DSA-139-1 super -- format string vulnerability

Debian Security Advisory

DSA-139-1 super -- format string vulnerability

Date Reported:

01 Aug 2002

Affected Packages:

super

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 5367.
In Mitre's CVE dictionary: CVE-2002-0817.

More information:

GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access.

This problem has been fixed in version 3.12.2-2.1 for the old stable distribution (potato), in version 3.16.1-1.1 for the current stable distribution (woody) and in version 3.18.0-3 for the unstable distribution (sid).

We recommend that you upgrade your super package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1.dsc

http://security.debian.org/pool/updates/main/s/super/super_3.12.2.orig.tar.gz

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1.diff.gz

Alpha:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_arm.deb

Intel ia32:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_i386.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_m68k.deb

PowerPC:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_powerpc.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1.dsc

http://security.debian.org/pool/updates/main/s/super/super_3.16.1.orig.tar.gz

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1.diff.gz

Alpha:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_alpha.deb

Intel ia32:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_i386.deb

Intel ia64:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_ia64.deb

HP Precision:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_mipsel.deb

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_s390.deb

PowerPC:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_powerpc.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.