SuSE alert: ypbind/ypclient

Posted by dave on Oct 18, 2000 9:22 AM EDT


-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package: ypbind/ypclient
        Announcement-ID: SuSE-SA:2000:042
        Date: Wednesday, October 18th, 2000 19:15 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type: possible remote root compromise
        Severity (1-10): 8
        SuSE default package: yes (starting with SuSE-6.4)
        Other affected systems: Linux systems using this NIS implementation

    Content of this advisory:
        1) security vulnerability resolved: ypbind/ypclient
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    Security problems have been found in the client code of the NIS
    (Network Information System, aka yp - yellow pages) subsystem.
    SuSE distributions before SuSE-6.1 came with the original ypbind
    program; SuSE-6.2 and later included the ypbind-mt NIS client
    implementation. ypbind-3.3 (the earlier version) has a format
    string parsing bug if it is run in debug mode, and (discovered
    by Olaf Kirch <okir@caldera.de>) leaks file descriptors under
    certain circumstances which can lead to a DoS. In addition,
    ypbind-3.3 may suffer from buffer overflows.
    ypbind-mt, the software shipped with SuSE distributions starting
    with SuSE-6.2, suffers from a single format string parsing bug.
    Some of these bugs could allow remote attackers to execute
    arbitrary code as root.
    During code audit and testing it turned out that the ypbind-3.x
    software in the SuSE-6.1 distribution and earlier needs a major
    overhaul to make it work both reliably and securely with respect
    to errors in the code. Basically, this is what happened when
    Thorsten Kukuk <kukuk@suse.de> wrote ypbind-mt from scratch in 1998.
    For the same reason, we are currently unable to produce a working
    security update package which fixes the known and as yet unknown (there
    may be more) problems in the ypclient packages in the SuSE-6.1
    distribution and older.
    The only efficient workaround for the SuSE-6.1 distribution and older
    against these bugs for an untrusted, hostile environment is to upgrade
    to a new distribution base (SuSE-7.0 is recommended) and use the
    ypclient update packages for this distribution.
    As of today, there is no exploit known to exist in the wild.

    For SuSE-6.2 and later distributions we provide update packages as
    listed below. We recommend downloading and installing these packages
    on systems that are NIS/yp clients.
    Please note that the sources for the ypclient package are contained
    within the ypserv source rpm.

    Download the update package from locations described below and install
    the package with the command `rpm -Uhv file.rpm'. The md5sum for each
    file is in the line below. You can verify the integrity of the rpm
    files using the command
        `rpm --checksig --nogpg file.rpm',
    independently from the md5 signatures below.

    i386 Intel Platform:

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/ypclient-3.5-89.i386.rpm
      76e4e7f60791db16c5e36fb5dbf60b65
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/ypserv-1.3.11-89.src.rpm
      e2b1dccaec003f54e4ebbdef84d99a10

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/ypclient-3.4-95.i386.rpm
      e485ea27264fb9c4f890cdf7605ffa30
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
      c61c6df2ba1fef2369406b2dcbcd25f1

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/ypclient-3.4-95.i386.rpm
      c1a10cc0a3f72242b136be921f9ae0c1
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/ypserv-1.3.11-95.src.rpm
      6f47a880d5e7175dc2b5ff0116d7de4d

    SuSE-6.2
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypclient-3.4-95.i386.rpm
      9050e63cb9f7fac4997968760292a6f1
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/ypserv-1.3.11-95.src.rpm
      7ecfaffd8cdb68f73adfd1d6fd27ed39

    SuSE-6.1 and older:
    Please see the problem description above.

    Sparc Platform:

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/ypclient-3.5-89.sparc.rpm
      1a38d25c8647f010e2a9879f28de4adf
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/ypserv-1.3.11-89.src.rpm
      6ba9200e49210f98ca845107b034b981

    AXP Alpha Platform:

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/ypclient-3.4-95.alpha.rpm
      6aea95ca27245eb3df72da7596af3321
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
      a4bf635b9ee4bdefc29b7e6e1cf0cf41

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/ypclient-3.4-95.alpha.rpm
      b68f8690b7dc554ac9098c83f9c633cd
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/ypserv-1.3.11-95.src.rpm
      ef0a026d078847d0958118bbbc46b99e

    PPC Power PC Platform:

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/ypclient-3.4-95.ppc.rpm
      26080b1443a3daa1de64c876ae36e6f2
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
      4f0904d73c98c8b9737d5ac34b7a4dd5

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

    Another security announcement is following this advisory.
______________________________________________________________________________

3) standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        - general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        - SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ===============================================
    SuSE's security contact is <security@suse.com>.
    ===============================================

Regards,
Roman Drahtmüller.
-- 
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>




