O-048: Debian fsp Buffer Overflow Vulnerability

CIAC INFORMATION BULLETIN

O-048: Debian fsp Buffer Overflow Vulnerability

[Debian Security Advisory DSA-416-1]

January 8, 2004 22:00 GMT

PROBLEM: Debian announced two vulnerabilities in fsp, the client utilities for File Service Protocol (FSP): a remote user could escape from the FSP root directory (CAN-2003-1022), and could overflow a fixed-length buffer to execute arbitrary code (CAN-2004-0011).
PLATFORM: Debian GNU/Linux 3.0 (woody)
DAMAGE: If successfully exploited, a remote attacker could execute arbitrary code.
SOLUTION: - Update the fsp package to version 2.81.b3-3.1woody1 on Debian 3.0 (woody); the unstable distribution is fixed in version 2.81.b18-1.
- The update rebuilds both the fsp client package and the fspd daemon package (see the package list in the Debian advisory below); install both on hosts that run the daemon.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. A remote attacker could execute arbitrary code.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-048.shtml
  ORIGINAL BULLETIN: http://www.debian.org/security/2004/dsa-416
  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1022
           http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0011
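The two bug classes named in the PROBLEM field, shown as an added illustrative C example: this is not fsp's code and is not derived from the fsp sources or the advisory. It pairs the unchecked strcpy pattern behind a fixed-length buffer overflow with a length-checked copy, and adds a lexical check that keeps a client-supplied path under the FSP root. ROOT, NAME_BUF, MAX_DEPTH and all function names are assumptions made for the example.

```c
/* Added illustrative example (not fsp's code): the two bug classes named in
 * DSA-416, root-directory escape and fixed-length buffer overflow, each next
 * to a hardened form. ROOT, NAME_BUF, MAX_DEPTH and function names are assumed. */
#include <stdio.h>
#include <string.h>

#define ROOT "/var/ftp/fsp"   /* assumed server root, not from the advisory */
#define NAME_BUF 64           /* assumed fixed buffer size */
#define MAX_DEPTH 128         /* assumed limit on path components */

/* Vulnerable pattern: untrusted input copied into a fixed buffer with no
 * length check. Input longer than NAME_BUF-1 bytes writes past 'name'.
 * Kept only for contrast; never call it with attacker-controlled data. */
void copy_name_unchecked(char name[NAME_BUF], const char *untrusted)
{
    strcpy(name, untrusted);
}

/* Hardened form: refuse input that does not fit rather than truncate or
 * overflow. Returns 1 and fills 'name' on success, 0 if the input is too long. */
int copy_name_checked(char name[NAME_BUF], const char *untrusted)
{
    const char *nul = memchr(untrusted, '\0', NAME_BUF);
    if (nul == NULL)
        return 0;                        /* no terminator within NAME_BUF bytes */
    memcpy(name, untrusted, (size_t)(nul - untrusted) + 1);
    return 1;
}

/* Lexically resolve a client-supplied path under ROOT. "." is dropped, ".."
 * pops one component, and any ".." that would climb above ROOT is rejected.
 * Returns 1 with the resolved path in 'out' (outlen bytes), otherwise 0. */
int resolve_in_root(const char *req, char *out, size_t outlen)
{
    const char *parts[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/')
            p++;                         /* skip separators, including leading ones */
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;                /* would escape the root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return 0;
        parts[depth] = start;
        lens[depth] = len;
        depth++;
    }

    size_t used = strlen(ROOT);
    if (used + 1 > outlen)
        return 0;
    memcpy(out, ROOT, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen)
            return 0;                    /* resolved path would not fit */
        out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* 1 if 'req' is accepted and resolves exactly to 'expected', else 0. */
int resolves_to(const char *req, const char *expected)
{
    char out[256];
    return resolve_in_root(req, out, sizeof out) && strcmp(out, expected) == 0;
}

/* 1 if a name of n non-NUL bytes is accepted by copy_name_checked. */
int name_of_length_fits(size_t n)
{
    char buf[512], name[NAME_BUF];
    if (n >= sizeof buf)
        return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return copy_name_checked(name, buf);
}

int main(void)
{
    const char *reqs[] = { "pub/readme.txt", "/pub/./docs/../readme.txt",
                           "pub/../../etc/passwd", ".." };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        char out[256];
        if (resolve_in_root(reqs[i], out, sizeof out))
            printf("%-28s -> %s\n", reqs[i], out);
        else
            printf("%-28s -> rejected (escapes root)\n", reqs[i]);
    }
    printf("63-byte name fits: %d, 64-byte name fits: %d\n",
           name_of_length_fits(63), name_of_length_fits(64));
    return 0;
}
```

The path check is purely lexical: it stops ".." from climbing above ROOT but does nothing about symbolic links already inside the root, which a server has to handle separately (for example by resolving the final path and comparing its prefix to ROOT). copy_name_checked refuses over-long input instead of silently truncating, so the caller can answer with a protocol error rather than operate on a mangled name.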

[***** Start Debian Security Advisory DSA-416-1 *****]

Debian Security Advisory
DSA-416-1 fsp -- buffer overflow, directory traversal
Date Reported: 06 Jan 2004
Affected Packages: fsp
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CAN-2003-1022, CAN-2004-0011.

More information: 
A vulnerability was discovered in fsp, client utilities for File Service 
Protocol (FSP), whereby a remote user could escape from the FSP root 
directory (CAN-2003-1022) and overflow a fixed-length buffer to 
execute arbitrary code (CAN-2004-0011).

For the current stable distribution (woody) this problem has been fixed 
in version 2.81.b3-3.1woody1.

For the unstable distribution, this problem is fixed in version 2.81.b18-1.

We recommend that you update your fsp package.

Fixed in: 
Debian GNU/Linux 3.0 (woody)

Source: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1.dsc

http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1.diff.gz

http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3.orig.tar.gz

Alpha: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_alpha.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_alpha.deb

ARM: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_arm.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_arm.deb

Intel IA-32: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_i386.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_i386.deb

Intel IA-64: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_ia64.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_ia64.deb

HPPA: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_hppa.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_hppa.deb

Motorola 680x0: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_m68k.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_m68k.deb

Big endian MIPS: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_mips.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_mips.deb

Little endian MIPS: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_mipsel.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_mipsel.deb

PowerPC: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_powerpc.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_powerpc.deb

IBM S/390: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_s390.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_s390.deb

Sun Sparc: 
http://security.debian.org/pool/updates/main/f/fsp/fsp_2.81.b3-3.1woody1_sparc.deb

http://security.debian.org/pool/updates/main/f/fsp/fspd_2.81.b3-3.1woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.



Last Modified: Thu, Jan 8 06:35:52 UTC 2004 
Copyright © 2004 SPI; See license terms
Debian is a registered trademark of Software in the Public Interest, Inc. 


[***** End Debian Security Advisory DSA-416-1 *****]


CIAC wishes to acknowledge the contributions of Debian for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788