lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040419185040.18774.qmail@updates.mandrakesoft.com>
Date: 19 Apr 2004 18:50:40 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:031 - Updated utempter packages fix several vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           utempter
 Advisory ID:            MDKSA-2004:031
 Date:                   April 19th, 2004

 Affected versions:	 10.0, 9.1, 9.2, Corporate Server 2.1,
			 Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Steve Grubb discovered two potential issues in the utempter program:
 
 1) If the path to the device contained /../ or /./ or //, the                 
 program was not exiting as it should. It would be possible to use something 
 like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked 
 to another important file, programs that have root privileges that do no 
 further validation can then overwrite whatever the symlink pointed to.
                                                                                
 2) Several calls to strncpy without a manual termination of the string.
 This would most likely crash utempter.
 
 The updated packages are patched to correct these problems.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 e5458d8e68dd55b2dcface9f2ead71cd  10.0/RPMS/libutempter0-0.5.2-12.1.100mdk.i586.rpm
 366d48de884799751c7110f84d835cc0  10.0/RPMS/libutempter0-devel-0.5.2-12.1.100mdk.i586.rpm
 6eabf21bdf9d7eba1a86fac4589e5714  10.0/RPMS/utempter-0.5.2-12.1.100mdk.i586.rpm
 52a5e2fa807981cba7156213684bb9ce  10.0/SRPMS/utempter-0.5.2-12.1.100mdk.src.rpm

 Corporate Server 2.1:
 c16478b61d52db976f712b5817bbf167  corporate/2.1/RPMS/libutempter0-0.5.2-11.1.C21mdk.i586.rpm
 7f74bd805709457dfb71a3bdc91f2577  corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.1.C21mdk.i586.rpm
 eb25144f12a1d93d7d9634964a1d7bbd  corporate/2.1/RPMS/utempter-0.5.2-11.1.C21mdk.i586.rpm
 ef9fe684449e0faaf59be81ed63df284  corporate/2.1/SRPMS/utempter-0.5.2-11.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 284d5f6f9bded143a8d26c8062eb9e70  x86_64/corporate/2.1/RPMS/libutempter0-0.5.2-11.1.C21mdk.x86_64.rpm
 62ada7f5235b513c978dc8eea2184b8b  x86_64/corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.1.C21mdk.x86_64.rpm
 8755f9214bb5412a204b24e6cce68ab5  x86_64/corporate/2.1/RPMS/utempter-0.5.2-11.1.C21mdk.x86_64.rpm
 ef9fe684449e0faaf59be81ed63df284  x86_64/corporate/2.1/SRPMS/utempter-0.5.2-11.1.C21mdk.src.rpm

 Mandrakelinux 9.1:
 ff42f22d509bf90dc87c29acf970548b  9.1/RPMS/libutempter0-0.5.2-10.1.91mdk.i586.rpm
 7f100656a81b88e2ddc0f1a3ffd6cc1d  9.1/RPMS/libutempter0-devel-0.5.2-10.1.91mdk.i586.rpm
 ae56735580eaff60027404a27843b28f  9.1/RPMS/utempter-0.5.2-10.1.91mdk.i586.rpm
 1f308d636a246978a66f79802467e09b  9.1/SRPMS/utempter-0.5.2-10.1.91mdk.src.rpm

 Mandrakelinux 9.1/PPC:
 1c72b8d5bf1e88e267fdd818094f1d52  ppc/9.1/RPMS/libutempter0-0.5.2-10.1.91mdk.ppc.rpm
 45e56e24d73c0744460908206164bad6  ppc/9.1/RPMS/libutempter0-devel-0.5.2-10.1.91mdk.ppc.rpm
 218199c662a394416a5b37ce95fe69fe  ppc/9.1/RPMS/utempter-0.5.2-10.1.91mdk.ppc.rpm
 1f308d636a246978a66f79802467e09b  ppc/9.1/SRPMS/utempter-0.5.2-10.1.91mdk.src.rpm

 Mandrakelinux 9.2:
 90522a1350a48e3527ac5d62e9f42d02  9.2/RPMS/libutempter0-0.5.2-12.1.92mdk.i586.rpm
 93cc7f6b06e932fb669cf4f6e76d219f  9.2/RPMS/libutempter0-devel-0.5.2-12.1.92mdk.i586.rpm
 9295f7ce85188523ef2ddf02e2137d4b  9.2/RPMS/utempter-0.5.2-12.1.92mdk.i586.rpm
 6bcb323d7d50949a1b4f8bae5bd84fd6  9.2/SRPMS/utempter-0.5.2-12.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 92b815911cfc95b1fe982b1e6d34fbe9  amd64/9.2/RPMS/lib64utempter0-0.5.2-12.1.92mdk.amd64.rpm
 7e5c27d4817e8bd1cb661baf4fa2098d  amd64/9.2/RPMS/lib64utempter0-devel-0.5.2-12.1.92mdk.amd64.rpm
 d83101f51887fa4576ba70bd44dc96d4  amd64/9.2/RPMS/utempter-0.5.2-12.1.92mdk.amd64.rpm
 6bcb323d7d50949a1b4f8bae5bd84fd6  amd64/9.2/SRPMS/utempter-0.5.2-12.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 4a73fd406115139f44a96595d7a7d636  mnf8.2/RPMS/libutempter0-0.5.2-5.1.M82mdk.i586.rpm
 4ec3be7ee3b1afc20cee08edd699d88c  mnf8.2/RPMS/libutempter0-devel-0.5.2-5.1.M82mdk.i586.rpm
 6f88c9436293c120c90877f12d8426a9  mnf8.2/RPMS/utempter-0.5.2-5.1.M82mdk.i586.rpm
 273359b6f93965a0995a6c11cf3a1d77  mnf8.2/SRPMS/utempter-0.5.2-5.1.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAhB+AmqjQ0CJFipgRAph7AKDlya68fexJ14qf1DchzBMhGBA+0gCgsOEM
aRlgv9npCuiEhF7aWN+PaJg=
=5mCk
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ