Date: 24 November 2000
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2000.369 -- RHSA-2000:115-01
New ncurses packages fixing buffer overrun available
24 November 2000
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ncurses
Vendor: Red Hat
Operating System: Red Hat Linux
Linux
Impact: Increased Privileges
Access Required: Local
- --------------------------BEGIN INCLUDED TEXT--------------------
- ---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: New ncurses packages fixing buffer overrun available
Advisory ID: RHSA-2000:115-01
Issue date: 2000-11-23
Updated on: 2000-11-23
Product: Red Hat Linux
Keywords: ncurses buffer overrun exploit setuid
Cross references: N/A
- ---------------------------------------------------------------------
1. Topic:
If you are any setuid applications that use ncurses and its cursor movement
functionality, local users may gain access to the program's privileges.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386, alpha, sparc
Red Hat Linux 6.2EE - i386, alpha, sparc
Red Hat Linux 7.0 - i386
3. Problem description:
There used to be an overflowable buffer in the part of the ncurses library
handling cursor movement.
Attackers can force a privileged application to use their own termcap file
containing a special terminal entry which will trigger the ncurses
vulnerability, allowing them to execute arbitrary code with the privileges
of the exploited binary.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
20809 - ncurses allows local privilege escalation
6. RPMs required:
Red Hat Linux 6.2:
alpha:
ftp://updates.redhat.com/6.2/alpha/ncurses-5.0-12.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/ncurses-devel-5.0-12.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/ncurses-5.0-12.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/ncurses-devel-5.0-12.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/ncurses-5.0-12.i386.rpm
ftp://updates.redhat.com/6.2/i386/ncurses-devel-5.0-12.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/ncurses-5.0-12.src.rpm
Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/ncurses-5.2-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
sources:
ftp://updates.redhat.com/7.0/SRPMS/ncurses-5.2-2.src.rpm
7. Verification:
MD5 sum Package Name
- --------------------------------------------------------------------------
268df5613b61b146b8cae1c59369c0b7 6.2/SRPMS/ncurses-5.0-12.src.rpm
1decbd07374fd9fb7ae5a12641d2667b 6.2/alpha/ncurses-5.0-12.alpha.rpm
ed52d2bad06cee2cec081bb889a5e363 6.2/alpha/ncurses-devel-5.0-12.alpha.rpm
d401a0317132c114a75dfeefb881f66c 6.2/i386/ncurses-5.0-12.i386.rpm
bc84ee23b1b8f960a0911a5388c52d24 6.2/i386/ncurses-devel-5.0-12.i386.rpm
654eca10b3b44afef783c39da3b254dc 6.2/sparc/ncurses-5.0-12.sparc.rpm
e273dd6e88899781bcc7441e7505de5c 6.2/sparc/ncurses-devel-5.0-12.sparc.rpm
4444a46c15c28db246b191daf4f3dfde 7.0/SRPMS/ncurses-5.2-2.src.rpm
9affe6c75ae33d616ea695766c10e44e 7.0/i386/ncurses-5.2-2.i386.rpm
a555ec460de5650c4a2c42abc5de838c 7.0/i386/ncurses-devel-5.2-2.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
8. References:
N/A
Copyright(c) 2000 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOlSNWyh9+71yA2DNAQHsqAQAnFn06e6OzfkMjBlBuH1sxHLyLhv/QseW
qT1+Y654x1BCENvxnuY+VyWRlEY7EQ51LEEiaD9T8izokGHbR3Wdt1s+5xPTc3Py
J9U1kgYMSiC3AM0HzVPQxMqD/AnsW8wHYdswz0e+/IrwMvJCiFkCvjM6ogyMcvel
Br/uuKecik8=
=Nvoh
-----END PGP SIGNATURE-----
|