OpenBSD Journal

Patches available for Taylor UUCP

Contributed by webmaster on from the security dept.

Patch 015 has been released for OpenBSD 2.9. This patch addresses a vulnerability discovered by zen-parse and posted to BUGTRAQ on September 8. Since errata.html hasn't been updated yet, I will quote from the original BUGTRAQ advisory:
Due to incorrect argument handling in a component of the Taylor UUCP package, it is possible for local users to gain uid/gid uucp.

This may allow further elevation, depending on the system, up to and including root access.

On OpenBSD 2.8 (and probably others) it allows root compromise. By overwriting the uucp owned program /usr/bin/uustat, arbitrary commands may be executed as part of the /etc/daily crontab script.

On Redhat 7.0 (and probably others) it allows creation of empty files as root, and the ability to execute commands as if logged in at the console (as checked via /lib/security/pam_console.so). This may also allow further elevation of privileges, or denial of service. (Tested against uucp-1.06.1-25)

Other systems running this package are also affected to a greater or lesser degree.

A patch has also been released for systems running 2.8.
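
The OpenBSD case in the advisory comes down to a root-run script (/etc/daily) invoking a binary owned by a non-root account (/usr/bin/uustat, owned by uucp). The following audit for that condition is an added example, not code from the advisory or from OpenBSD; the function name `audit_script_bins` and its optional trusted-UID argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenBSD patch).
# audit_script_bins SCRIPT [TRUSTED_UID]
#   SCRIPT       a script that runs with privilege, e.g. /etc/daily
#   TRUSTED_UID  numeric uid expected to own everything it runs (default 0)
# Prints each absolute path named in SCRIPT that is an executable regular
# file and is either not owned by TRUSTED_UID or is group/world-writable.
# Assumption: only absolute paths are examined; commands resolved through
# PATH are not covered by this check.
audit_script_bins() {
    script=$1
    trusted=${2:-0}
    # Drop comments, extract absolute-path tokens, de-duplicate.
    sed 's/#.*//' "$script" |
        grep -oE '/[A-Za-z0-9_./-]+' |
        sort -u |
    while IFS= read -r path; do
        # Skip directories, config files and anything not executable.
        if [ ! -f "$path" ] || [ ! -x "$path" ]; then
            continue
        fi
        # -prune keeps find on the single path; the tests flag wrong owner,
        # group-writable and world-writable files.
        find "$path" -prune \
            \( ! -user "$trusted" -o -perm -020 -o -perm -002 \) -print
    done
}

# Stand-alone use: sh audit.sh /etc/daily
if [ "$#" -gt 0 ]; then
    audit_script_bins "$@"
fi
```

Any path it prints can be replaced by an account other than root, so it is either re-owned to root or removed from the privileged script.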



Comments
  1. By The Late JC () foo@bar.com on none

    Zen-parse is on pulltheplug.com and he lives in New Zealand. He likes Stabbing Westward.

  2. By Niekze () niekze@yahoo.com on http://www.nothingkillsfaster.com

    The patch suggests replacing /etc/daily with /usr/src/src/daily. There is no /usr/src/src directory in my source tree. There is a usr/src/etc/daily which, when given a diff, yields changes that reflect uucp. So, it appears that it was a mistake. Do a diff on /etc/daily and /usr/src/etc/daily and you will see that it appears to be the file that needs updating.
