lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0404061503380.28035@qrag.fhfr.qr>
Date: Wed, 7 Apr 2004 03:07:59 +0200 (MEST)
From: Roman Drahtmueller <draht@...e.de>
To: bugtraq@...urityfocus.com, Rene <l0om@...luded.org>
Cc: security@...e.com
Subject: Re: SuSEs YaST Online Update - possible symlink attack


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>  
> possible symlink attack in SuSEs YOU [YaST Online 
> Update] 
>  in SuSE linux you can use YOU to auto update your system.  you can do
> this by YaST or by hand with the command "online_update".  as a normal
> user you can check for updates with the options "-q" or "-k".  By doing
> this "online_update" will do the follwing:  creats a directory in
> /usr/tmp/you-$USER in this direcoty it will creat the files "cookies",
> "quickcheack" and "youservers" (furthermore it creats some directorys-
> nevermind...).  it doesnt check for a allready existing directory called
> "you-$USER" or for files like "cookies"  which may be there.
>  

The problem is present in SUSE Linux 8.2 and 9.0. SUSE Linux releases
before 8.2 are not affected. 
Update packages for YOU will be released within the following days. They
fix the vulnerability by using the user's home directory for storing the
information about possibly pending updates. It should be noted that YOU
(Yast Online Update) needs (of course) to be run as root to be able to not
only check for updates, but to be able to actually install them.

> bye and have a lot of phun 
> 	l0om 

As usual, we appreciate notices about security vulnerabilities at 
security@...e.com, in particular because of lagged mailing lists.
Encryption keys, detailed contact information, statements, announcements,
useful links and other information can be found on the SUSE Security main
website at http://www.suse.de/security/.

Thanks,
Roman Drahtmüller,
SUSE Security.
- -- 
 -                                                                      -
| Roman Drahtmüller      <draht@...e.de> // "You don't need eyes to see, |
  SUSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: SUSE Security

iD8DBQFAc1R9nkDjEAAKq6QRAg7zAJ95HPW540RGkkDfNNajspL9JDfDsQCgj2Mn
VjvJ6TllMJKod4+xAgx/reo=
=RgTg
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ