COMMAND

    bbd (Big Brother)

SYSTEMS AFFECTED

    Big Brother Systems and Network Monitor (All prior to 1.5c2)

PROBLEM

    Andrew Dalgleish found the following.  A vulnerability exists such
    that arbitrary commands can be executed with the same
    userid/permissions as the user running bbd: the message bbd
    receives is handed to do_bb() without shell metacharacters being
    filtered out first.

SOLUTION

    Download and install the latest version from

        http://bb4.com

    or, for versions 1.4g to 1.5c1, add this statement in bbd.c:

        /*** Read this as backquote dollarsign ***/
        /***   semi-colon ampersand vertical_bar ***/
        /***   backslash backslash ***/
        clean_string(msgbuf,"`$;&|\\");

    before this one

        do_bb(msgbuf);

    For versions prior to 1.4g, add this function in bbd.c:

        /* Overwrite every occurrence of each character in rm_chars
         * with a space.  Needs <string.h> for strchr(). */
        void clean_string(char *str, const char *rm_chars)
        {
                char *tmpstr;

                while (*rm_chars) {
                        while ((tmpstr = strchr(str, *rm_chars)) != NULL)
                                *tmpstr = ' ';
                        rm_chars++;
                }
        }

    and add this statement

        /*** Read this as backquote dollarsign ***/
        /***   semi-colon ampersand vertical_bar ***/
        /***   backslash backslash ***/
        clean_string(msgbuf,"`$;&|\\");

    before this statement

        do_bb(msgbuf);

    Recompile bbd (make) and reinstall (make install).  The
    clean_string(msgbuf,"`$;&|\\"); statement blanks the '&' character
    as well, which disables some display functionality in BB, but the
    loss is very minor.  Note that the patch only neutralises the six
    characters listed; any other character a shell treats specially is
    left in place, so treat it as a stopgap and upgrade to the latest
    version if you want a fully working version.

    Note: BB should not be run as root!
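    As an added example (not from the advisory or the Big Brother
    source), the following C program applies the advisory's
    clean_string() filter to a few constructed status messages and then
    counts the shell-special characters the denylist leaves in place.
    The broader metacharacter list, the buffer size and the sample
    messages are this example's own assumptions; whether any surviving
    character is reachable depends on how do_bb() builds its command,
    which the advisory does not show.

```c
/* Added example: exercises the advisory's clean_string() filter and reports
 * which shell-special characters it leaves behind.  Not part of bbd.c. */
#include <stdio.h>
#include <string.h>

/* Same behaviour as the bbd.c patch: each occurrence of a character
 * from rm_chars is overwritten in place with a space. */
void clean_string(char *str, const char *rm_chars)
{
    char *p;
    for (; *rm_chars; rm_chars++)
        while ((p = strchr(str, *rm_chars)) != NULL)
            *p = ' ';
}

/* The six characters the advisory's patch blanks. */
#define BBD_RM_CHARS "`$;&|\\"

/* Characters a POSIX shell treats specially.  This list is an assumption
 * of this example (it is not from the advisory) and is used only to show
 * what the denylist does not touch. */
#define SHELL_META "`$;&|\\\"'<>()*?[]{}~#\n"

#define MSG_MAX 1024   /* working-buffer size, chosen for this example */

/* Run the patch's filter over a copy of msg.  Returns the number of bytes
 * blanked, or -1 if msg does not fit in the working buffer. */
static int filter_copy(const char *msg, char out[MSG_MAX])
{
    int blanked = 0;
    size_t i, n = strlen(msg);
    if (n >= MSG_MAX)
        return -1;
    memcpy(out, msg, n + 1);
    for (i = 0; i < n; i++)
        if (strchr(BBD_RM_CHARS, out[i]) != NULL)
            blanked++;
    clean_string(out, BBD_RM_CHARS);
    return blanked;
}

/* Number of bytes the advisory's patch would blank in msg. */
int blanked_by_patch(const char *msg)
{
    char buf[MSG_MAX];
    return filter_copy(msg, buf);
}

/* Number of shell-special characters that survive the patch's filter. */
int residual_after_patch(const char *msg)
{
    char buf[MSG_MAX];
    int n = 0;
    size_t i;
    if (filter_copy(msg, buf) < 0)
        return -1;
    for (i = 0; buf[i]; i++)
        if (strchr(SHELL_META, buf[i]) != NULL)
            n++;
    return n;
}

/* 1 if filtering msg yields exactly expected, else 0. */
int filtered_equals(const char *msg, const char *expected)
{
    char buf[MSG_MAX];
    if (filter_copy(msg, buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample messages in the shape of a BB status report;
     * the hostnames and payloads are made up for this example. */
    const char *samples[] = {
        "status www.disk green `id`",
        "status www.cpu red $(id) | tee /tmp/x",
        "status www.http green\n(id) >/tmp/x",
    };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("blanked=%d residual=%d\n",
               blanked_by_patch(samples[k]),
               residual_after_patch(samples[k]));
    return 0;
}
```

    The first sample is fully neutralised; the second and third keep
    parentheses, a newline and a redirection that the six-character
    denylist never looks at, which is why the advisory itself points at
    upgrading rather than relying on the patch.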