• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: SLRNPull Spool Directory Command Line Parameter Buffer Overflow Vulnerability

Severity: MODERATE

Description:

SLRN is a freely available, open source news reading utility. It is developed and maintained by the SLRN project, and designed for use on various operating systems. This problem affects the UNIX and Linux implementation.

It may be possible for a local user to gain elevated privileges. The problem is in the handling of long directory spool names.

Due to a boundary condition error, a buffer overflow condition exists in spool directory names. This problem affects the slrnpull program, included as part of the slrn package. When slrnpull is executed with the -d flag, and a file name of greater than 4091 bytes, the overflow makes it possible to overwrite process memory, including the return address.

While the default installation of slrnpull is as a non-privileged user from source, some operating systems include slrnpull as a setuid or setgid executable. By including the program with these privileges, a local user could exploit this overflow to execute user-supplied instructions, and gain elevated privileges.

Affected Products:

• Conectiva Linux 4.0.0
• Conectiva Linux 4.0.0 es
• Conectiva Linux 4.1.0
• Conectiva Linux 4.2.0
• Conectiva Linux 5.0.0
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Conectiva Linux ecommerce
• Conectiva Linux graficas
• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• MandrakeSoft Corporate Server 1.0.1
• MandrakeSoft Linux Mandrake 6.0.0
• MandrakeSoft Linux Mandrake 6.1.0
• MandrakeSoft Linux Mandrake 7.0.0
• MandrakeSoft Linux Mandrake 7.1.0
• MandrakeSoft Linux Mandrake 7.2.0
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.0.0 sparc
• SLRN Development Team slrn 0.9.6 .2
• SLRN Development Team slrn 0.9.6 .3
• SLRN Development Team slrn 0.9.6 .4

References:

• slrn: slrn Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.