(Immunix Issues Fix) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
|
|
SecurityTracker Alert ID: 1008067 |
|
SecurityTracker URL: http://securitytracker.com/id/1008067
|
|
CVE Reference:
CAN-2003-0853, CAN-2003-0854
(Links to External Site)
|
Updated: Dec 1 2003
|
Original Entry Date: Nov 1 2003
|
Impact:
Denial of service via local system, Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in the GNU/Linux 'ls' utility. A remote user may be able to cause denial of service conditions by exploiting /bin/ls via remote applications, such as wu-ftpd.
Georgi Guninski reported an integer overflow in /bin/ls. Also, applications that invoke /bin/ls may be subject to denial of service attacks, the report said. A remote user may be able to cause an application (such as wu-ftpd) to invoke ls with the '-w' column width option and the '-C' option to consume a large amount of memory for a temporary period of time. The init_column_info() function will potentially allocate much more memory than is needed to display the relevant files. This can reportedly cause temporary denial of service conditions.
As a demonstration exploit of the memory consumption flaw, the following command can be used via wu-ftpd:
ls "-w 1000000 -C"
As a demonstration exploit for the integer overflow flaw, the following local command can be used:
/bin/ls -w 1073741828 -C
The /bin/ls utility is part of the GNU coreutils collection.
The original advisory is available at:
http://www.guninski.com/binls.html
|
Impact:
A remote user may be able to cause applications using /bin/ls to experience denial of service conditions.
|
Solution:
Immunix has released a fix.
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_imnx_3.i386.rpm
A source package for Immunix 7+ can be found at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_imnx_3.src.rpm
Immunix OS 7+ md5sums:
0e1d67ef1cd87d351963a8f85170d1d0 RPMS/fileutils-4.0x-3_imnx_3.i386.rpm
0bed0757cfa529a63a73cd62696dceec SRPMS/fileutils-4.0x-3_imnx_3.src.rpm
|
Cause:
State error
|
Underlying OS:
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 31 Oct 2003 18:15:12 -0800
Subject: [Immunix-announce] Immunix Secured OS 7+ fileutils update
|
--===============99400196000643737==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="r7tUYVWcdYzDJoZW"
Content-Disposition: inline
--r7tUYVWcdYzDJoZW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: fileutils
Affected products: Immunix OS 7+
Bugs fixed: CAN-2003-0853 CAN-2003-0854
Date: Fri Oct 31 2003
Advisory ID: IMNX-2003-7+-026-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------
Description:
Georgi Guninski has discovered an off-by-one error in ls(1)'s columns
handling code. This provided a providential opportunity to handle the
exponential memory usage involved in the columnar display; thus, we
have included a patch from Solar Designer to limit the number of
columns to 1024, reducing the chance of memory exhaustion and working
around the off-by-one vulnerability.
ls(1) is exposed through wu-ftpd, potentially to unauthenticated users.
If your setup is a chroot wu-ftpd, please replace the copy of ls in
the chroot with this copy.
This patch fixes CAN-2003-0853 and CAN-2003-0854. Many thanks to
Georgi Guninski and Solar Designer for spotting the problem and
providing the solution.
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_im=
nx_3.i386.rpm
A source package for Immunix 7+ can be found at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_i=
mnx_3.src.rpm
Immunix OS 7+ md5sums:
0e1d67ef1cd87d351963a8f85170d1d0 RPMS/fileutils-4.0x-3_imnx_3.i386.rpm
0bed0757cfa529a63a73cd62696dceec SRPMS/fileutils-4.0x-3_imnx_3.src.rpm
GPG verification: =
=20
Our public keys are available at http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
--r7tUYVWcdYzDJoZW
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/oxcwn5I6Lxt0VtoRAuAzAJ9qGY66Vs9gOcKEZwcfkgGaTTgI+gCeOuG8
PcNFysAfjmsYp4vJWByNxLg=
=JX9v
-----END PGP SIGNATURE-----
--r7tUYVWcdYzDJoZW--
--===============99400196000643737==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
--===============99400196000643737==--
|
|
