> "SAS software provides the foundation, tools, and
> solutions for data analysis, report generation,
> and enterprise-wide information delivery."
>
> The "SAS Job Spawner", sastcpd, contains both a buffer
> overflow and a format string vulnerability.
>
> SAS Support say that these problems were fixed in version
> 8.2 of this product, but we are unable to confirm as we
> do not have access to this version.

This problem appears to be addressed by the following product note:

http://www.sas.com/service/techsup/unotes/SN/004/004201.html

Some additional information Digital Shadow neglected to include:

sastcpd is part of the SAS/Base component. Although I neither work for SAS, nor do I use their product on a regular basis, I'd assume this means the scope of exposure is broad.

Additionally, it appears that the objspawn program included with the SAS/Integration Technologies product is also vulnerable to these bugs. objspawn is also a setuid root executable by default. See the above link for more information.

Cheers,
ellipse