lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1DOVw9-000145-2j@mercury.mandriva.com>
Date: Thu, 21 Apr 2005 01:17:21 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:077 - Updated cdrecord packages fix vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cdrecord
 Advisory ID:            MDKSA-2005:077
 Date:                   April 20th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0,
			 Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Javier Fernandez-Sanguino Pena discovered that cdrecord created
 temporary files in an insecure manner if DEBUG was enabled in
 /etc/cdrecord/rscsi.  If the default value was used (which stored
 the debug output file in /tmp), a symbolic link attack could be used
 to create or overwrite arbitrary files with the privileges of the
 user invoking cdrecord.  Please note that by default this configuration
 file does not exist in Mandriva Linux so unless you create it and
 enable DEBUG, this does not affect you.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0866
  http://bugs.debian.org/291376
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 b76b1f88a021c51f2ed0e01e1655cced  10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.i586.rpm
 647980c29121e4cb656e0786007e6e5c  10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.i586.rpm
 31e3ed2e746db7f53914d063c4cb1ad0  10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.i586.rpm
 7715dc6d38cf9f89be7ec823ce3ae80a  10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.i586.rpm
 ba546809bbddf8d3034e19a9eb7b302d  10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 1bc7d6c833f4457fd95f17f98d79015a  amd64/10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.amd64.rpm
 1ddb746abc3a1330b4807a024b3ca9ee  amd64/10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.amd64.rpm
 ddf466f2357364d42486693b4532240f  amd64/10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.amd64.rpm
 e899df2f7be3e50b0bd59aef795ffa52  amd64/10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.amd64.rpm
 ba546809bbddf8d3034e19a9eb7b302d  amd64/10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm

 Mandrakelinux 10.1:
 794bf04c820b0260d0e694f062c905f2  10.1/RPMS/cdrecord-2.01-1.1.101mdk.i586.rpm
 42ec8777385b893d8251599570c36c73  10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.i586.rpm
 3d058e44f07c83879278baaa495e8450  10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.i586.rpm
 e6a9c9c198b54ea22adc0bd7911cffaf  10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.i586.rpm
 c1c45207be3fd2ca3aefb58a644bc82a  10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.i586.rpm
 37ab3e2083acb6faa1e7b36afe2165a7  10.1/RPMS/mkisofs-2.01-1.1.101mdk.i586.rpm
 768f4f60b9790fac5b557746c98e3505  10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 e8480e54f0ceb69ad4b24ef8a708a9b9  x86_64/10.1/RPMS/cdrecord-2.01-1.1.101mdk.x86_64.rpm
 6599dacd7cc7f2348afc4b163f958364  x86_64/10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.x86_64.rpm
 1701e03afa8804c5c98322a90af10ba5  x86_64/10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.x86_64.rpm
 2cfb1b7cd36e366f9f869934a580a996  x86_64/10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.x86_64.rpm
 77cbb47faa8da69d4757043a50163c97  x86_64/10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.x86_64.rpm
 1ecb8362b876ba63d81bafc0079db541  x86_64/10.1/RPMS/mkisofs-2.01-1.1.101mdk.x86_64.rpm
 768f4f60b9790fac5b557746c98e3505  x86_64/10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 e88cb26c11fa7db8cc0d635dc3f09746  10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.i586.rpm
 d581a2787035515872382465d5a0b52d  10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.i586.rpm
 96f46be6665c42b4a24f03cdfecda60f  10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.i586.rpm
 a7abba59fdf0e767c2d6029ea681c457  10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.i586.rpm
 51a00a1b64e8ec4ea09b399ebfce1da1  10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.i586.rpm
 33bab4de7eced57809cb3e88fd4da58c  10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.i586.rpm
 f3fb0008491fe53605279f76b218cb8d  10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 15a112f392f250ea82a2bc54bb74f32f  x86_64/10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 7c872b9867899f5b7f4c30c37ca1c4e0  x86_64/10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 06ebe0c9e9f8c1366d19122d77841270  x86_64/10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 fe2c5214b8e5765326177a606afd8995  x86_64/10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 3f16d1f23475953132c39e73d5a5eb36  x86_64/10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 d41ca3a964192961a8df1ebc51d74b14  x86_64/10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
 f3fb0008491fe53605279f76b218cb8d  x86_64/10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm

 Corporate Server 2.1:
 41f690bdc4e9ed38a5e07b441dc68e2e  corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.i586.rpm
 21fd0a4f61d96d8099bfc7e420078997  corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.i586.rpm
 a88c902c395ab6922bd187bdb89f9f37  corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.i586.rpm
 a256764d4fa4206aa252b6abb9826a07  corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.i586.rpm
 3afc5d3ae2642fc622ba33a70982f22b  corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.i586.rpm
 9d0ad887fde0366818d4efd867a024c3  corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 3a2e0f073569f2b3cfebc2048894515a  x86_64/corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.x86_64.rpm
 71680076240e7ec0166416eb73e7af7a  x86_64/corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.x86_64.rpm
 7395c0654192b3bc1cf2ba298c82df46  x86_64/corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.x86_64.rpm
 9f2de918b15db99cf89e1e6d3c86c24f  x86_64/corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.x86_64.rpm
 2644ac211232f9a10aa1519b00f5e364  x86_64/corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.x86_64.rpm
 9d0ad887fde0366818d4efd867a024c3  x86_64/corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm

 Corporate 3.0:
 3352fc19b054b565996b0322db3ced25  corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.i586.rpm
 46df5e69acd47306efcb732942a0365b  corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.i586.rpm
 8addf58eff5059b2f10daab5766db805  corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.i586.rpm
 70c2e71dfaa1f44962a123becf6ec988  corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.i586.rpm
 5f772fbe88aab2ae890b71e46c83976f  corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 11a0aaf96ba4ea707fdbe421ad0dd9ad  x86_64/corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.x86_64.rpm
 a8ea5673da05ec4bdbbd95e4c85b91e1  x86_64/corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.x86_64.rpm
 384896d7b6ad11ad8eafac6db166ef8e  x86_64/corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.x86_64.rpm
 07615c675d0a11b2f4b78db6d2ba2736  x86_64/corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.x86_64.rpm
 5f772fbe88aab2ae890b71e46c83976f  x86_64/corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZ1OAmqjQ0CJFipgRAideAJ9YPKcVLcK7lfsggj8X28ELtETxtQCffkye
K2ljRmUOow003gkCohr01X8=
=hGQi
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ