Date: Fri, 29 Jun 2001 09:59:31 -0400 (EDT)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]Subject: [ESA-20010621-01] xinetd updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory June 21, 2001 |
| http://www.engardelinux.org/ ESA-20010621-01 |
| |
| Package: xinetd |
| Summary: There are various bugs and security issues in the version of |
| xinetd that shipped with EnGarde Secure Linux 1.0.1. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There are bugs (both security and non-security) in xinetd. The
non-security bug causes xinetd to fail after the first connection
attempt and the security bug can potentially lead to a root comprimise
via a buffer overflow.
DETAIL
- ------
The first bug is a non-security one. There were several reports on the
engarde-users mailing list of vsftpd only accepting the first connection
and dropping all subsequent ones. The users had a "Bad address" entry
from xinetd in their logs. Rob Braun explains this problem:
"The specific bug is in libs/src/misc/env.c, in the environment
handling. The grow() function does a realloc() to extend the
existing memory. The memory returned by realloc() is in an undefined
state, and that's what is causing the bad address."
This bug was fixed by upgrading to version 2.1.8.9pre15.
The other bugs are as follows:
1) xinetd was setting its umask to 0. Thus, any children of xinetd
would inherit this umask. This is not much of a security issue
because the only service that is run out of xinetd is vsftpd, which
sets its own umask (027 by default).
2) There was a buffer overflow in the logging code that could
potentially allow a remote attacker to obtain root privileges by
sending a very long username string in response to an ident
request. This bug was found by [email protected].
Both of these bugs were fixed by upgrading to version 2.1.8.9pre16.
Additionally, this version disables ident checking by default in
xinetd.conf. If you would like to disable ident checking completely
(which is recommended), you should remove the "USERID" option from the
"log_on_success" and "log_on_failure" lines of /etc/xinetd.d/ftp.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
Once the updated package is installed, you need to restart xinetd:
# /etc/init.d/xinetd restart
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/xinetd-2.1.8.9pre16-1.0.17.src.rpm
MD5 Sum: 118787db019ca76f44dc00cdca67c36e
Binary Packages:
i386/xinetd-2.1.8.9pre16-1.0.17.i386.rpm
MD5 Sum: a48c022c82055db97f415f3f18bdefcf
i686/xinetd-2.1.8.9pre16-1.0.17.i686.rpm
MD5 Sum: cc3e2a218918a1ff2c107b68d7cbe8b2
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
xinetd's Official Web Site:
http://www.xinetd.org/
- --------------------------------------------------------------------------
$Id: ESA-20010621-01-xinetd,v 1.2 2001/06/29 13:56:38 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7PInLHD5cqd57fu0RAgkGAJ0ReyjI3b+hz9tQBJWFedmkd+u1GgCfcFVh
K2dMdDUDg2TQaPr3sHkRR/E=
=3Xm5
-----END PGP SIGNATURE-----
