lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Ov01R-0000zw-IX@titan.mandriva.com>
Date: Mon, 13 Sep 2010 05:48:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:180 ] rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:180
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : rpm
 Date    : September 13, 2010
 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in rpm:
 
 lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and
 RPM before 4.4.3, does not properly reset the metadata of an executable
 file during replacement of the file in an RPM package upgrade, which
 might allow local users to gain privileges by creating a hard link
 to a vulnerable (1) setuid or (2) setgid file (CVE-2010-2059).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 fa15345f1bf67d79a08dcad06a3b335f  2009.0/i586/libpopt0-1.10.8-32.1mdv2009.0.i586.rpm
 e085756e7cbb462ad9e075c8aad25132  2009.0/i586/libpopt-devel-1.10.8-32.1mdv2009.0.i586.rpm
 34e473060df48dad0efc80f6c6c9b3c8  2009.0/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm
 8a4d91bd5b5cb7d06ac806a77b11a940  2009.0/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm
 0a4e5395fc3b3786999918e21360359b  2009.0/i586/popt-data-1.10.8-32.1mdv2009.0.i586.rpm
 d41d2589155531cfee87a091f9f89539  2009.0/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm
 724452dc5531f53a72d1ae8d91303617  2009.0/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm
 b7adacc04471296f7b5b9fc342ec2d68  2009.0/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm 
 967e30ebc67369e0b21bb5c7f399e30d  2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

 Mandriva Linux 2009.0/X86_64:
 98232ad6b8baeb0f6a50f22bb46a4ce3  2009.0/x86_64/lib64popt0-1.10.8-32.1mdv2009.0.x86_64.rpm
 b5d31c766354288891124a6a8b0dbc19  2009.0/x86_64/lib64popt-devel-1.10.8-32.1mdv2009.0.x86_64.rpm
 96a8cac433cfed95a2741173768ad8f6  2009.0/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm
 0c0927ae1fc9a626a466588b779d262e  2009.0/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm
 90ad635496f675505bc3834ca8c60822  2009.0/x86_64/popt-data-1.10.8-32.1mdv2009.0.x86_64.rpm
 063b6e9e3c0fc8887a7be8e481fa277e  2009.0/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm
 3bef4cab40149ccb2aa038c1b32e5f2a  2009.0/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm
 0b655d3af90e7d1eb2d4e59b0e160f5c  2009.0/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm 
 967e30ebc67369e0b21bb5c7f399e30d  2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

 Corporate 4.0:
 cd4f97d9f90c54f76bdb54bba0fc5a0f  corporate/4.0/i586/libpopt0-1.10.2-4.2.20060mlcs4.i586.rpm
 0f3da3fa186fbe5c313aa0acdafd8ffa  corporate/4.0/i586/libpopt0-devel-1.10.2-4.2.20060mlcs4.i586.rpm
 217a7fe6dffe2e51909d92a8ab06713a  corporate/4.0/i586/librpm4.4-4.4.2-4.2.20060mlcs4.i586.rpm
 54bc36df51e6c68121890dd2029e1c94  corporate/4.0/i586/librpm4.4-devel-4.4.2-4.2.20060mlcs4.i586.rpm
 85cbc98e200727d0f08002890ba72c1f  corporate/4.0/i586/popt-data-1.10.2-4.2.20060mlcs4.i586.rpm
 b1dc2b338a5c30ff598a1b094caf0c0d  corporate/4.0/i586/python-rpm-4.4.2-4.2.20060mlcs4.i586.rpm
 d697e6586174e9f1cae798dce607ba86  corporate/4.0/i586/rpm-4.4.2-4.2.20060mlcs4.i586.rpm
 083b4e31320c505fdde4dbb486135ae6  corporate/4.0/i586/rpm-build-4.4.2-4.2.20060mlcs4.i586.rpm 
 9e2fb6a22e148e3c943c8bf80e053301  corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 e1f2ea23bc539080ce9ae48dfff7aa3b  corporate/4.0/x86_64/lib64popt0-1.10.2-4.2.20060mlcs4.x86_64.rpm
 9c70d54050efa44b588c5ccd31149f22  corporate/4.0/x86_64/lib64popt0-devel-1.10.2-4.2.20060mlcs4.x86_64.rpm
 9a61e76e1b9422e60e35f9bf0f4e981a  corporate/4.0/x86_64/lib64rpm4.4-4.4.2-4.2.20060mlcs4.x86_64.rpm
 d7026b2dce06e9f20979704748c7eea6  corporate/4.0/x86_64/lib64rpm4.4-devel-4.4.2-4.2.20060mlcs4.x86_64.rpm
 9ceb6720eb17b55a24d3e50a1d1ed9aa  corporate/4.0/x86_64/popt-data-1.10.2-4.2.20060mlcs4.x86_64.rpm
 645f0acdc04c25aef2735c9d32be1303  corporate/4.0/x86_64/python-rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm
 6a83c09532087105fe8858af533983b3  corporate/4.0/x86_64/rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm
 b829957c44af2803e7f30672ad2a85d3  corporate/4.0/x86_64/rpm-build-4.4.2-4.2.20060mlcs4.x86_64.rpm 
 9e2fb6a22e148e3c943c8bf80e053301  corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 f776747005a841776744111f0a8a8e08  mes5/i586/libpopt0-1.10.8-32.1mdvmes5.1.i586.rpm
 3c0093f3024fb86fa7eb2ee671bd7a3f  mes5/i586/libpopt-devel-1.10.8-32.1mdvmes5.1.i586.rpm
 04c8b6b32a75bdbfe7cfdf753de5d346  mes5/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm
 605883a0b22cee54d863e9c1c8ef6e8d  mes5/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm
 7e09701bff28a534e57c5ce7b32ba0de  mes5/i586/popt-data-1.10.8-32.1mdvmes5.1.i586.rpm
 0303ca138c2028160b520dd23c9a7ebb  mes5/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm
 e7186039a1963f2e683b139ffe4f2b25  mes5/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm
 d30b3740649fea15761383f02798b4a1  mes5/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm 
 830a5096583811ccaa2bcf472162ef58  mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 066fccad93ad654c2261cf798039a14d  mes5/x86_64/lib64popt0-1.10.8-32.1mdvmes5.1.x86_64.rpm
 ce023ecbd55217cc0bc525e8a49d0ca1  mes5/x86_64/lib64popt-devel-1.10.8-32.1mdvmes5.1.x86_64.rpm
 842fc3b631936e6bcc757abab94bd43e  mes5/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm
 65242d3af33eec8a60dc65e927acba23  mes5/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm
 9abca8b6c1a0b2dcd5b8470ea58a1a0a  mes5/x86_64/popt-data-1.10.8-32.1mdvmes5.1.x86_64.rpm
 bb7bd25a8af5a4a8f65d22f93325bf41  mes5/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm
 a92833fc3446f532b502c1eca510c397  mes5/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm
 bc45add2a88207c52f306569d7a5a5db  mes5/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm 
 830a5096583811ccaa2bcf472162ef58  mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMjXFDmqjQ0CJFipgRAiQMAKCA/tEwPO/XEgxl5kmGzr+7ggbW8wCgr7eb
7DGZPpGWmV7PfAeWrRymf9I=
=m5rf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ