---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Buffer overflow in mars_nwe
Advisory ID: RHSA-1999:037-01
Issue date: 1999-09-13
Updated on:
Keywords: mars_nwe buffer
Cross references:
---------------------------------------------------------------------
1. Topic:
There are several buffer overruns in the mars_nwe package.
2. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):
5002
3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures
Red Hat Linux 4.2, 5.2 Intel
(mars_nwe was not built for Alpha and Sparc in previous
versions of Red Hat Linux.)
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 4.2:
Intel:
ftp://updates.redhat.com//4.2/i386/mars-nwe-0.99pl17-0.4.2.i386.rpm
Source packages:
ftp://updates.redhat.com//4.2/SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://updates.redhat.com//5.2/i386/mars-nwe-0.99pl17-0.5.2.i386.rpm
Source packages:
ftp://updates.redhat.com//5.2/SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com//6.0/i386/mars-nwe-0.99pl17-4.i386.rpm
Alpha:
ftp://updates.redhat.com//6.0/alpha/mars-nwe-0.99pl17-4.alpha.rpm
Sparc:
ftp://updates.redhat.com//6.0/sparc/mars-nwe-0.99pl17-4.sparc.rpm
Source packages:
ftp://updates.redhat.com//6.0/SRPMS/mars-nwe-0.99pl17-4.src.rpm
7. Problem description:
Buffer overflows are present in the mars_nwe package. Since
the code that contains these overflows is run as root, a
local root compromise is possible if users create carefully
designed directories and/or bindery objects.
A sample exploit has been made available.
Thanks go to Przemyslaw Frasunek (secure@freebsdf.lublin.pl)
and Babcia Padlina Ltd. for noting the problem and providing
a patch.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
350882fd246344891f04d7419561eb8f i386/mars-nwe-0.99pl17-0.4.2.i386.rpm
99134c2f507c906483320b9748b6334c SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm
2dd6f7cf55f8ed68ba40b9d98a91adaf i386/mars-nwe-0.99pl17-0.5.2.i386.rpm
e3d918c4e52ef051d169d7380e4d8cfe SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm
adbd809d9de3d22fed637bcf56ede66f i386/mars-nwe-0.99pl17-4.i386.rpm
729f888a3c1ebb87bcf04c204bf7b9dc alpha/mars-nwe-0.99pl17-4.alpha.rpm
bf73f67c225c2edce4d7ee52b5796803 sparc/mars-nwe-0.99pl17-4.sparc.rpm
b9c61129b2e04d25c48863ededc35568 SRPMS/mars-nwe-0.99pl17-4.src.rpm
These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp <filename>
10. References:
Bugtraq ID: 617
<19990830200449.54656.qmail@lagoon.FreeBSD.lublin.pl>
