lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1ENiaC-0007s6-7D@mercury.mandriva.com>
Date: Thu, 06 Oct 2005 21:07:40 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:175 - Updated texinfo packages fix temporary file vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           texinfo
 Advisory ID:            MDKSA-2005:175
 Date:                   October 6th, 2005

 Affected versions:	 10.1, 10.2, 2006.0, Corporate 3.0,
			 Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Frank Lichtenheld has discovered that texindex insecurely creates
 temporary files with predictable filenames. This is exploitable if
 a local attacker were to create symbolic links in the temporary files
 directory, pointing to a valid file on the filesystem.   When texindex
 is executed, the file would be overwitten with the rights of the user
 running texindex.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 76e53b496b39c7b28f0267a90ba586a8  10.1/RPMS/info-4.7-2.1.101mdk.i586.rpm
 10cd78726493bda942913b5584bcf0ea  10.1/RPMS/info-install-4.7-2.1.101mdk.i586.rpm
 25b0fff505495b5b4b80ffcf113ecb15  10.1/RPMS/texinfo-4.7-2.1.101mdk.i586.rpm
 e47fb813ed54544bd93b6897031b6d2d  10.1/SRPMS/texinfo-4.7-2.1.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 5f47ff5b3e06addb1924f92b8ade046f  x86_64/10.1/RPMS/info-4.7-2.1.101mdk.x86_64.rpm
 66cb5ffb24e9e263cfe2af552b5f2ac1  x86_64/10.1/RPMS/info-install-4.7-2.1.101mdk.x86_64.rpm
 bda2aa2a304be57fa28f2879b85fc9c0  x86_64/10.1/RPMS/texinfo-4.7-2.1.101mdk.x86_64.rpm
 e47fb813ed54544bd93b6897031b6d2d  x86_64/10.1/SRPMS/texinfo-4.7-2.1.101mdk.src.rpm

 Mandrivalinux 10.2:
 da38f9033ba2495d786bbb95bcee6c9f  10.2/RPMS/info-4.8-1.1.102mdk.i586.rpm
 e1dbdf1b7c0ad41fde7bab6cab92be6f  10.2/RPMS/info-install-4.8-1.1.102mdk.i586.rpm
 2b0c6e496d0adfa9b8c486c048c5cd65  10.2/RPMS/texinfo-4.8-1.1.102mdk.i586.rpm
 e018dbb4a415940d5c5062c4cdd01a1f  10.2/SRPMS/texinfo-4.8-1.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 9baa45ce2070d15f35062c41a574bf4f  x86_64/10.2/RPMS/info-4.8-1.1.102mdk.x86_64.rpm
 821d86aeae3923411e2667ea8cca3723  x86_64/10.2/RPMS/info-install-4.8-1.1.102mdk.x86_64.rpm
 54c74f133bcf8cf6791cc97ef9c2e2f2  x86_64/10.2/RPMS/texinfo-4.8-1.1.102mdk.x86_64.rpm
 e018dbb4a415940d5c5062c4cdd01a1f  x86_64/10.2/SRPMS/texinfo-4.8-1.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 8b6d88e8dc11347d15daaecea9614350  2006.0/RPMS/info-4.8-1.1.20060mdk.i586.rpm
 db1fb3ef2f3810ad044f7ceb0e7f28ba  2006.0/RPMS/info-install-4.8-1.1.20060mdk.i586.rpm
 71bd982b51dd4ce475bff38b13e602ee  2006.0/RPMS/texinfo-4.8-1.1.20060mdk.i586.rpm
 727c5b4c31890156019eeaa67693d169  2006.0/SRPMS/texinfo-4.8-1.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 1ebc92ec90e633ed7bd2c23df56db8e6  x86_64/2006.0/RPMS/info-4.8-1.1.20060mdk.x86_64.rpm
 52a3c172223d5c4fac673719232df4b5  x86_64/2006.0/RPMS/info-install-4.8-1.1.20060mdk.x86_64.rpm
 ad9da3a4cfa7e804c2880a94622bbe66  x86_64/2006.0/RPMS/texinfo-4.8-1.1.20060mdk.x86_64.rpm
 727c5b4c31890156019eeaa67693d169  x86_64/2006.0/SRPMS/texinfo-4.8-1.1.20060mdk.src.rpm

 Corporate Server 2.1:
 af212fb87728fcb48c736f5f30f0a906  corporate/2.1/RPMS/info-4.2-5.1.C21mdk.i586.rpm
 256c91dbdf2650f5323c9294916eb25c  corporate/2.1/RPMS/info-install-4.2-5.1.C21mdk.i586.rpm
 37f29e7fc13e78f1de4213591a028723  corporate/2.1/RPMS/texinfo-4.2-5.1.C21mdk.i586.rpm
 8c4df474276402f88497af71c8e6586a  corporate/2.1/SRPMS/texinfo-4.2-5.1.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 32d0a4f0f9e9d14bfb34368f5d5e429e  x86_64/corporate/2.1/RPMS/info-4.2-5.1.C21mdk.x86_64.rpm
 8df053321dd699e94bfed39387df0541  x86_64/corporate/2.1/RPMS/info-install-4.2-5.1.C21mdk.x86_64.rpm
 44a60c312004ed7490a802521559ddae  x86_64/corporate/2.1/RPMS/texinfo-4.2-5.1.C21mdk.x86_64.rpm
 8c4df474276402f88497af71c8e6586a  x86_64/corporate/2.1/SRPMS/texinfo-4.2-5.1.C21mdk.src.rpm

 Corporate 3.0:
 9556168c04d13c9a6a3f6e7015a398de  corporate/3.0/RPMS/info-4.6-1.1.C30mdk.i586.rpm
 ed35b999cc4037b9ad7f838eb641a837  corporate/3.0/RPMS/info-install-4.6-1.1.C30mdk.i586.rpm
 7f26434349820297ee62871c754c61d4  corporate/3.0/RPMS/texinfo-4.6-1.1.C30mdk.i586.rpm
 83cb27358b6e352de4f1173407175823  corporate/3.0/SRPMS/texinfo-4.6-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 217fc652b60c5aac4e9c17ea69f5ab33  x86_64/corporate/3.0/RPMS/info-4.6-1.1.C30mdk.x86_64.rpm
 7c3eee4af8b915337903ed6f8e8cedaf  x86_64/corporate/3.0/RPMS/info-install-4.6-1.1.C30mdk.x86_64.rpm
 11af71727eee1214d330d34ff9dbfe54  x86_64/corporate/3.0/RPMS/texinfo-4.6-1.1.C30mdk.x86_64.rpm
 83cb27358b6e352de4f1173407175823  x86_64/corporate/3.0/SRPMS/texinfo-4.6-1.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDReZ8mqjQ0CJFipgRAoymAKDLn6IhPLD9vE+NqmNAAuin7vxb0ACgkEAi
KXYDLCSKSV2dxCpZ/Rq1BqM=
=axcM
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ