4257916 1999-08-29  07:10  /54 rader/ Postmaster
Mottagare: Bugtraq (import) <7511>
Ärende: INN inews vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <14279.1624.776848.500278@velo.jab.fr>
Date:         Fri, 27 Aug 1999 23:43:53 +0200
Reply-To: brister@VIX.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: brister@VIX.COM
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

INN versions 2.2 and earlier have a buffer overflow-related security
condition in the inews program.

inews is a program used to inject new postings into the news system.
It is used by many news reading programs and scripts. The default
installation is with inews setgid to the news group and world
executable. It's possible that exploiting the buffer overflow could
give the attacker news group privileges, which could possibly be
extended to root access.

No case of this being exploited has been shown yet.

If you run a news server with no local readers (i.e. all your
clients are remote) then you can remove the setgid-bit on inews.

        chmod 0550 inews

The rnews program, used to feed news via uucp, is setuid to the
uucp user.  No buffer overflow problems have been found in rnews,
but if you don't run uucp on your machine, then we recommend
disabling the setuid bit on rnews:

        chown news rnews
        chgrp news rnews
        chmod 0550 rnews

A fuller description can be found at

        http://www.isc.org/view.cgi?products/INN/inn2.2.vulnerability.phtml

The latest INN version 2.2.1

        ftp://ftp.isc.org/isc/inn/inn-2.2.1.tar.gz

has the buffer overflow problem fixed. Upgrading is recommended,
if you cannot disable the inews setgid bit.

James
--
James Brister                                            brister@vix.com
Internet Software Consortium
(4257916) -----------------------------------