TCLUG Archive
Buffer Overflow in "Super" package in Debian Linux
Debian users of Linux.
> ISS Security Advisory
> February 15, 1999
>
> Buffer Overflow in "Super" package in Debian Linux
>
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the system administration utility, "Super". Super is used by
> administrators to allow certain users to execute commands with root
> privileges. The vulnerability is distributed with Debian Linux. It may
> allow local attackers to compromise root access. Super is a GNU
> copylefted package that is distributed with recent Debian Linux
> distributions, but it can be installed and configured for many Unix
> variants.
>
>
> Affected versions:
>
> ISS X-Force has determined that version 3.9.6 through version 3.11.6 are
> vulnerable. All versions of Super distributed with Debian Linux are
> vulnerable. Execute the following command to determine version
> information:
>
> # /usr/bin/super -V
>
>
> Fix Information:
>
> Super 3.11.7 is available at:
> ftp.ucolick.org:/pub/users/will/super-3.11.7.tar.gz
>
> The new version of Super will be available soon on the mirror:
> ftp.onshore.com:/pub/mirror/software/super
>
> Please refer to these locations for fixes which are included in
> Super version 3.11.7.
>
> Description:
>
> Super is a utility that allows authorized users to execute commands with
> root privileges. It is intended to be an alternate to setuid scripts,
> which are inherently dangerous. A buffer overflow exists in Super that
> may allow attackers to take advantage of its setuid configuration to gain
> root access.
>
>
> Recommended Action:
>
> Version 3.11.7 should be installed immediately. Administrators should
> take care to disable setuid root utilities that are not used by regular
> users. To disable Super permanently, execute the following command
> as root to disable the setuid bit:
>
> # chmod 755 /usr/bin/super
>
> __________
>
> Copyright (c) 1999 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of X-Force. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please e-mail
> xforce@iss.net for permission.
>
> Disclaimer:
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
> as well as on MIT's PGP key server and PGP.com's key server.
>
> X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
>
> Please send suggestions, updates, and comments to: X-Force
> <xforce@iss.net> of Internet Security Systems, Inc.
>
--
Bob Tanner <tanner@real-time.com> | Phone : (612)943-8700
http://www.real-time.com | Fax : (612)943-8500
Key fingerprint = 6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
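The check-and-mitigate procedure from the quoted advisory (read the version with "super -V", treat 3.9.6 through 3.11.6 as vulnerable, and clear the setuid bit with chmod 755 until 3.11.7 is installed) as a POSIX shell script. This is an added example, not code from the advisory, ISS, or the Super package; it assumes "super -V" prints a dotted x.y.z version somewhere in its output, and all function names are my own.

```shell
# Added example, not code from the advisory or the Super package: audit a Super
# binary as the advisory recommends and apply its stop-gap (chmod 755).
# Assumption: "super -V" prints a dotted x.y.z version somewhere in its output.

# Map a dotted version "a.b.c" to one comparable integer (a*10^6 + b*10^3 + c).
version_key() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# True (0) when the version lies in the range the advisory reports as
# vulnerable: 3.9.6 through 3.11.6 inclusive.
super_version_vulnerable() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key 3.9.6)" ] && [ "$v" -le "$(version_key 3.11.6)" ]
}

# Print the first x.y.z token found in "super -V" output read from stdin.
parse_super_version() {
    awk '{ gsub(/[^0-9.]/, " "); for (i = 1; i <= NF; i++)
           if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}
# True (0) when the file carries the setuid bit.
is_setuid() { [ -u "$1" ]; }
# The advisory's stop-gap: drop the setuid bit; the binary stays runnable as an
# ordinary program but can no longer hand out root.
disable_setuid() { chmod 755 "$1"; }

# Audit one binary ($1, default /usr/bin/super). Returns 0 = outside the
# vulnerable range, 1 = vulnerable, 2 = absent or version unreadable.
audit_super() {
    bin=${1:-/usr/bin/super}
    [ -x "$bin" ] || { echo "$bin: not present"; return 2; }
    ver=$("$bin" -V 2>&1 | parse_super_version)
    [ -n "$ver" ] || { echo "$bin: version unreadable"; return 2; }
    if is_setuid "$bin"; then mode=setuid; else mode="not setuid"; fi
    if super_version_vulnerable "$ver"; then
        echo "$bin: version $ver VULNERABLE (3.9.6-3.11.6), $mode"; return 1
    fi
    echo "$bin: version $ver outside vulnerable range, $mode"
}

# Audit and, when vulnerable and still setuid, clear the bit ("set -e" safe).
remediate_super() {
    bin=${1:-/usr/bin/super}; rc=0
    audit_super "$bin" || rc=$?
    [ "$rc" -eq 1 ] && is_setuid "$bin" && disable_setuid "$bin"
    return "$rc"
}
```

Run "remediate_super" as root on a host that still has a 3.9.6 to 3.11.6 build installed; it only touches the mode bits, so the package upgrade to 3.11.7 is still required afterwards.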