PGP Signed Message | 1996-11-17 | 4KB | 88 lines
-----BEGIN PGP SIGNED MESSAGE-----
Probably all versions of the Shadow Password Suite, as used on many
Linux systems, have a serious security hole in the login program. It
is possible to overwrite the stack by entering a long user name at
the login prompt. This potentially allows remote users to gain root
privileges. No prior access to the vulnerable system is necessary.

Enclosed is a small patch to fix this bug. The complete package with
this patch already applied is available from the primary site:

    ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/shadow-960129.tar.gz

and should soon be available from the mirror sites:

    ftp://ftp.icm.edu.pl/pub/Linux/shadow/
    ftp://iguana.hut.fi/pub/linux/shadow/
    ftp://ftp.cin.net/usr/ggallag/shadow/
    ftp://ftp.netural.com/pub/linux/shadow/

Please verify the MD5 checksum before installation.

    45dd0995bb27ca4fd4dd4c866a15e095  shadow-960129.tar.gz

Please upgrade to this release immediately. Be careful, this is still
BETA software. I don't know how many bugs like this still remain :-(.
How this bug could go unnoticed for so many years is beyond me...

Regards,
Marek Michalkiewicz
marekm@i17linuxb.ists.pwr.wroc.pl
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQCVAwUBMQxT4hS8Z5KBPKcRAQFrPQP+LEAX7nrxQPwLBCqbP4e/T0ZsjjVNxzDi
dzAkStn3w7sm9s1scIjAAuchVJ/+u6Gk1d8IdXjoffuwD8gNWxhWyJIRxx9v7i5U
vCHn+33WtVBYgWWWr+wosR/AzFfhVIXjpAyuqmXSyepwiLZ8ifB1PO5oAljZO0jQ
Zh06dmWXJYw=
=xkY1
-----END PGP SIGNATURE-----
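
The advisory describes a stack overwrite triggered by a long user name at the login prompt. The C sketch below is an added example, not code from the Shadow suite or from the enclosed patch: it shows a bounded name read that rejects overlong input instead of truncating it. The function names, the return codes and the 32-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOGIN_NAME_MAX_LEN 32 /* assumed limit, not taken from the suite */

/* Read one line from `in` into name[size] without ever writing past it.
 * Returns 0 on success, -1 on empty input or EOF, -2 if the line was too
 * long. An overlong line is drained to its end and the buffer is cleared,
 * so neither a truncated name nor the leftover bytes are used later. */
int read_login_name(FILE *in, char *name, size_t size)
{
    size_t n = 0;
    int c, too_long = 0;
    if (in == NULL || name == NULL || size == 0)
        return -1;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < size)
            name[n++] = (char)c; /* always leaves room for the NUL */
        else
            too_long = 1;        /* keep reading, store nothing more */
    }
    name[n] = '\0';
    if (too_long) {
        memset(name, 0, size);
        return -2;
    }
    return n == 0 ? -1 : 0;
}

/* Demonstration helper: feed a constructed string through a temp file. */
int read_login_name_from_string(const char *input, char *name, size_t size)
{
    FILE *f = tmpfile();
    int rc;
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    rc = read_login_name(f, name, size);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[LOGIN_NAME_MAX_LEN];
    int rc = read_login_name_from_string("root\n", name, sizeof name);
    printf("rc=%d name=%s\n", rc, name);
    return 0;
}
```

Rejecting the whole line, rather than keeping its first bytes, avoids authenticating a different account whose name happens to be a prefix of the input.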