Red Hat Bugzilla – Bug 9899
Linux dump buffer overflow
Last modified: 2008-05-01 11:37:54 EDT
The purpose of this email is twofold: 1) to inform you of a reported
vulnerability involving one of your products, and 2) to obtain
confirmation/clarification and knowledge of any measures taken to address
this in the event it is viable.
Below is the report (snipped):
--- Begin report ---
RedHat Linux (and possibly other distributions) ship with a file backup
utility called 'dump'. Dump is installed in /sbin and is setuid and setgid
root. When passed an oversized argument to the "-f a" parameters, dump
will crash due to the stack being overrun by the excessive data. If this
argument is crafted properly, it is possible to replace the EIP
(instruction pointer or return address) on the stack and execute arbitrary
code with the permissions of the process (gid of root). Dump drops setuid
privileges, but does not drop setgid. As a result, it may be possible to
exploit this vulnerability and gain setgid root privileges, which can lead
to a complete system compromise.
Workaround: A work-around is to remove the setuid and setgid permissions
from the file.
Reported by KimYongJun <firstname.lastname@example.org> in his post to BugTraq on
February 28, 2000.
--- End report ---
An explanation of my query - I work for Infrastructure Defense, Inc.,
which provides private publications to fortune 500 companies about
information/computer security trends, vulnerabilities, etc. I strive to
contact the appropriate parties whenever there is a question as to the
veracity of a post, claim, other. Hence, my email to you.
I hope to hear from you soon.
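The report above describes two defects: an argument copied into a fixed-size stack buffer without a length check, and a privilege drop that releases the setuid bit but keeps the setgid group. The following is an added illustration (not dump's own code; the buffer size and the argument name are assumptions) of how both are handled defensively: the copy refuses over-long input instead of overrunning, and the drop releases the gid before the uid and verifies the result.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed fixed-size buffer, standing in for the one dump used for "-f". */
#define DEVNAME_MAX 256

/* The unsafe pattern from the report would be: strcpy(devname, argv[i]);
 * An argument longer than the buffer overwrites the saved return address.
 * This version refuses anything that does not fit, NUL terminator included. */
int copy_device_arg(char *dst, size_t dstsz, const char *arg) {
    size_t n = strlen(arg);
    if (dstsz == 0 || n >= dstsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Drop both privileges, gid first: once setuid() has run, an unprivileged
 * process can no longer give up the setgid group, which is exactly the
 * half-drop the report describes. Return values are checked and the
 * drop is verified, so a failed drop is never silently ignored. */
int drop_privileges(void) {
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getegid() != gid || geteuid() != uid) return -1;
    return 0;
}

int main(int argc, char **argv) {
    char devname[DEVNAME_MAX];
    const char *arg = (argc > 1) ? argv[1] : "/dev/nst0"; /* constructed default */
    if (copy_device_arg(devname, sizeof devname, arg) != 0) {
        fprintf(stderr, "dump: -f argument too long (max %d bytes)\n", DEVNAME_MAX - 1);
        return 1;
    }
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("device: %s\n", devname);
    return 0;
}
```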
As the official dump maintainer, I confirm that all versions of dump prior to and
including 0.4b14 have the problem you described (although no known exploits have
This was fixed in 0.4b15, released today, available from the dump home page.
I am sure that the people at RedHat will package and ship this latest
version in the upcoming RedHat 6.2.
This is also a problem in RH 6.1, 6.2beta, and Rawhide. I hope to see an update
from RH soon!
Fixed in dump-0.4b19-5.