CORRECTED(!) Linux Security FAQ Update#10: fvwm vulnerability
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Fri Jan 12 15:02:23 1996
Date: Fri, 12 Jan 1996 01:10:19 -0500 (EST)
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
To: Linux Security Mailing List <linux-security@tarsier.cv.nrao.edu>,
linux-alert@tarsier.cv.nrao.edu
cc: Linux Announce Submit <linux-announce@stc06.ctd.ornl.gov>
[ LINUX SECURITY FAQ UPDATES ADMIN INFORMATION ]
1. The Linux Security FAQ Update #10 released on Jan 11, 1996 is
hereby REVOKED. Please disregard the information in the Linux
Security FAQ Update#10 released on Jan 11, 1996.
2. The Linux Security FAQ Update #10 released on Jan 12, 1996 is
hereby made the OFFICIAL Linux Security FAQ Update#10 regarding
the fvwm vulnerability.
This is the corrected LSF Update#10. In the version of LSF Update#10 dated
January 11, 1996, and signed with the key "1024/ADF3EE95 1995/06/08 Linux
Security FAQ Primary Key <Alexander O. Yuriev>", an error was made in the
"Other Distributions" section. Unfortunately, no one noticed that error prior
to the Update being released.
-- Alexander O. Yuriev (alex@bach.cis.temple.edu)
Linux Security FAQ Update
Vulnerability of FVWM
January 12, 1996 00:46:37 EST
Copyright (C) 1995-96 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
=============================================================================
This is an official update of the Linux security FAQ, and it is supposed to
be signed by one of the following PGP keys:
1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff <juphoff@nrao.edu>
Jeffrey A. Uphoff <jeff.uphoff@linux.org>
1024/EFE347AD 1995/02/17 Olaf Kirch <okir@monad.swb.de>
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>
Unless you are able to verify at least one of these signatures, please be very
careful when following the instructions.
Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive
=============================================================================
ABSTRACT
A vulnerability exists in the FVWM version 1.24 and versions prior
to that. This vulnerability allows intruders to execute programs
as users other than themselves. Under certain circumstances if root
uses fvwm, a compromise of a root account is possible. This Linux
Security FAQ Update provides information about ways to fix this
hole.
RISK ASSESSMENT
In certain situations local users can execute commands under a
different UID. Root compromise is possible only if the root account
is used to run fvwm, which is not advisable.
SOLUTION TO THE PROBLEM
The successful attack against fvwm exploits a race condition that
occurs when fvwm performs certain operations. The following
information should allow one to prevent the race condition from
occurring.
1. /tmp directory should be owned by (root:root) with
world-write, world-execute and world-read permissions.
A sticky bit is *required* on this directory.
Use the following set of commands to change your /tmp
directory parameters to conform with the requirements:
chown root:root /tmp (make ownership root:root)
chmod 1777 /tmp (make protection mode 777 with the sticky bit set)
Note that "chmod +s" sets the setuid/setgid bits, not the sticky bit;
the sticky bit is "chmod +t", or the leading 1 in mode 1777.
2. Install the appropriate distribution-specific fix
Red Hat Commercial Linux 2.0 and 2.1
Marc Ewing (marc@redhat.com) provided the following information
about the official Red Hat RPM that fixes the hole. The
RPM for Intel architecture can be obtained from one of the
following URLs:
ftp://ftp.redhat.com/pub/redhat-2.1/i386/updates/RPMS/fvwm-1.24r-5.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat-2.1/fvwm-1.24r-5.i386.rpm
Users of RedHat/AXP should install fvwm for AXP
architecture. It is available from one of the following
URLs:
ftp://ftp.redhat.com/pub/redhat-2.1/axp-beta/updates/RPMS/fvwm-1.24r-5.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat-2.1/fvwm-1.24r-5.axp.rpm
Please verify the MD5 hash of the file prior to installing it.
af4bb44d5f3a390f04c5b0467b00e2a6 fvwm-1.24r-5.i386.rpm
88ae8be7f633192ccbd2f0cb407b7ecc fvwm-1.24r-5.axp.rpm
Caldera Network Desktop
Preview II users should follow the instructions for Red Hat
Commercial Linux 2.0 and 2.1 to install the updated RPM.
Debian/GNU Linux
Ian Murdock (imurdock@debian.org) provided the following
information about the official fvwm replacement for the
Debian/GNU Linux. The replacement can be obtained from
one of the following URLs:
ftp://ftp.debian.org/debian/debian-0.93/binary/x11/fvwm-1.24r-10.deb
ftp://bach.cis.temple.edu/Linux/Security/DISTRIBUTION-FIXES/Debian/fvwm-1.24r-10.deb
Please verify the MD5 hash of the file prior to installing it.
05958bb6eff51df2b933c268544c6541 fvwm-1.24r-10.deb
Slackware
All Slackware Linux distributions, including Slackware 3.0,
use a vulnerable fvwm. The maintainer of Slackware 3.0, Patrick
J. Volkerding, acknowledged the problem but did not have a
Slackware-specific patch as of Jan 11, 1996.
It is recommended that until the Slackware 3.0 package
that fixes this fvwm hole becomes available, users of
Slackware should follow instructions in the "Other
Distributions" section.
Yggdrasil
All distributions of Yggdrasil Plug & Play Linux are
believed to be vulnerable. Yggdrasil Inc. neither acknowledged
the problem nor provided any information from which it could
be concluded that their distributions are not vulnerable.
It is recommended that, even if Yggdrasil Inc. does not
acknowledge the existence of this problem, users of Yggdrasil
distributions follow the instructions in the "Other
Distributions" section.
Other Distributions
If no distribution-specific package that fixes the
fvwm security hole is available at this time, it is
recommended that either the use of fvwm be
discontinued, or the fixed version of fvwm used to build the
Debian/GNU Linux package be installed from source.
Its source code is available from one of the following
URLs:
ftp://ftp.debian.org/debian/debian-0.93/source/x11/fvwm-1.24r-10.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/fvwm-1.24r-10.tar.gz
Please verify the MD5 hash of the file prior to using it.
4bf102e2451ab7ae4fbc42712b3b79c2 fvwm-1.24r-10.tar.gz
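The two checks this update asks for, the /tmp ownership and sticky-bit requirement of step 1 and the MD5 verification of every package in step 2, as a small audit script. This is an added example, not code from the original update; it assumes a GNU or BSD ls whose -ld output starts with the mode string, and an md5sum(1) that prints "<hash>  <file>".

```sh
#!/bin/sh
# check_tmp_mode DIR: true only if DIR is a directory with mode 1777,
# i.e. rwx for everyone plus the sticky bit (the trailing "t"), which is
# what step 1 of the update requires for /tmp.
check_tmp_mode() {
    [ -d "$1" ] || return 1
    set -- $(ls -ld "$1")
    case "$1" in
        drwxrwxrwt*) return 0 ;;   # a "+" or "." suffix (ACL/SELinux) is fine
        *) return 1 ;;
    esac
}

# check_owner DIR USER GROUP: true only if ls reports DIR as owned by
# USER:GROUP (the update requires root:root for /tmp).
check_owner() {
    dir=$1 user=$2 group=$3
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    [ "$3" = "$user" ] && [ "$4" = "$group" ]
}

# verify_md5 FILE EXPECTED: true only if the MD5 digest of FILE equals
# EXPECTED, the check the update asks for before installing any package.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# Example calls (the digest is the one the update lists for the i386 RPM):
#   check_tmp_mode /tmp && check_owner /tmp root root && echo "/tmp OK"
#   verify_md5 fvwm-1.24r-5.i386.rpm af4bb44d5f3a390f04c5b0467b00e2a6 && echo "RPM OK"
```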
CREDITS
This LSF Update is based on the information provided by
Winfried Truemper (truemper@MI.Uni-Koeln.DE),
Marc Ewing (marc@redhat.com),
Olaf Kirch (okir@monad.swb.de),
Ian Murdock (imurdock@debian.org),
Austin Donnelly (and1000@cam.ac.uk) and
Patrick J. Volkerding (volkerdi@ftp.cdrom.com)
============================================================================
Alexander O. Yuriev Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
KeyID: 1024/D62D4489 Key Fingerprint: AE84534377CCC4E2 37B13C4D8CD3D501
Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
=============================================================================