RedHat: userhelper vulnerability
Posted by LinuxSecurity.com Team   
RedHat Linux A security bug was found in userhelper; the bug can be exploited to provide local users with root access.
 
Package usermode, PAM
Synopsis New version of usermode fixes security bug
Advisory ID RHSA-2000:001-03
Issue Date 2000-01-04
Updated on 2000-01-07
Keywords root userhelper pam


1. Topic:
A security bug has been discovered and fixed in the userhelper program.

2000-01-07: usermode-1.17 introduced a bug that caused a segmentation fault in userhelper in some configurations, fixed in usermode-1.18.

2000-01-04: SysVinit package added for Red Hat Linux 6.0 to fix a dependency problem.

2. Problem description:
A security bug was found in userhelper; the bug can be exploited to provide local users with root access.

The bug has been fixed in userhelper-1.17, and pam-0.68-10 has been modified to help prevent similar attacks on other software in the future.

2000-01-04: Red Hat Linux 6.0 users will need to upgrade to SysVinit-2.77-2 to fix a minor dependency issue.

3. Bug IDs fixed: (see bugzilla for more information)

4. Relevant releases/architectures:
Red Hat Linux 6.1, all architectures

5. Obsoleted by:
None

6. Conflicts with:
None

7. RPMs required:

Intel:

ftp://updates.Red Hat.com/6.1/i386/

pam-0.68-10.i386.rpm
usermode-1.18-1.i386.rpm

Alpha:

ftp://updates.Red Hat.com/6.1/alpha

pam-0.68-10.alpha.rpm
usermode-1.18-1.alpha.rpm

SPARC:

ftp://updates.Red Hat.com/6.1/sparc

pam-0.68-10.sparc.rpm
usermode-1.18-1.sparc.rpm

Source:

ftp://updates.Red Hat.com/6.1/SRPMS

pam-0.68-10.src.rpm
usermode-1.18-1.src.rpm

8. Solution:
For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

9. Verification:


 MD5 sum                           Package Name

 -------------------------------------------------------------------------
bffd4388103fa99265e267eab7ae18c8  i386/pam-0.68-10.i386.rpm
93d5f7c1316d8b926d3a47d87b28b881  i386/usermode-1.18-1.i386.rpm
fed2c2ad4f95829e14727a9dfceaca07  alpha/pam-0.68-10.alpha.rpm
1a79bb403ad6d9de6bd205a901a7daee  alpha/usermode-1.18-1.alpha.rpm
350662253d09b17d0aca4e9c7a511675  sparc/pam-0.68-10.sparc.rpm
068a2d4e465e6c4a33dd1dbdd1a4fa02  sparc/usermode-1.18-1.sparc.rpm
f9ad800f56b7bb05ce595bad824a990d  SRPMS/pam-0.68-10.src.rpm
dfeca4a416f2d9417dcf739599f580fa  SRPMS/usermode-1.18-1.src.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
http://www.Red Hat.com/about/contact.html

You can verify each package with the following command: rpm --checksig filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg filename

Note that you need RPM >= 3.0 to check GnuPG keys.

10. References:
Thanks to dildog@l0pht.com for finding this bug.