-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.13: Vulnerability in the "abuse"

Caldera Security Advisory SA-1997.13
Original report date:  15-Jul-1997
RPM build date:        29-Jul-1997
Original issue date:   19-Aug-1997

Topic:  Vulnerability in the game "abuse"

I.  Problem Description

  There is a security vulnerability which installs the game abuse,
  /usr/lib/games/abuse/abuse.console suid root.  The abuse.console
  program loads its files without absolute pathnames, assuming the
  user is running abuse from the /usr/lib/games/abuse directory.
  One of these files is the undrv program, which abuse executes
  as root.  If the user is not in the abuse directory when running
  this, an arbitrary program can be substituted for undrv, allowing
  the user to execute arbitrary commands as root

II.  Impact

  An unprivileged user can execute commands as root, or open a shell
  as root.

  Abuse was distributed on the following OpenLinux releases:
    CND 1.0
    Base 1.0
    Lite 1.1
    Base 1.1
    Standard 1.1

  To determine if you are effected and need this update you may do
  the following:
    rpm -q abuse
  If the results show abuse-1.10-1 then you will need to update.

 III. Solution
  
  As a temporary workaround, you can remove the suid bit from
  abuse (chmod -s /usr/lib/games/abuse/abuse.console).  This
  will fix the problem, but will render the abuse.console game
  unusable to anyone except root.

  A better solution is to install the new abuse-1.10-2 package
  that contains the fixed version of abuse.  It can be found
  on Caldera/s FTP server. (ftp.caldera.com):
  
  /pub/openlinux/updates/1.1/current/RPMS/abuse-1.10-2.i386.rpm

  Source files are also available at:

  /pub/openlinux/updates/1.1/current/SPMS/abuse-1.10-2.src.rpm
  
  The MD5 checksums (from the "md5sum" command) for these packages
  are:
  
  dcfb1fc36d12f1dff9b137a96e0a92fd  RPMS/abuse-1.10-2.i386.rpm
  7ef5241a09f955bb7fe16abca716afac  SRPMS/abuse-1.10-2.src.rpm

  Changes in abuse-1.10-2 were:
  * remove the setuid bit from /usr/lib/games/abuse/abuse.console
  * added a secure setsuid wrapper /usr/games/abuse

  CND will need to upgrade to a newer version of the RPM tool to
  install this package.  See:

  ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-upgrade.README

IV.  References / Credits

  David Meltzer <davem@cmu.edu>

        http://www.reptile.net/linux/abuse-exploit.txt

  This advisory closes Caldera's internal bug report #801

V. PGP Signature

  This message was signed with the PGP key for <security@caldera.com>.

  This key can be obtained from:
    ftp://ftp.caldera.com/pub/pgp-keys/

  Or on an OpenLinux CDROM under:
    /OpenLinux/pgp-keys/

  $Id: SA-1997.13,v 1.1 1997/08/19 16:08:52 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBM/nFZen+9R4958LpAQEmWAP9FGNHciZ0Suv0BIawlutzSpS09Vvamt3P
FhTZuGifVSKV8jWjDx3Z+zBcntiCEgWeqPMffgg5qupwrEa3PMdxJi3gC0FBpe6Z
SIDNa2ZwDbgJKjoerYC8SmeCmIzQM1zIjXx2k5gX7YUVO49i7ebcp2EjIDmW+CaP
ch2kg08waOM=
=6BAf
-----END PGP SIGNATURE-----