COMMAND
ypbind (NIS)
SYSTEMS AFFECTED
ypbind (NIS)
PROBLEM
Following is based on a Debian Security Advisory. The version of
nis as distributed in Debian GNU/Linux 2.1 and 2.2 contains an
ypbind package with a security problem.
ypbind is used to request information from a nis server which is
then used by the local machine. The logging code in ypbind was
vulnerable to a printf formating attack which can be exploited by
passing ypbind a carefully crafted request. This way ypbind can
be made to run arbitrary code as root.
SOLUTION
This has been fixed in version 3.5-2.1 for Debian GNU/Linux 2.1
and version 3.8-0.1 for Debian GNU/Linux 2.2:
http://security.debian.org/dists/slink/updates/source/nis_3.5-2.1.diff.gz
http://security.debian.org/dists/slink/updates/source/nis_3.5-2.1.dsc
http://security.debian.org/dists/slink/updates/source/nis_3.5.orig.tar.gz
http://security.debian.org/dists/slink/updates/binary-i386/nis_3.5-2.1_i386.deb
http://security.debian.org/dists/slink/updates/binary-m68k/nis_3.5-2.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nis_3.8-0.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/source/nis_3.8-0.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/nis_3.8-0.1.dsc
http://security.debian.org/dists/stable/updates/main/source/nis_3.8.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-arm/nis_3.8-0.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nis_3.8-0.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nis_3.8-0.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nis_3.8-0.1_sparc.deb
For SuSE:
SuSE-7.0: ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/ypclient-3.5-89.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/ypserv-1.3.11-89.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/ypclient-3.5-89.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/ypserv-1.3.11-89.src.rpm
SuSE-6.4: ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/ypclient-3.4-95.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/ypclient-3.4-95.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/ypclient-3.4-95.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/ypserv-1.3.11-95.src.rpm
SuSE-6.3: ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/ypclient-3.4-95.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/ypserv-1.3.11-95.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/ypclient-3.4-95.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/ypserv-1.3.11-95.src.rpm
SuSE-6.2: ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/ypclient-3.4-95.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/ypserv-1.3.11-95.src.rpm
SuSE-6.1 and older: Please see the problem description above.
For RedHat:
ftp://updates.redhat.com/5.2/alpha/ypbind-3.3-10.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/ypbind-3.3-10.sparc.rpm
ftp://updates.redhat.com/5.2/i386/ypbind-3.3-10.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/ypbind-3.3-10.src.rpm
ftp://updates.redhat.com/6.2/alpha/ypbind-1.7-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/ypbind-1.7-0.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/i386/ypbind-1.7-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/ypbind-1.7-0.6.x.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/ypbind-3.3-25mdk.i586.rpm
6.0/RPMS/ypserv-1.3.9-4mdk.i586.rpm
6.0/SRPMS/ypbind-3.3-25mdk.src.rpm
6.0/SRPMS/ypserv-1.3.9-4mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/ypbind-3.3-25mdk.i586.rpm
6.1/RPMS/ypserv-1.3.9-4mdk.i586.rpm
6.1/SRPMS/ypbind-3.3-25mdk.src.rpm
6.1/SRPMS/ypserv-1.3.9-4mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/ypbind-3.3-25mdk.i586.rpm
7.0/RPMS/ypserv-1.3.9-4mdk.i586.rpm
7.0/SRPMS/ypbind-3.3-25mdk.src.rpm
7.0/SRPMS/ypserv-1.3.9-4mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/ypbind-3.3-25mdk.i586.rpm
7.1/RPMS/ypserv-1.3.9-4mdk.i586.rpm
7.1/SRPMS/ypbind-3.3-25mdk.src.rpm
7.1/SRPMS/ypserv-1.3.9-4mdk.src.rpm
Update for Immunix OS 6.2 (StackGuarded versions of the RedHat
packages) they can be found at:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/ypbind-1.7-0.6.x_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/ypbind-1.7-0.6.x_StackGuard.src.rpm
For Caldera:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/nis-client-2.0-12.i386.rpm
RPMS/nis-server-2.0-12.i386.rpm
SRPMS/nis-2.0-12.src.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/nis-client-2.0-12.i386.rpm
RPMS/nis-server-2.0-12.i386.rpm
SRPMS/nis-2.0-12.src.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/nis-client-2.0-12.i386.rpm
RPMS/nis-server-2.0-12.i386.rpm
SRPMS/nis-2.0-12.src.rpm
Trustix released updated package:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/ypbind-3.3-29tr.i586.rpm
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/ypbind-3.3-29tr.i586.rpm