to the members of the BUGTRAQ mailing list for bringing this
issue to our attention. 

We recommend that all Yellow Dog users which have installed the inn
software upgrade to this fixed version. 

Urgency: MEDIUM
Solution: rpm -Uvh <file>

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inews-2.2.1-1.ppc.rpm
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inn-2.2.1-1.ppc.rpm
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/inn-devel-2.2.1-1.ppc.rpm

Here is the md5 checksum of the updated package. Please verify these
before installing the new package by running: md5sum <file> 

db707dae6df795052069df6f95312b62  RPMS/inews-2.2.1-1.ppc.rpm
52945314b2ecab334ddb8453e64db21a  RPMS/inn-2.2.1-1.ppc.rpm
fa5b8da8b382be47992736602c1feebc  RPMS/inn-devel-2.2.1-1.ppc.rpm

Users of Champion Server 1.0 can also, and are strongly advised to upgrade
to this version of am-utils.

More information can be found from our errata page at: 
http://www.yellowdoglinux.com/resources/errata_cs11.shtml