Date: Mon, 29 Jan 2001 13:23:08 -0700
From: Caldera Support Info <sup-info@locutus4.calderasystems.com>
To: announce@lists.calderasystems.com, bugtraq@securityfocus.com,
Subject: CSSA-2001-008.0 BIND buffer overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		BIND buffer overflow
Advisory number: 	CSSA-2001-008.0
Issue date: 		2001 January, 29
Cross reference:
______________________________________________________________________________


1. Problem Description

   Several security problems have been discovered in the most recent
   versions of BINDv8 (8.2.2p7). One of them is a buffer overflow that
   can potentially be exploited to execute arbitrary code with the
   privilege of the bind user.

   If you do not run the BIND named server, you are not affected
   by this problem.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3		All packages previous to
   				bind-8.2.3

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder  	bind-8.2.3

   OpenLinux eDesktop 2.4       All packages previous to
   				bind-8.2.3

3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

   As a matter of caution, we also suggest that you run the name
   server process under a non-root user ID. In case of future
   security holes in bind, this makes sure that remote attackers
   do not immediately obtain root access.

   Be warned, however, that a name server process running under a
   non-root uid loses the ability to automatically re-bind itself
   when you change the address of a network interface or create a
   new one. If you do that, you need to restart named manually.

   On eDesktop 2.4, named already runs under the "bind" account by
   default; this is not the case on OpenLinux 2.3 and eServer 2.3.1,
   however.

   Here's what to do:

   a.	Create a new user and group named `bind'.
	Pick an unused user and group ID (on a normal OpenLinux
	installation, uid and gid 19 should be available).
	Run the following commands as super user, replacing
	<uid> and <gid> by the user and group IDs you selected:

	# groupadd -g <gid> bind
	# useradd -u <uid> -g <gid> -d / -s /bin/false bind

   b.	Change the ownership of /var/named to bind.bind:

	# chown -R bind.bind /var/named
	
   c.	Edit /etc/sysconfig/daemons/named. Replace the line

		OPTIONS=""

	with

		OPTIONS="-u bind"

	This makes sure that the name server process relinquishes
	root privilege after initialization.

   d.	Stop and restart your name server:

	# /etc/rc.d/init.d/named stop
	# /etc/rc.d/init.d/named start

   	Note that simply issuing /etc/rc.d/init.d/named restart
	will not be enough!
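
   A way to confirm that steps a through d took effect, given here as an
   added example that is not part of Caldera's advisory. The function
   names are illustrative; the default paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the advisory): audit that steps a-d took effect.
# Function names are illustrative; default paths are the advisory's.

# Print the account named is told to switch to via -u in OPTIONS, if any.
named_run_user() {
    sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'" |
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == "-u" && i < NF) { print $(i + 1); exit }
               if ($i ~ /^-u./) { print substr($i, 3); exit }
           } }'
}

# List entries under directory $1 not owned by user $2 (step b).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Print the accounts that running named processes belong to (step d).
named_process_users() {
    ps -e -o user= -o comm= | awk '$2 == "named" { print $1 }' | sort -u
}

audit_named() {
    conf=${1:-/etc/sysconfig/daemons/named}; dir=${2:-/var/named}; rc=0
    user=$(named_run_user "$conf")
    case $user in
        ''|root|0) echo "FAIL: OPTIONS in $conf does not drop root"; return 1 ;;
    esac
    if ! id "$user" >/dev/null 2>&1; then
        echo "FAIL: account $user does not exist (step a)"; return 1
    fi
    if [ -n "$(not_owned_by "$dir" "$user")" ]; then
        echo "FAIL: entries under $dir are not owned by $user (step b)"; rc=1
    fi
    if named_process_users | grep -qx root; then
        echo "FAIL: named still runs as root; stop and start it (step d)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: named is set up to run as $user"
    return "$rc"
}

# Run the audit only when asked to, e.g.:  sh audit.sh run
if [ "${1:-}" = run ]; then audit_named; fi
```

   Files created under /var/named by root after step b, such as zone
   files copied in by hand, show up in the ownership check.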

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
        
       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

   01f9c6b514ab5aa70c3fe200c0c97243  RPMS/bind-8.2.3-1.i386.rpm
   89ed56545ee05e8adf81775b2754afd0  RPMS/bind-doc-8.2.3-1.i386.rpm
   41b9707056286325f4da4f45c0547b27  RPMS/bind-utils-8.2.3-1.i386.rpm
   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv bind-*i386.rpm
	  /etc/rc.d/init.d/named stop
	  /etc/rc.d/init.d/named start

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

   f454346c9bf531d6e9aa014d2be93e99  RPMS/bind-8.2.3-1.i386.rpm
   33a4e0f2ff622ea60e920c189b48af00  RPMS/bind-doc-8.2.3-1.i386.rpm
   a786125567471a7bd42544e104977d15  RPMS/bind-utils-8.2.3-1.i386.rpm
   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh bind-*i386.rpm
	  /etc/rc.d/init.d/named stop
	  /etc/rc.d/init.d/named start

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

   acd707632ae0e33432b5d37862265517  RPMS/bind-8.2.3-1.i386.rpm
   679d55e150b0bc8de0828db076e8594b  RPMS/bind-doc-8.2.3-1.i386.rpm
   a2b1b9764e884f4b1ed2b77e222a6755  RPMS/bind-utils-8.2.3-1.i386.rpm
   9ae6f304f9dd7a63aa291ed143fa4035  SRPMS/bind-8.2.3-1.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh bind-*i386.rpm
	  /etc/rc.d/init.d/named stop
	  /etc/rc.d/init.d/named start

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   Additional information on this bug can be found at

   http://www.cert.org/advisories/CA-2001-02.html

   This security fix closes Caldera's internal Problem Report 8942.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6dZNJ18sy83A/qfwRAms9AKCczcSiZJz9nJnBlYuq2YpyTNMk+wCcDuw4
nXLAYCpd8AYXn+v6MXpCVSQ=
=kbGF
-----END PGP SIGNATURE-----