===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2000.291 -- Red Hat, Inc. Security Advisory
          traceroute setuid root exploit with multiple -g options
                              17 October 2000

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                traceroute
Vendor:                 Red Hat
Operating System:       Red Hat Linux
                        Linux
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Local

--------------------------BEGIN INCLUDED TEXT--------------------

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          traceroute setuid root exploit with multiple -g options
Advisory ID:       RHSA-2000:078-02
Issue date:        2000-10-06
Updated on:        2000-10-06
Product:           Red Hat Linux
Keywords:          traceroute setuid root exploit
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

A root exploit and several additional bugs in traceroute have been
corrected.

2. Relevant releases/architectures:

Red Hat Linux 5.0 - i386, alpha, sparc
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc

3. Problem description:

A root exploit due to a segfault when using multiple -g options is fixed
for Red Hat Linux 6.x and Red Hat Linux 5.x.

A potential denial-of-service attack is alleviated by enforcing a maximum
buffer size of 64Kb.

On Red Hat Linux 6.x, loose source routing (LSRR) now works correctly.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

18466 - traceroute: local root exploit now exists
13466 - segfault while parsing multiple -g arguments
15917 - Maksimum packetlength checked badly (Local DoS)
16281 - traceroute LSRR broken

6. RPMs required:

Red Hat Linux 5.x:

alpha:
ftp://updates.redhat.com/5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm

i386:
ftp://updates.redhat.com/5.2/i386/traceroute-1.4a5-24.5x.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/traceroute-1.4a5-24.5x.src.rpm

Red Hat Linux 6.x:

alpha:
ftp://updates.redhat.com/6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/traceroute-1.4a5-24.6x.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/traceroute-1.4a5-24.6x.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
1fe1fb918271526d5d4e22046f1da776  5.2/SRPMS/traceroute-1.4a5-24.5x.src.rpm
25a92211082e65df9f89fd71ac7a6888  5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm
2fc1c66152f3fbd723b695472aadc0a6  5.2/i386/traceroute-1.4a5-24.5x.i386.rpm
d60c337c3fa3d23ba2c1cde082c8fee5  5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm
9fc2151d7cca01185add0ed085efcde0  6.2/SRPMS/traceroute-1.4a5-24.6x.src.rpm
f279d9e415a7d806daae86e8112fe8c6  6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm
49bd824f9f4784ce9c45fa54285c7aa0  6.2/i386/traceroute-1.4a5-24.6x.i386.rpm
498a1e08221e1d9e0115edb7f34ecef9  6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

Thanks to Pekka Savola <pekkas@netcore.fi> for discovering the flaw.

See http://www.securityfocus.com/archive/1/136215 for a complete
summary of the flaw.

Copyright(c) 2000 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
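
An added example, not part of the Red Hat advisory or the AusCERT bulletin: a shell helper that checks a directory of downloaded packages against a checksum table in the "MD5 sum / Package Name" layout of section 7. The function name verify_manifest, its arguments and its status words are hypothetical, and GNU md5sum is assumed; it covers only the integrity check, so rpm --checksig <filename> remains the step that ties a package to Red Hat's GPG key.

```shell
#!/bin/sh
# Added example; verify_manifest and its output format are hypothetical.
# Usage: verify_manifest MANIFEST DIR
#   MANIFEST: lines of "<32-hex md5>  <relative path>" (section 7 layout);
#             header, separator and blank lines are ignored.
#   DIR:      directory holding the downloads under those relative paths.
# Returns 0 only if at least one entry was read and every file matched.
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    checked=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want path || [ -n "$want" ]; do
        # Accept only entries whose first field is exactly 32 hex digits.
        case $want in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        checked=$((checked + 1))
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            rc=1
        fi
    done < "$manifest"
    # A manifest with no usable entries must not count as a pass.
    [ "$checked" -gt 0 ] || rc=2
    return "$rc"
}
```
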