INN versions 2.2 and earlier have a buffer overflow-related security
condition in the inews program.
inews is a program used to inject new postings into the news system.
It is used by many news reading programs and scripts. The default
installation is with inews setgid to the news group and world
executable. It's possible that exploiting the buffer overflow could
give the attacker news group privileges, which could possibly be
extended to root access.
No case of this being exploited has been shown yet.
If you run a news server with no local readers (i.e. all your
clients are remote) then you can remove the setgid-bit on inews.
chmod 0550 inews
The rnews program, used to feed news via uucp, is setuid to the
uucp user. No buffer overflow problems have been found in rnews,
but if you don't run uucp on your machine, then we recommend
disabling the setuid bit on rnews:
chown news rnews
chgrp news rnews
chmod 0550 rnews
A fuller description can be found at
http://www.isc.org/view.cgi?products/INN/inn2.2.vulnerability.phtml
The latest INN version 2.2.1
ftp://ftp.isc.org/isc/inn/inn-2.2.1.tar.gz
has the buffer overflow problem fixed. Upgrading is recommended,
if you cannot disable the inews setgid bit.
James
--
James Brister bristerat_private
Internet Software Consortium
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:23 PDT