Debian Security Advisory

INN -- Buffer overflow in INN inews program

Date Reported:

07 Sep 1999

Affected Packages:

inewsinn
inn-dev
inn

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-1999-0705.

More information:

We have a report covering a buffer overflow in the inews program as provided by the INN news server. This program is used by local clients to inject news articles to the server. In order to be able to connect to the news server through a Unix domain socket it needs to run setgid "news". By exploiting this bug local users can gain "news" privileges. After that they are able to modify the configuration for the INN server as well as destroy News databases and files. We recommend upgrading your inews-inn package immediately.

Fixed in:

Source:: http://security.debian.org/dists/slink/updates/source/inn_1.7.2-4.1.diff.gz; http://security.debian.org/dists/slink/updates/source/inn_1.7.2-4.1.dsc; http://security.debian.org/dists/slink/updates/source/inn_1.7.2.orig.tar.gz
i386:: http://security.debian.org/dists/slink/updates/binary-i386/inewsinn_1.7.2-4.1_i386.deb; http://security.debian.org/dists/slink/updates/binary-i386/inn-dev_1.7.2-4.1_i386.deb; http://security.debian.org/dists/slink/updates/binary-i386/inn_1.7.2-4.1_i386.deb
m68k:: http://security.debian.org/dists/slink/updates/binary-m68k/inewsinn_1.7.2-4.1_m68k.deb; http://security.debian.org/dists/slink/updates/binary-m68k/inn-dev_1.7.2-4.1_m68k.deb; http://security.debian.org/dists/slink/updates/binary-m68k/inn_1.7.2-4.1_m68k.deb
sparc:: http://security.debian.org/dists/slink/updates/binary-sparc/inewsinn_1.7.2-4.1_sparc.deb; http://security.debian.org/dists/slink/updates/binary-sparc/inn-dev_1.7.2-4.1_sparc.deb; http://security.debian.org/dists/slink/updates/binary-sparc/inn_1.7.2-4.1_sparc.deb