[linux-security] man bugs
- To: linux-security
- Subject: [linux-security] man bugs
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 14 Jun 2001 17:08:04 -0700
- User-Agent: Mutt/1.2.5i
Topic
=====
a) RedHat's man package has a heap overrun.
b) Debian's man-db package allows a symlink attack.
Problem Description
===================
a) A buffer size was calculated incorrectly in man.c. This bug can be exploited
to gain gid man privileges, which in turn may be used to gain root
privileges.
b) A bug in man-db can be abused to gain privileges of the user "man".
Affected Systems
================
a) RedHat 6.x, 7.0 (7.1 is not affected)
b) Debian
Workaround
==========
a) # chmod g-s /usr/bin/man
b) # suidregister /usr/lib/man-db/man root root 0755
   # suidregister /usr/lib/man-db/mandb root root 0755
Solution
========
RedHat 6.x
----------
rpm -Fvh man-1.5i-0.6x.1.i386.rpm mktemp-1.5-2.1.6x.i386.rpm
RedHat 7.0
----------
rpm -Fvh man-1.5i-4.i386.rpm
Debian 2.2 (potato)
-------------------
upgrade to man-db_2.3.16-4_i386.deb
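
A check that the workaround above has taken effect, as an added example that is not part of the original advisory: it reports which of the binaries named in the Workaround section still carry a setuid or setgid bit. The function name check_priv_bits and the MAN_PATHS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory.
# Paths are the ones named in the Workaround section.
MAN_PATHS="/usr/bin/man /usr/lib/man-db/man /usr/lib/man-db/mandb"

# check_priv_bits PATH...
# Prints one status line per path. The return status is the number of
# paths that still have a setuid or setgid bit; 0 means none do.
check_priv_bits() {
    flagged=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "absent   $f"
            continue
        fi
        bits=""
        # test -u / -g are true when the setuid / setgid bit is set
        if [ -u "$f" ]; then bits="${bits}setuid "; fi
        if [ -g "$f" ]; then bits="${bits}setgid "; fi
        if [ -n "$bits" ]; then
            echo "FLAGGED  $f (${bits% })"
            flagged=$((flagged + 1))
        else
            echo "ok       $f"
        fi
    done
    return "$flagged"
}

# Audit the advisory's paths; paths that do not exist on this
# distribution are reported as absent and not counted.
check_priv_bits $MAN_PATHS || echo "workaround not fully applied"
```

Run it again after installing the updated packages: the fixed man packages may reinstate the privileged mode, in which case FLAGGED lines are expected.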