Bug 112078
| Summary: | CAN-2003-0966 buffer overflow in frm command | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Need Real Name <phr-redhat> |
| Component: | elm | Assignee: | Karsten Hopp <karsten> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1 | CC: | mjc |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Linux | | |
| URL: | http://www.nightsong.com/phr/spam-crash.txt | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-01-14 14:48:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Need Real Name
2003-12-14 03:16:11 UTC
Verified. This is a standard static buffer overflow that could be exploited. Fortunately elm is quite old and is not included in any Red Hat distribution since Red Hat Linux 8.0. I've allocated CVE name CAN-2003-0966 for this issue. I'd like to share this with other Linux distribution vendor security teams in case they still ship elm. Please let me know if this is okay.

Created attachment 96552
patch for CAN-2003-0966

Yes of course feel free to notify other vendors, you shouldn't need my permission. Also, as mentioned, I opened a CERT report. The program with the bug is a useful one and if it's really removed from new RH distributions, it'll cause me some nuisance since I'll have to reinstall it when I upgrade to the next version. On the other hand, the many other programs in that suite probably should all be audited, which may not be worth the hassle any more.

On a brief investigation the code to implement 'from' in the updated (forked?) Elm-ME looked like it had been completely rewritten to avoid anything relating to a strcpy and fixed sized buffers. However it would seem to me that the functionality of the 'frm' command could be trivially written by a tiny perl or python script.

A number of other vendors are affected and some of them want time to look for other issues in frm. I've proposed a public release date of Jan 14th 2004 for this issue.

CAN-2003-0966 Affects: 2.1AS 2.1AW

CAN-2003-0966 Affects: 7.1 7.2 7.3 (now end of life, won't fix)

*** Bug 112356 has been marked as a duplicate of this bug. ***

When we update elm we'd like to acknowledge you in the advisory. If you'd like credits please let us know your name.

Thanks, name is Paul Rubin.
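The thread calls the flaw a static buffer overflow and notes that Elm-ME's rewrite avoids strcpy and fixed-size buffers, but the vulnerable code is not shown here. As an added example (not code from elm, Elm-ME or attachment 96552), the following shows a bounded copy of a mail header value into a fixed-size field, as a frm-style tool would need; `copy_header_value`, `FIELD_MAX` and the sample headers are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed field size, not taken from elm */

/* Hypothetical helper: if `line` is the header `name` (case-insensitive),
 * copy its value into dst (capacity dstsz) without writing past the end.
 * Returns 0 = not this header, 1 = copied whole, 2 = copied but truncated. */
int copy_header_value(const char *line, const char *name,
                      char *dst, size_t dstsz)
{
    size_t nlen = strlen(name);
    if (dstsz == 0)
        return 0;
    for (size_t i = 0; i < nlen; i++)   /* stops at line's NUL on mismatch */
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    if (line[nlen] != ':')
        return 0;
    const char *val = line + nlen + 1;
    while (*val == ' ' || *val == '\t')
        val++;
    size_t vlen = strcspn(val, "\r\n");            /* value ends at end of line */
    size_t n = vlen < dstsz - 1 ? vlen : dstsz - 1;
    memcpy(dst, val, n);    /* the unbounded form would be strcpy(dst, val) */
    dst[n] = '\0';
    return vlen > n ? 2 : 1;
}

int main(void)
{
    /* Constructed sample: one ordinary header and one oversized header. */
    char longline[600] = "Subject: ";
    memset(longline + 9, 'A', 500);
    const char *lines[] = { "From: alice@example.org\n", longline };
    const char *names[] = { "From", "Subject" };
    char field[FIELD_MAX];

    for (size_t i = 0; i < 2; i++) {
        int rc = copy_header_value(lines[i], names[i], field, sizeof field);
        printf("%s: rc=%d stored=%zu bytes\n", names[i], rc, strlen(field));
    }
    return 0;
}
```

The return value lets the caller log or flag truncated headers, which is also a useful signal that a mailbox contains abnormally long header lines.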