Linux News
The world is talking about GNU/Linux and Free/Open Source Software

Login

If you don't have an account yet, visit the registration page to sign up.

If you already have an account, you may login here:

Today's Big Story

Zed: A Next-Gen Rust-Based Open Source Code Editor With AI

LXer Features

Linux That's Small

Encryption, Trust, and the Hidden Dangers of Vendor-Controlled Data

My Linux Mint Tribute

How I Turned My Chromebook Into A "Mintbook"

Adventures With My New Chromebook

My Linux Laptop

Have something to say?

Ready to be published? LXer is read by around 350,000 individuals each month, and is an excellent place for you to publish your ideas, thoughts, reviews, complaints, etc. Do you have something to say to the Linux community?

Publish it here.

DaniWeb Linux Community
An exciting professional discussion group about software development, php, shell scripting, networking, ruby, and more.

Latest Discussions

See Activation Cube feature on Fedora 41 KDE Spin in VENV

You don't need AI to know how this goes

Should be a SNL skit

Please add https to lxer.com

Anyone remember Distrotest.net? I found a new one!

Site Menu

Other News

- LWN.net
Their weekly coverage of Linux news is unmatched in this community.

- LinuxGizmos.com
Excellent news for embedded Linux.

- LinuxQuestions.org
Discussion forums for Linux users.

LinuxQuestions.org is a friendly and active Linux Community with forums, reviews, a hardware compatibility list, a wiki, tutorials, a download site, a podcast and more.

Debian alert: New calife packages fix buffer overflow

Posted by dave on Mar 11, 2004 8:14 AM EDT
Mailing list

Mail this story
Print this story

Calife, a program which provides super user privileges to specific users, was found to contain a buffer overflow related to the getpass(3) library function. A local attacker could potentially exploit this vulnerability, given knowledge of a local user's password and the presence of at least one entry in /etc/calife.auth, to execute arbitrary code with root privileges.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- -------------------------------------------------------------------------- Debian Security Advisory DSA 461-1 [e-mail:security@debian.org] http://www.debian.org/security/ Matt Zimmerman March 11th, 2004 http://www.debian.org/security/faq - --------------------------------------------------------------------------

Package : calife Vulnerability : buffer overflow Problem-Type : local Debian-specific: no CVE Ids : CAN-2004-0188 Debian bug : 235157

Calife, a program which provides super user privileges to specific users, was found to contain a buffer overflow related to the getpass(3) library function. A local attacker could potentially exploit this vulnerability, given knowledge of a local user's password and the presence of at least one entry in /etc/calife.auth, to execute arbitrary code with root privileges.

For the current stable distribution (woody) this problem has been fixed in version 2.8.4c-1woody1.

For the unstable distribution (sid) this problem has been fixed in version 2.8.6-1.

We recommend that you update your calife package.

Upgrade Instructions - --------------------

wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1.dsc Size/MD5 checksum: 573 8def6850642ea48816f119986071c08c http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1.diff.gz Size/MD5 checksum: 5929 787f026768175eedd4faa087468bf07e http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c.orig.tar.gz Size/MD5 checksum: 67628 c78ff2bc3d3d42903d12b54e841a400f

Alpha architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_alpha.deb Size/MD5 checksum: 24528 1f19f26e3739df4767249dc5f46dbde7

ARM architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_arm.deb Size/MD5 checksum: 22086 fb858512bda4128cb6a7c5d73d3c7043

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_i386.deb Size/MD5 checksum: 22446 03096dc8a5bd5b020fa6e6d27591d780

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_ia64.deb Size/MD5 checksum: 26084 b77f33b501c0402c6882922431161ba3

HP Precision architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_hppa.deb Size/MD5 checksum: 22922 620682272cbacd5dae78f2842555265c

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_m68k.deb Size/MD5 checksum: 22208 7f904162126847bd6cdedb536321841f

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_mips.deb Size/MD5 checksum: 22658 2b6f0cf00246471330f2297fd747d63b

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_mipsel.deb Size/MD5 checksum: 22614 a5228887a678ff52d1a68e03df4d7f56

PowerPC architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_powerpc.deb Size/MD5 checksum: 22698 efaddbb63bed475b34ed5188b06cf8b5

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_s390.deb Size/MD5 checksum: 22928 5020310cf3c4800fde1f0a26b0ac0f3d

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/calife/calife_2.8.4c-1woody1_sparc.deb Size/MD5 checksum: 24936 75c41bd8275d8be77d289ae4aaaea0d8

These files will probably be moved into the stable distribution on its next revision.

- --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: [e-mail:debian-security-announce@lists.debian.org] Package info: 'apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAUJj6ArxCt0PiXR4RAhDPAKDEuQErvs77AfrSpWGqBbk2qgUoLwCfYPGD DXmuRxqgT7TfE2T0krFyeBE= =PwgL -----END PGP SIGNATURE-----

-- To UNSUBSCRIBE, email to [e-mail:debian-security-announce-request@lists.debian.org] with a subject of "unsubscribe". Trouble? Contact [e-mail:listmaster@lists.debian.org]

Linux NewsThe world is talking about GNU/Linux and Free/Open Source Software