SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Fileutils (GNU) Vendors:   GNU [multiple authors]
(Immunix Issues Fix) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
SecurityTracker Alert ID:  1008067
SecurityTracker URL:  http://securitytracker.com/id/1008067
CVE Reference:   CVE-2003-0853, CVE-2003-0854   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Nov 1 2003
Impact:   Denial of service via local system, Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the GNU/Linux 'ls' utility. A remote user may be able to cause denial of service conditions by exploiting /bin/ls via remote applications, such as wu-ftpd.

Georgi Guninski reported an integer overflow in /bin/ls. Also, applications that invoke /bin/ls may be subject to denial of service attacks, the report said. A remote user may be able to cause an application (such as wu-ftpd) to invoke ls with the '-w' column width option and the '-C' option to consume a large amount of memory for a temporary period of time. The init_column_info() function will potentially allocate much more memory than is needed to display the relevant files. This can reportedly cause temporary denial of service conditions.

As a demonstration exploit of the memory consumption flaw, the following command can be used via wu-ftpd:

ls "-w 1000000 -C"

As a demonstration exploit for the integer overflow flaw, the following local command can be used:

/bin/ls -w 1073741828 -C

The /bin/ls utility is part of the GNU coreutils collection.

The original advisory is available at:

http://www.guninski.com/binls.html

Impact:   A remote user may be able to cause applications using /bin/ls to experience denial of service conditions.
Solution:   Immunix has released a fix.

Package names and locations:

Precompiled binary packages for Immunix 7+ are available at:

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_imnx_3.i386.rpm

A source package for Immunix 7+ can be found at:

http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_imnx_3.src.rpm

Immunix OS 7+ md5sums:

0e1d67ef1cd87d351963a8f85170d1d0 RPMS/fileutils-4.0x-3_imnx_3.i386.rpm
0bed0757cfa529a63a73cd62696dceec SRPMS/fileutils-4.0x-3_imnx_3.src.rpm

Cause:   State error

Message History:   This archive entry is a follow-up to the message listed below.
Oct 22 2003 GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications



 Source Message Contents

Subject:  [Immunix-announce] Immunix Secured OS 7+ fileutils update



--===============99400196000643737==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="r7tUYVWcdYzDJoZW"
Content-Disposition: inline


--r7tUYVWcdYzDJoZW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	fileutils
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2003-0853 CAN-2003-0854
Date:			Fri Oct 31 2003
Advisory ID:		IMNX-2003-7+-026-01
Author:			Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  Georgi Guninski has discovered an off-by-one error in ls(1)'s columns
  handling code. This provided a providential opportunity to handle the
  exponential memory usage involved in the columnar display; thus, we
  have included a patch from Solar Designer to limit the number of
  columns to 1024, reducing the chance of memory exhaustion and working
  around the off-by-one vulnerability.

  ls(1) is exposed through wu-ftpd, potentially to unauthenticated users.
  If your setup is a chroot wu-ftpd, please replace the copy of ls in
  the chroot with this copy.

  This patch fixes CAN-2003-0853 and CAN-2003-0854. Many thanks to
  Georgi Guninski and Solar Designer for spotting the problem and
  providing the solution.

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_im=
nx_3.i386.rpm

  A source package for Immunix 7+ can be found at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_i=
mnx_3.src.rpm

Immunix OS 7+ md5sums:
  0e1d67ef1cd87d351963a8f85170d1d0  RPMS/fileutils-4.0x-3_imnx_3.i386.rpm
  0bed0757cfa529a63a73cd62696dceec  SRPMS/fileutils-4.0x-3_imnx_3.src.rpm


GPG verification:                                                          =
    =20
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

--r7tUYVWcdYzDJoZW
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/oxcwn5I6Lxt0VtoRAuAzAJ9qGY66Vs9gOcKEZwcfkgGaTTgI+gCeOuG8
PcNFysAfjmsYp4vJWByNxLg=
=JX9v
-----END PGP SIGNATURE-----

--r7tUYVWcdYzDJoZW--

--===============99400196000643737==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce

--===============99400196000643737==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC