Overview

Several Linux/Unix systems ship with a utility package called Taylor UUCP. A component of the UUCP package, uuxqt, fails to properly filter arguments from the commands sent to it. This can allow an intruder to gain elevated privileges and execute commands with the privileges of uucp, usually root.

Description

A component of the UUCP package, uuxqt, is a daemon that executes commands requested by uux either from the local system or from remote systems. Before executing the command, uuxqt is supposed to filter dangerous command arguments. It fails to properly filter command line arguments that are specified in their long format. This can allow an intruder to gain elevated privileges and execute commands.

---

Impact

An intruder can gain elevated privileges and execute commands.

---

Solution

Apply the patches and upgrades provided by your vendor.

---

Vendor Information

798263

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Updated: September 25, 2001

Status

Affected

Vendor Statement

<http://www.caldera.com/support/security/advisories/CSSA-2001-033.0.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

Conectiva __ Affected

Updated: September 25, 2001

Status

Affected

Vendor Statement

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

Debian __ Affected

Updated: September 25, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------------
Debian Security Advisory DSA 079-1 [email protected]
<http://www.debian.org/security/&gt; Martin Schulze
September 24, 2001
- ----------------------------------------------------------------------------

Package : uucp
Vulnerability : uucp uid/gid access
Problem-Type : local exploit
Debian-specific: no

zen-parse has found a problem with Taylor UUCP as distributed with
many GNU/Linux distributions. It was possible to make uux' execute uucp’ with malicious commandline arguments which gives an attacker
access to files owned by uid/gid uucp.

This problem has been fixed in version of 1.06.1-11potato1 for Debian
GNU/Linux 2.2 by using a patch that RedHat has provided.

We recommend that you upgrade your uucp package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- ------------------------------------

Source archives:

<http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.diff.gz&gt;
MD5 checksum: 4e2f02a4abd2ce86ffb0e154ef5d162b
<http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.dsc&gt;
MD5 checksum: fd358e7e14f32ffa16cd3f2e6137b05c
<http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1.orig.tar.gz&gt;
MD5 checksum: 390af5277915fcadbeee74d2f3038af9

Alpha architecture:

<http://security.debian.org/dists/stable/updates/main/binary-alpha/uucp_1.06.1-11potato1_alpha.deb&gt;
MD5 checksum: c1ad1038530a5ee1a6fb92fb90be287f

ARM architecture:

<http://security.debian.org/dists/stable/updates/main/binary-arm/uucp_1.06.1-11potato1_arm.deb&gt;
MD5 checksum: 5821d1b6b9bccfa7486183216ffc7dfa

Intel ia32 architecture:

<http://security.debian.org/dists/stable/updates/main/binary-i386/uucp_1.06.1-11potato1_i386.deb&gt;
MD5 checksum: deb9d76651686c2b0a2d51488e3cf0da

Motorola 680x0 architecture:

<http://security.debian.org/dists/stable/updates/main/binary-m68k/uucp_1.06.1-11potato1_m68k.deb&gt;
MD5 checksum: 37f78dceb1e6c3b492246c888a744af7

PowerPC architecture:

<http://security.debian.org/dists/stable/updates/main/binary-powerpc/uucp_1.06.1-11potato1_powerpc.deb&gt;
MD5 checksum: e2a81774e4cd6c1eabbcf1c8fbf2e406

Sun Sparc architecture:

<http://security.debian.org/dists/stable/updates/main/binary-sparc/uucp_1.06.1-11potato1_sparc.deb&gt;
MD5 checksum: 28148692a588b9b0c9b7598d0084fd2a

These files will be moved into the stable distribution on its next
revision.

- ----------------------------------------------------------------------------
For apt-get: deb <http://security.debian.org/&gt; stable/updates main
For dpkg-ftp: <ftp://security.debian.org/debian-security&gt; dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>’ and <http://packages.debian.org/&gt;&lt;pkg&gt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

iD8DBQE7ryqnW5ql+IAeqTIRAg85AKC3WjUR7+pcdnNzqJTKYCgAW7JPcgCgoKJz
Eyo1dUud25pN5l8FnvaeCas=
=rFIN
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

FreeBSD __ Affected

Notified: September 24, 2001 Updated: October 09, 2001

Status

Affected

Vendor Statement

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:62.uucp.asc&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

Hewlett Packard __ Affected

Notified: September 24, 2001 Updated: February 08, 2002

Status

Affected

Vendor Statement

HP Support Information Digests

`===============================================================================
o Security Bulletin Digest Split

The security bulletins digest has been split into multiple digests
based on the operating system (HP-UX, MPE/iX, and HP Secure OS
Software for Linux). You will continue to receive all security
bulletin digests unless you choose to update your subscriptions.
To update your subscriptions, use your browser to access the
IT Resource Center on the World Wide Web at:
<http://www.itresourcecenter.hp.com/>
Under the Maintenance and Support Menu, click on the “more…” link.
Then use the ‘login’ link at the left side of the screen to login
using your IT Resource Center User ID and Password.
Under the notifications section (near the bottom of the page), select
Support Information Digests.
To subscribe or unsubscribe to a specific security bulletin digest,
select or unselect the checkbox beside it. Then click the
“Update Subscriptions” button at the bottom of the page.
o IT Resource Center World Wide Web Service

If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:
<http://www.itresourcecenter.hp.com/>
Login using your IT Resource Center User ID and Password.
Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest.

`

Digest Name: daily HP Secure OS Software for Linux security bulletins digest Created: Wed Jan 23 3:00:08 PST 2002
Table of Contents:
`Document ID Title

---

HPSBTL0201-018 Updated uucp packages available
The documents are listed below.

`

Document ID: HPSBTL0201-018 Date Loaded: 20020122 Title: Updated uucp packages available
TEXT

`---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY bulletin: #018
Originally issued: 22 January '02

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer’s failure to fully implement instructions in this Security
Bulletin as soon as possible.
Because the vulnerability does not require a HP Secure OS
1.0 patch or re-packaging of the RPM affected by the bulletin, the
RPMs have not been produced or tested by Hewlett-Packard Company.
---------------------------------------------------------------
PROBLEM: Security flaw in the uuxqt utility of the uucp package.
PLATFORM: Any system running HP Secure OS software for Linux Release 1.0
DAMAGE: Local users can gain inappropriate privileges
SOLUTION: Apply the appropriate RPMs (see section B below)
MANUAL ACTIONS: None
AVAILABILITY: The RPMs are available now.

A. Background
Uuxqt is part of a remote command execution facility within
uucp. A flaw exists that allows local users to gain inappropriate
privileges. The uucp package is not included in the default
installation of HP Secure OS Software for Linux release 1.0.
B. Fixing the problem
Hewlett-Packard Company recommends that customers download the RPMs
listed in the following Red Hat Security Advisory:
2002-01-15 uucp (RHSA-2001-165) The uuxqt utility can be used to
execute arbitrary commands as uucp.uucp
<http://www.redhat.com/support/errata/RHSA-2001-165.html>
`

To install the security bulletin RPMs, use the following sequence of commands:
1. If you use the tripwire product, we recommend that you run a a consistency check and fix any violations before installing the security bulletin RPM.
tripwire --check --interactive
2. Install the bulletin RPM from the root account.
rpm -F <bulletin RPM name>
3. Update the tripwire database
tripwire --check --interactive

NOTE: The rpm -q <package name> command can be used to determine if the product is installed. Hewlett-Packard Company recommends applying the Security Bulletin fixes to installed packages only. The -F option to the RPM installer will only apply the fix if the package is currently installed on the system. Dependent RPMs can be found by using the "Find Latest RPMs" search facility at ``<http://www.redhat.com/apps/download>``. To find the latest dependent RPM enter the RPM's name in the "By Keyword" box.

C. To subscribe to automatically receive future HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:
Use your browser to access the HP IT Resource Center page at:
``<http://itrc.hp.com>``
Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login. Remember to save the User ID assigned to you, and your password. This login provides access to many useful areas of the ITRC.
In the leftmost frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.
D. To report new security vulnerabilities, send email to
[email protected]
Please encrypt any exploit information using the security-alert PGP key, available from your local key server. You may also get the security-alert PGP key by sending a message with a -subject- (not body) of 'get key' (no quotes) to [email protected].
Permission is granted for copying and circulating this bulletin to Hewlett-Packard Company (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.
` Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.

-----End of Document ID: HPSBTL0201-018--------------------------------------`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

MandrakeSoft __ Affected

Updated: September 25, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---

Mandrake Linux Security Update Advisory

---

Package name: uucp
Date: September 21st, 2001
Advisory ID: MDKSA-2001:078

Affected versions: 7.1, 7.2, 8.0, Corporate Server 1.0.1

---

Problem Description:

Zen Parse discovered that an argument handling problem that exists in
the uucp package can allow a local attacker to gain access to the uucp
user or group.

---

References:

<http://www.securityfocus.com/archive/1/212892&gt;

---

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
<http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS&gt;
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.1:
fa65ca8883349b9be0e6cf7db7dea76b 7.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 7.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm

Linux-Mandrake 7.2:
63dec090a832b711ff3a05577de6e375 7.2/RPMS/uucp-1.06.1-17.1mdk.i586.rpm
5e0b73597aaf0b0c731919e0e2608e2b 7.2/SRPMS/uucp-1.06.1-17.1mdk.src.rpm

Mandrake Linux 8.0:
1d285f9a496ae17aac3a43faaf93046a 8.0/RPMS/uucp-1.06.1-18.1mdk.i586.rpm
231f4436c3d4ba45190b6f00430a8b0d 8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm

Mandrake Linux 8.0 (PPC):
9634b394fe43ab951969ab5088a071f3 ppc/8.0/RPMS/uucp-1.06.1-18.1mdk.ppc.rpm
519859d31a9a04d84d8090a6a4885431 ppc/8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm

Corporate Server 1.0.1:
fa65ca8883349b9be0e6cf7db7dea76b 1.0.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 1.0.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm

---

Bug IDs fixed (see <https://qa.mandrakesoft.com> for more information):

---

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with “rpm -Fvh *.rpm”.

You can download the updates directly from one of the mirror sites
listed at:

<http://www.linux-mandrake.com/en/ftp.php3&gt;.

Updated packages are available in the “updates/[ver]/RPMS/” directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in “updates/8.0/RPMS/”. Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

<http://www.linux-mandrake.com/en/security/&gt;

If you want to report vulnerabilities, please contact

[email protected]

---

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

[email protected]

Mandrake Linux’s security announcements mailing list. Only
announcements are sent to this list and it is read-only.

[email protected]

Mandrake Linux’s security discussion mailing list. This list is open
to anyone to discuss Mandrake Linux security specifically and Linux
security in general.

To subscribe to either list, send a message to
[email protected]
with “subscribe [listname]” in the body of the message.

To remove yourself from either list, send a message to
[email protected]
with “unsubscribe [listname]” in the body of the message.

To get more information on either list, send a message to
[email protected]
with “info [listname]” in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

<http://www.linux-mandrake.com/en/flists.php3#security&gt;

---

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<[email protected]>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

iD8DBQE7qtfrmqjQ0CJFipgRAquLAJ46aDf85lnkDX7ZRp8bu3V05MT0qwCgxUvp
TZaGq2U8xKvGNEfQMRLErjc=
=mMTA
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

OpenBSD __ Affected

Updated: September 25, 2001

Status

Affected

Vendor Statement

<http://www.openbsd.org/errata.html#uucp&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

Red Hat __ Affected

Notified: September 25, 2001 Updated: January 18, 2002

Status

Affected

Vendor Statement

<http://www.redhat.com/support/errata/RHSA-2001-165.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

SuSE __ Affected

Updated: January 17, 2002

Status

Affected

Vendor Statement

<http://www.suse.de/de/support/security/2001_038_uucp_txt.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

Apple __ Not Affected

Updated: September 26, 2001

Status

Not Affected

Vendor Statement

Mac OS X is not vulnerable to the UUCP problems described in this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

IBM Not Affected

Notified: September 25, 2001 Updated: January 17, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23798263 Feedback>).

View all 11 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/3312&gt;
• <http://www.redhat.com/support/errata/RHSA-2001-165.html&gt;
• <http://www.suse.de/de/support/security/2001_038_uucp_txt.txt&gt;
• <http://www.caldera.com/support/security/advisories/CSSA-2001-033.0.txt&gt;
• <http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-078.php3?dis=8.0&gt;
• http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425
• <http://archives.neohapsis.com/archives/bugtraq/2001-09/0053.html&gt;

Acknowledgements

This vulnerability was discovered by zen-parse.

This document was written by Jason Rafail.

Other Information

CVE IDs:	CVE-2001-0873
Severity Metric:	21.38 Date Public: