Bug 9899

Summary: Linux dump buffer overflow
Product: [Retired] Red Hat Linux
Reporter: smedina
Component: dump
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 6.0
CC: mattdm, spop
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-11-01 15:02:54 UTC

Description smedina 2000-03-01 19:12:37 UTC
The purpose of this email is twofold: 1) to inform you of a reported
vulnerability involving one of your products, and 2) to obtain
confirmation/clarification and knowledge of any measures taken to address
this in the event it is viable.

Below is the report (snipped):

--- Begin report ---

RedHat Linux (and possibly other distributions) ship with a file backup
utility called 'dump'. Dump is installed in /sbin and is setuid and setgid
root. When passed an oversized argument to the "-f a" parameters, dump
will crash due to the stack being overrun by the excessive data. If this
argument is crafted properly, it is possible to replace the EIP
(instruction pointer or return address) on the stack and execute arbitrary
code with the permissions of the process (gid of root). Dump drops setuid
privileges, but does not drop setgid. As a result, it may be possible to
exploit this vulnerability and gain setgid root privileges, which can lead
to a complete system compromise.

Workaround: A work-around is to remove the setuid and setgid permissions
from the file.

Reported by KimYongJun <s96192.ac.kr> in his post to BugTraq on
February 28, 2000.


--- End report ---


An explanation of my query - I work for Infrastructure Defense, Inc.,
which provides private publications to fortune 500 companies about
information/computer security trends, vulnerabilities, etc. I strive to
contact the appropriate parties whenever there is a question as to the
veracity of a post, claim, or other. Hence, my email to you.

I hope to hear from you soon.
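
As an added example, not code from the report, from dump, or from Red Hat, this is the pattern that addresses both points the report raises: a bounded copy of the -f argument into a fixed stack buffer that rejects oversized input instead of overrunning it, and a privilege drop that gives up gid root as well as uid root and verifies the result. The buffer size, function names and sample device path are assumptions.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed size of the fixed buffer receiving the -f (dump file) argument;
 * the report does not give the real buffer's name or size. */
#define DUMPFILE_MAX 256

/* Copy the -f argument into a fixed-size buffer only when it fits, NUL
 * included; an unchecked copy would write an oversized argument past the
 * buffer's end. Returns 0 on success, -1 when the argument is rejected. */
int set_dumpfile(char *dst, size_t dstsz, const char *arg)
{
    const char *nul = memchr(arg, '\0', dstsz);  /* NUL within dstsz bytes? */
    if (nul == NULL)
        return -1;
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Drop gid as well as uid to the real ids, gid first: once root uid is gone
 * the process can no longer change its gid, which is how a program ends up
 * keeping gid root after dropping setuid. Returns 0 only when both effective
 * ids verifiably equal the real ids (a root process would also call
 * setgroups() here to clear supplementary groups). */
int drop_all_privs(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Exercise set_dumpfile() on constructed input: a normal tape device path,
 * then an argument twice the buffer size. Returns 1 when the first is
 * accepted intact and the second rejected. */
int check_dumpfile_handling(void)
{
    char buf[DUMPFILE_MAX];
    char big[DUMPFILE_MAX * 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (set_dumpfile(buf, sizeof buf, "/dev/nst0") != 0) return 0;
    if (strcmp(buf, "/dev/nst0") != 0) return 0;
    if (set_dumpfile(buf, sizeof buf, big) != -1) return 0;
    return 1;
}
```

Running as an ordinary user, setgid()/setuid() to the real ids succeed, so drop_all_privs() returns 0 either way; the point is the gid-first order and the verification afterwards.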

Comment 1 Stelian Pop 2000-03-02 13:13:59 UTC
As the official dump maintainer, I confirm that all versions of dump prior to and
including 0.4b14 have the problem you described (although no known exploits have
been reported).

This was fixed in 0.4b15, released today, available from dump home page
(http://dump.sourceforge.net).

I am sure that the people at RedHat will package and ship this latest
version in the upcoming RedHat 6.2.

Stelian.

Comment 2 Matthew Miller 2000-03-14 13:26:59 UTC
This is also a problem in RH 6.1, 6.2beta, and Rawhide. I hope to see an update
from RH soon!

Comment 3 Jeff Johnson 2000-11-01 21:24:47 UTC
Fixed in dump-0.4b19-5.