lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1E8QRp-0003mF-Fc@mercury.mandriva.com>
Date: Thu, 25 Aug 2005 16:43:49 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:149 - Updated lm_sensors packages fix temporary file vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           lm_sensors
 Advisory ID:            MDKSA-2005:149
 Date:                   August 25th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Javier Fernandez-Sanguino Pena discovered that the pwmconfig script in
 the lm_sensors package created temporary files in an insecure manner.
 This could allow a symlink attack to create or overwrite arbitrary
 files with full root privileges because pwmconfig is typically executed
 by root.
 
 The updated packages have been patched to correct this problem by using
 mktemp to create the temporary files.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 df10273b9fba09f7c5ce627bb5e36ada  10.0/RPMS/liblm_sensors3-2.8.4-2.1.100mdk.i586.rpm
 9d7b0eb57123bd343c332f7fce076397  10.0/RPMS/liblm_sensors3-devel-2.8.4-2.1.100mdk.i586.rpm
 85abe9679e939b093f1bd7d77e7d7e16  10.0/RPMS/liblm_sensors3-static-devel-2.8.4-2.1.100mdk.i586.rpm
 3212cbd6f8123492b47a33c70f28e67c  10.0/RPMS/lm_sensors-2.8.4-2.1.100mdk.i586.rpm
 fcc02a355b53b9e922ddb26cefe0753a  10.0/SRPMS/lm_sensors-2.8.4-2.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 ec6a4717784b523a0b3359cda0576765  amd64/10.0/RPMS/lib64lm_sensors3-2.8.4-2.1.100mdk.amd64.rpm
 0a72c0a128cacefe91f1f7cc49e5762f  amd64/10.0/RPMS/lib64lm_sensors3-devel-2.8.4-2.1.100mdk.amd64.rpm
 24db3949ab603bfe06066e95fe332673  amd64/10.0/RPMS/lib64lm_sensors3-static-devel-2.8.4-2.1.100mdk.amd64.rpm
 2e514d87df42d4aa351939c4b27e2fe7  amd64/10.0/RPMS/lm_sensors-2.8.4-2.1.100mdk.amd64.rpm
 fcc02a355b53b9e922ddb26cefe0753a  amd64/10.0/SRPMS/lm_sensors-2.8.4-2.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 1c851f52f07dd18fd84e4c47102c656f  10.1/RPMS/liblm_sensors3-2.8.7-7.1.101mdk.i586.rpm
 6802ce70ffab988d04579d009b78d8a7  10.1/RPMS/liblm_sensors3-devel-2.8.7-7.1.101mdk.i586.rpm
 6b59df6a1814d9300b9d590a1ab4008f  10.1/RPMS/liblm_sensors3-static-devel-2.8.7-7.1.101mdk.i586.rpm
 4ab2767ada36c3eb47ec7dff9aae28df  10.1/RPMS/lm_sensors-2.8.7-7.1.101mdk.i586.rpm
 e978ae8f29f593dbf3dbb59eda006db1  10.1/SRPMS/lm_sensors-2.8.7-7.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 965c42926063cd3abee729f3e3b6b850  x86_64/10.1/RPMS/lib64lm_sensors3-2.8.7-7.1.101mdk.x86_64.rpm
 a470b4f7b984c5e17f579abc10edd49f  x86_64/10.1/RPMS/lib64lm_sensors3-devel-2.8.7-7.1.101mdk.x86_64.rpm
 7612338836b497a6bdd3b638120e67ef  x86_64/10.1/RPMS/lib64lm_sensors3-static-devel-2.8.7-7.1.101mdk.x86_64.rpm
 1805b24a8c2f2c09b0f19259f3ebcb58  x86_64/10.1/RPMS/lm_sensors-2.8.7-7.1.101mdk.x86_64.rpm
 e978ae8f29f593dbf3dbb59eda006db1  x86_64/10.1/SRPMS/lm_sensors-2.8.7-7.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 bc0221e163fa223e9f7a7e8b101209eb  10.2/RPMS/liblm_sensors3-2.9.0-4.1.102mdk.i586.rpm
 90d172096a15727c0e9f55f8f6459d14  10.2/RPMS/liblm_sensors3-devel-2.9.0-4.1.102mdk.i586.rpm
 92020d0fafe62fc329dfcc3d1d9ed4e6  10.2/RPMS/liblm_sensors3-static-devel-2.9.0-4.1.102mdk.i586.rpm
 7c67db72576b4e623e8c0adf6f3b49aa  10.2/RPMS/lm_sensors-2.9.0-4.1.102mdk.i586.rpm
 bf68836cfdf5be70f4fac4e5f928c3ae  10.2/SRPMS/lm_sensors-2.9.0-4.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 0588a52c3be2a4327042f0ef762f2677  x86_64/10.2/RPMS/lib64lm_sensors3-2.9.0-4.1.102mdk.x86_64.rpm
 6f101ef435f161d6d2fd2801ea90ade2  x86_64/10.2/RPMS/lib64lm_sensors3-devel-2.9.0-4.1.102mdk.x86_64.rpm
 b1d4d08c90db9fb7a5c889a88e855529  x86_64/10.2/RPMS/lib64lm_sensors3-static-devel-2.9.0-4.1.102mdk.x86_64.rpm
 6c80fec8081da73a246d02be3b361fd5  x86_64/10.2/RPMS/lm_sensors-2.9.0-4.1.102mdk.x86_64.rpm
 bf68836cfdf5be70f4fac4e5f928c3ae  x86_64/10.2/SRPMS/lm_sensors-2.9.0-4.1.102mdk.src.rpm

 Corporate 3.0:
 b992ecee206b158aa13752250f55a239  corporate/3.0/RPMS/liblm_sensors3-2.8.4-2.1.C30mdk.i586.rpm
 1422d8d639631c0d82e7ffdaef8ecfb2  corporate/3.0/RPMS/liblm_sensors3-devel-2.8.4-2.1.C30mdk.i586.rpm
 0c8f7b0c546748c218b6f96c14747b04  corporate/3.0/RPMS/liblm_sensors3-static-devel-2.8.4-2.1.C30mdk.i586.rpm
 900cd7aabecb4af76a1900005f2cc82f  corporate/3.0/RPMS/lm_sensors-2.8.4-2.1.C30mdk.i586.rpm
 42537c2b258f5d5c859e89554b18e670  corporate/3.0/SRPMS/lm_sensors-2.8.4-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5f2ba067df2ffcea7460ecbbed5b9406  x86_64/corporate/3.0/RPMS/lib64lm_sensors3-2.8.4-2.1.C30mdk.x86_64.rpm
 532c570adec5fddf0bc1de218f281113  x86_64/corporate/3.0/RPMS/lib64lm_sensors3-devel-2.8.4-2.1.C30mdk.x86_64.rpm
 6ea29988cd83558f4acea49cc3eaa34f  x86_64/corporate/3.0/RPMS/lib64lm_sensors3-static-devel-2.8.4-2.1.C30mdk.x86_64.rpm
 7a8e60e83b80043606b839119d43d26b  x86_64/corporate/3.0/RPMS/lm_sensors-2.8.4-2.1.C30mdk.x86_64.rpm
 42537c2b258f5d5c859e89554b18e670  x86_64/corporate/3.0/SRPMS/lm_sensors-2.8.4-2.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDDkmlmqjQ0CJFipgRAtgkAKCAM8a41udjZdz8A9aR4LjlFWjpaACfQ6dp
KcIzx0iSnhhIpW4nRbVczuY=
=TYCh
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ