COMMAND

    userv

SYSTEMS AFFECTED

    userv 1.0.0 and prior

PROBLEM

    Ian Jackson found the following.  GNU userv 1.0.0 and earlier versions
    have a vulnerability where, under some conditions, some local  users
    may be able to carry out unauthorised actions, or (unlikely) be  able
    to take control of service user accounts.

    Affected versions of userv  sometimes make an out-of-bounds  array
    reference in the fd swapping algorithm.   The effect of this,  if
    any,  on i386  platforms is  usually to  corrupt the USERV_GROUPS
    and  USERV_GIDS   environment  variables   as  passed   to   child
    processes, replacing one of the caller's groups with a different,
    wrong group.

    This  means  that  service  programs  that  use  those environment
    variables (or other  information provided by  the caller) to  make
    access control  decisions may  be vulnerable  to trickery  by some
    local users.

    On  other  platforms  other  information  relied on in the service
    program may be corrupted.  It  may even be possible to induce  the
    userv subprocess which  later execs the  service program to  crash
    or behave maliciously,  though this latter  is unlikely and  would
    require considerable research to construct an exploit.
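    The following is an added example, not code from userv or from Ian
    Jackson's advisory.  It models the holdfd-assignment pass of the fd
    swapping table described above with a constructed four-entry table in
    which one slot has realfd -1 (the assumption here is that -1 marks a
    slot that is not being passed, mirroring the -1 sentinel the real code
    uses for holdfd).  Instead of dereferencing the computed index blindly,
    the pass routes it through a checker that records any index outside
    [0, used), so the 1.0.0 predicate (upper bound only) and the 1.0.1
    predicate (both bounds) can be compared without actually writing
    before the start of the array.  Field names follow the patch; the
    function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One entry of the fd-swapping table (constructed model of servexec.c's
   fdarray).  realfd: descriptor currently holding what must end up at this
   slot's number, or -1 when the slot is not passed (assumption).  holdfd:
   where this slot's current descriptor is parked meanwhile. */
struct fdent {
    int realfd;
    int holdfd;
};

#define MAX_OOB 16

/* Result of one run of the assignment pass. */
struct pass_result {
    int noob;          /* indexes that fell outside [0, used) */
    int oob[MAX_OOB];  /* the offending index values, in order */
};

/* Range predicate as in userv 1.0.0: upper bound only, so a negative realfd
   passes and becomes a negative array index. */
static int in_range_v100(int realfd, int used)
{
    return realfd < used;
}

/* Range predicate after the 1.0.1 fix. */
static int in_range_v101(int realfd, int used)
{
    return realfd < used && realfd >= 0;
}

/* The assignment pass, parameterised by the range predicate under test.
   In-range indexes are stored exactly as the real loop does; an index that
   the predicate let through but that lies outside the table is recorded in
   res rather than written, so the vulnerable variant runs without
   corrupting memory. */
void assign_holdfds(struct fdent *arr, int used,
                    int (*in_range)(int, int), struct pass_result *res)
{
    int fd;
    memset(res, 0, sizeof *res);
    for (fd = 0; fd < used; fd++) arr[fd].holdfd = -1;
    for (fd = 0; fd < used; fd++) {
        int target = arr[fd].realfd;
        if (!in_range(target, used)) continue;      /* predicate under test */
        if (target < 0 || target >= used) {         /* independent guard   */
            if (res->noob < MAX_OOB) res->oob[res->noob] = target;
            res->noob++;
            continue;
        }
        arr[target].holdfd = fd;
    }
}

/* Constructed sample table: slot 2 is not passed (realfd -1); slots 0 and 3
   swap, slot 1 keeps its own descriptor. */
static const struct fdent sample[] = {
    { 3, -1 }, { 1, -1 }, { -1, -1 }, { 0, -1 }
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

/* Runs the pass over the sample table with the given predicate.  Returns the
   number of out-of-bounds indexes the pass would have used (1 for the 1.0.0
   predicate: index -1, one entry before the array; 0 for 1.0.1) and, if out
   is non-NULL, copies the resulting table there. */
int oob_count(int (*in_range)(int, int), struct fdent *out)
{
    struct fdent arr[NSAMPLE];
    struct pass_result res;
    memcpy(arr, sample, sizeof arr);
    assign_holdfds(arr, NSAMPLE, in_range, &res);
    if (out) memcpy(out, arr, sizeof arr);
    return res.noob;
}

int main(void)
{
    struct fdent arr[NSAMPLE];
    int fd, n;
    n = oob_count(in_range_v100, arr);
    printf("1.0.0 predicate: %d out-of-bounds index(es)\n", n);
    n = oob_count(in_range_v101, arr);
    printf("1.0.1 predicate: %d out-of-bounds index(es)\n", n);
    for (fd = 0; fd < NSAMPLE; fd++)
        printf("  fd %d: realfd %2d holdfd %2d\n",
               fd, arr[fd].realfd, arr[fd].holdfd);
    return 0;
}
```

    With the 1.0.0 predicate the slot whose realfd is -1 produces a write to
    fdarray[-1].holdfd, i.e. into whatever object the compiler placed just
    before the table; that is the kind of neighbouring-data corruption the
    advisory describes for the group lists on i386.  With the 1.0.1
    predicate that slot is simply skipped and the remaining holdfd values
    come out as expected.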

    Access control tests carried out in userv's configuration language
    are not affected, as they take  place before the bug happens.   So
    users who do not configure (or have configured for them) any userv
    services are not vulnerable, and  users who are not configured  as
    callers for any userv services cannot exploit the problem.

    The bug also happens well after the userv server has given up  its
    root privilege  and switched  to the  service user,  so root itself
    is not at risk unless you have userv services provided by root which
    can be called by untrusted users.

SOLUTION

    GNU userv 1.0.1 is now available and fixes the problem.  Either
    upgrade to 1.0.1, or apply the patch below to 1.0.0, recompile and
    reinstall.

    Index: servexec.c
    ===================================================================
    RCS file: /usr/src/CVS/userv/servexec.c,v
    retrieving revision 1.13
    retrieving revision 1.14
    diff -u -r1.13 -r1.14
    --- servexec.c	2000/03/06 18:14:46	1.13
    +++ servexec.c	2000/07/27 00:08:34	1.14
    @@ -266,7 +266,8 @@
         fdarray[fd].holdfd= -1;
       }
       for (fd=0; fd<fdarrayused; fd++) {
    -    if (fdarray[fd].realfd < fdarrayused) fdarray[fdarray[fd].realfd].holdfd= fd;
    +    if (fdarray[fd].realfd < fdarrayused && fdarray[fd].realfd >= 0)
    +      fdarray[fdarray[fd].realfd].holdfd= fd;
       }
       for (fd=0; fd<fdarrayused; fd++) {
         realfd= fdarray[fd].realfd;
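Review bot: The guard on `fdarray[fd].realfd` before it is used as an index tested only the upper bound, so a negative `realfd` (this code already uses -1 as the "unset" value for `holdfd` a few lines above, and an unassigned `realfd` presumably carries the same sentinel) passed `< fdarrayused` and produced a write to `fdarray[-1].holdfd`, one entry before the start of the array; the added `>= 0` test closes that. Since the table is indexed by descriptor number, consider a small `fd_in_table(realfd)` helper, or a comment saying that a negative `realfd` means "not passed", so the two-sided check is self-explanatory and is not dropped again the next time this loop is touched; the same check is worth applying wherever else `realfd` is used as an index in the following loop (`realfd= fdarray[fd].realfd;`).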

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.dsc
        http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.tar.gz
        http://security.debian.org/dists/stable/updates/binary-alpha/userv_1.0.1.0slink_alpha.deb
        http://security.debian.org/dists/stable/updates/binary-i386/userv_1.0.1.0slink_i386.deb
        http://security.debian.org/dists/stable/updates/binary-m68k/userv_1.0.1.0slink_m68k.deb
        http://security.debian.org/dists/stable/updates/binary-sparc/userv_1.0.1.0slink_sparc.deb
        
        http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.dsc
        http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.tar.gz
        http://security.debian.org/dists/potato/updates/main/binary-alpha/userv_1.0.1.1potato_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/userv_1.0.1.1potato_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/userv_1.0.1.1potato_sparc.deb