Bug 9899 - Linux dump buffer overflow
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: dump
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2000-03-01 14:12 EST by smedina
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-11-01 10:02:54 EST
Description smedina 2000-03-01 14:12:37 EST
The purpose of this email is twofold: 1) to inform you of a reported
vulnerability involving one of your products, and 2) to obtain
confirmation/clarification and knowledge of any measures taken to address
this in the event it is viable.

Below is the report (snipped):

--- Begin report ---

RedHat Linux (and possibly other distributions) ship with a file backup
utility called 'dump'. Dump is installed in /sbin and is setuid and setgid
root. When passed an oversized argument to the "-f a" parameters, dump
will crash due to the stack being overrun by the excessive data. If this
argument is crafted properly, it is possible to replace the EIP
(instruction pointer or return address) on the stack and execute arbitrary
code with the permissions of the process (gid of root). Dump drops setuid
privileges, but does not drop setgid. As a result, it may be possible to
exploit this vulnerability and gain setgid root privileges, which can lead
to a complete system compromise.

Workaround: A work-around is to remove the setuid and setgid permissions
from the file.

Reported by KimYongJun <s96192@ce.hannam.ac.kr> in his post to BugTraq on
February 28, 2000.


--- End report ---


An explanation of my query - I work for Infrastructure Defense, Inc.,
which provides private publications to fortune 500 companies about
information/computer security trends, vulnerabilities, etc. I strive to
contact the appropriate parties whenever there is a question as to the
veracity of a post, claim, other. Hence, my email to you.

I hope to hear from you soon.
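The report above describes two separate defects: an unbounded copy of a command-line argument into a fixed stack buffer, and a privilege drop that discards setuid but keeps setgid. The following C example is added here for illustration and is not code from dump or from the reporter; the buffer size, function names, and constructed inputs are assumptions, since the page does not show dump's source. It places the unsafe copy pattern beside a bounded form that rejects oversized input, and shows a privilege drop that releases both the group and the user id and verifies the result.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical fixed-size buffer for the "-f" dump-file argument; the real
   size used by dump 0.4b14 is not given on the page. */
#define DUMPFILE_BUF 256

/* The pattern the report describes: an unbounded copy of an argv string
   into a fixed stack buffer. Shown for contrast only; never called here. */
void unsafe_set_dumpfile(const char *arg) {
    char dumpfile[DUMPFILE_BUF];
    strcpy(dumpfile, arg);   /* overruns the stack when strlen(arg) >= DUMPFILE_BUF */
    (void)dumpfile;
}

/* Hardened form: refuse any argument that does not fit together with its
   terminating NUL, instead of truncating silently. Returns 0 on success,
   -1 if the argument is rejected. */
int safe_set_dumpfile(char *dst, size_t dstlen, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstlen) {
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Drop setgid and setuid privileges, group first: once the effective uid is
   gone, a setuid-root program can no longer change its gid. Afterwards
   verify that effective ids equal real ids. Returns 0 if fully dropped. */
int drop_all_privileges(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    if (getegid() != getgid() || geteuid() != getuid()) return -1;
    return 0;
}

/* Self-contained checks with constructed inputs so the block runs offline. */
int normal_arg_is_accepted(void) {
    char buf[DUMPFILE_BUF];
    return safe_set_dumpfile(buf, sizeof buf, "/dev/nst0") == 0
        && strcmp(buf, "/dev/nst0") == 0;
}

int oversized_arg_is_rejected(void) {
    char buf[DUMPFILE_BUF];
    char big[DUMPFILE_BUF + 64];   /* constructed: longer than the destination */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return safe_set_dumpfile(buf, sizeof buf, big) == -1;
}

int main(void) {
    printf("normal argument accepted: %d\n", normal_arg_is_accepted());
    printf("oversized argument rejected: %d\n", oversized_arg_is_rejected());
    printf("all privileges dropped: %d\n", drop_all_privileges() == 0);
    return 0;
}
```

The check in drop_all_privileges() matters because setgid() and setuid() can fail without terminating the program; a setgid-root binary that ignores the return value keeps the elevated group id, which is exactly the exposure the report describes.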
Comment 1 Stelian Pop 2000-03-02 08:13:59 EST
As the official dump maintainer, I confirm that all versions of dump prior to and
including 0.4b14 have the problem you described (although no known exploits have
been reported).

This was fixed in 0.4b15, released today, available from dump home page
(http://dump.sourceforge.net).

I am sure that the people at RedHat will package and ship this latest
version in the upcoming RedHat 6.2.

Stelian.
Comment 2 Matthew Miller 2000-03-14 08:26:59 EST
This is also a problem in RH 6.1, 6.2beta, and Rawhide. I hope to see an update
from RH soon!
Comment 3 Jeff Johnson 2000-11-01 16:24:47 EST
Fixed in dump-0.4b19-5.