[ SOURCE: http://www.secureroot.com/security/advisories/9641759395.html ]

============================================================================
                            Security Advisory
                      Berkeley Software Design, Inc.

Topic:   BSD/OS 2.0/2.0.1 kernel vulnerability
Number:  1996-03-05
Date:    March 5, 1996
Patch:   ftp://ftp.bsdi.com/bsdi/patches/patches-2.0.1/K201-008
=============================================================================

I.   Background

     A bug was found in an unused portion of the ptrace code in
     BSD/OS 2.0 and 2.0.1 that caused a system vulnerability.
     The bug is not present in the current release, BSD/OS 2.1.
     BSDI is not aware of anyone who is actively exploiting this bug.

     All BSDI customers with current support contracts were mailed
     floppies containing the patch for this problem. Customers without
     current support contracts can and should download the patch from
     the ftp server.

II.  Problem Description

     Permission checking for an unused operation was incorrect.

III. Impact

     The problem could allow local users to control privileged
     processes, and could thus allow users to acquire unauthorized
     permissions.

     This vulnerability can only be exploited by users with a valid
     account on the local system.

IV.  Solution(s)

     Install BSDI patch K201-008 on all BSD/OS 2.0 or 2.0.1 systems,
     or upgrade to BSD/OS 2.1.

=============================================================================
Berkeley Software Design, Inc.
5579 Tech Center Drive, Suite 110
Colorado Springs, CO 80919

Web Site:       http://www.bsdi.com/
BSDI Support:   +1 800 ITS BSD8 / +1 719 536 9346
Support Email:  support@bsdi.com
PGP Key:        ftp://ftp.bsdi.com/bsdi/info/pgp_key