The purpose of this email is twofold: 1) to inform you of a reported vulnerability involving one of your products, and 2) to obtain confirmation/clarification and knowledge of any measures taken to address this in the event it is viable. Below is the report (snipped):

--- Begin report ---

RedHat Linux (and possibly other distributions) ship with a file backup utility called 'dump'. Dump is installed in /sbin and is setuid and setgid root. When passed an oversized argument to the "-f a" parameters, dump will crash due to the stack being overrun by the excessive data. If this argument is crafted properly, it is possible to replace the EIP (instruction pointer or return address) on the stack and execute arbitrary code with the permissions of the process (gid of root). Dump drops setuid privileges, but does not drop setgid. As a result, it may be possible to exploit this vulnerability and gain setgid root privileges, which can lead to a complete system compromise.

Workaround: A work-around is to remove the setuid and setgid permissions from the file.

Reported by KimYongJun <s96192.ac.kr> in his post to BugTraq on February 28, 2000.

--- End report ---

An explanation of my query - I work for Infrastructure Defense, Inc., which provides private publications to Fortune 500 companies about information/computer security trends, vulnerabilities, etc. I strive to contact the appropriate parties whenever there is a question as to the veracity of a post, claim, or other. Hence, my email to you. I hope to hear from you soon.
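The root of the exposure described in the report is an incomplete privilege drop: the setuid bit is released but the root gid is kept, so a crash in the remaining code still runs with gid 0. The following is an added example, not code from dump or from any poster in this thread, showing a drop sequence that releases supplementary groups, gid and uid in the right order and then verifies that nothing privileged survived; the function name drop_privileges and its return convention are my own assumptions.

```c
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Permanently drop to the given uid/gid.
 * Order matters: supplementary groups, then gid, then uid. Once the uid is
 * no longer root, setgid() to an arbitrary group is refused, which is how a
 * program that drops uid first ends up keeping a privileged gid by accident.
 * Returns 0 on success, -1 if any step fails or any privilege remains. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, so only a root process can (and must)
     * clear the supplementary group list. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* setgid()/setuid() move real, effective and saved ids together, so the
     * old ids cannot be regained later. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than assume: every id must now equal the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If we left root, attempts to return to uid 0 / gid 0 must fail. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    if (gid != 0 && setgid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Dropping to our own real ids is permitted even for an unprivileged
     * process, so this runs as a plain user as well as as root. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed or incomplete\n");
        return 1;
    }
    printf("running as uid=%u gid=%u, no privilege retained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```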
As the official dump maintainer, I confirm that all versions of dump prior to and including 0.4b14 have the problem you described (although no known exploits have been reported). This was fixed in 0.4b15, released today, available from the dump home page (http://dump.sourceforge.net). I am sure that the people at RedHat will package and ship this latest version in the upcoming RedHat 6.2. Stelian.
This is also a problem in RH 6.1, 6.2beta, and Rawhide. I hope to see an update from RH soon!
Fixed in dump-0.4b19-5.