[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Ov01R-0000zw-IX@titan.mandriva.com>
Date: Mon, 13 Sep 2010 05:48:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:180 ] rpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:180
http://www.mandriva.com/security/
_______________________________________________________________________
Package : rpm
Date : September 13, 2010
Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in rpm:
lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and
RPM before 4.4.3, does not properly reset the metadata of an executable
file during replacement of the file in an RPM package upgrade, which
might allow local users to gain privileges by creating a hard link
to a vulnerable (1) setuid or (2) setgid file (CVE-2010-2059).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
fa15345f1bf67d79a08dcad06a3b335f 2009.0/i586/libpopt0-1.10.8-32.1mdv2009.0.i586.rpm
e085756e7cbb462ad9e075c8aad25132 2009.0/i586/libpopt-devel-1.10.8-32.1mdv2009.0.i586.rpm
34e473060df48dad0efc80f6c6c9b3c8 2009.0/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm
8a4d91bd5b5cb7d06ac806a77b11a940 2009.0/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm
0a4e5395fc3b3786999918e21360359b 2009.0/i586/popt-data-1.10.8-32.1mdv2009.0.i586.rpm
d41d2589155531cfee87a091f9f89539 2009.0/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm
724452dc5531f53a72d1ae8d91303617 2009.0/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm
b7adacc04471296f7b5b9fc342ec2d68 2009.0/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm
967e30ebc67369e0b21bb5c7f399e30d 2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm
Mandriva Linux 2009.0/X86_64:
98232ad6b8baeb0f6a50f22bb46a4ce3 2009.0/x86_64/lib64popt0-1.10.8-32.1mdv2009.0.x86_64.rpm
b5d31c766354288891124a6a8b0dbc19 2009.0/x86_64/lib64popt-devel-1.10.8-32.1mdv2009.0.x86_64.rpm
96a8cac433cfed95a2741173768ad8f6 2009.0/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm
0c0927ae1fc9a626a466588b779d262e 2009.0/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm
90ad635496f675505bc3834ca8c60822 2009.0/x86_64/popt-data-1.10.8-32.1mdv2009.0.x86_64.rpm
063b6e9e3c0fc8887a7be8e481fa277e 2009.0/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm
3bef4cab40149ccb2aa038c1b32e5f2a 2009.0/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm
0b655d3af90e7d1eb2d4e59b0e160f5c 2009.0/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm
967e30ebc67369e0b21bb5c7f399e30d 2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm
Corporate 4.0:
cd4f97d9f90c54f76bdb54bba0fc5a0f corporate/4.0/i586/libpopt0-1.10.2-4.2.20060mlcs4.i586.rpm
0f3da3fa186fbe5c313aa0acdafd8ffa corporate/4.0/i586/libpopt0-devel-1.10.2-4.2.20060mlcs4.i586.rpm
217a7fe6dffe2e51909d92a8ab06713a corporate/4.0/i586/librpm4.4-4.4.2-4.2.20060mlcs4.i586.rpm
54bc36df51e6c68121890dd2029e1c94 corporate/4.0/i586/librpm4.4-devel-4.4.2-4.2.20060mlcs4.i586.rpm
85cbc98e200727d0f08002890ba72c1f corporate/4.0/i586/popt-data-1.10.2-4.2.20060mlcs4.i586.rpm
b1dc2b338a5c30ff598a1b094caf0c0d corporate/4.0/i586/python-rpm-4.4.2-4.2.20060mlcs4.i586.rpm
d697e6586174e9f1cae798dce607ba86 corporate/4.0/i586/rpm-4.4.2-4.2.20060mlcs4.i586.rpm
083b4e31320c505fdde4dbb486135ae6 corporate/4.0/i586/rpm-build-4.4.2-4.2.20060mlcs4.i586.rpm
9e2fb6a22e148e3c943c8bf80e053301 corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
e1f2ea23bc539080ce9ae48dfff7aa3b corporate/4.0/x86_64/lib64popt0-1.10.2-4.2.20060mlcs4.x86_64.rpm
9c70d54050efa44b588c5ccd31149f22 corporate/4.0/x86_64/lib64popt0-devel-1.10.2-4.2.20060mlcs4.x86_64.rpm
9a61e76e1b9422e60e35f9bf0f4e981a corporate/4.0/x86_64/lib64rpm4.4-4.4.2-4.2.20060mlcs4.x86_64.rpm
d7026b2dce06e9f20979704748c7eea6 corporate/4.0/x86_64/lib64rpm4.4-devel-4.4.2-4.2.20060mlcs4.x86_64.rpm
9ceb6720eb17b55a24d3e50a1d1ed9aa corporate/4.0/x86_64/popt-data-1.10.2-4.2.20060mlcs4.x86_64.rpm
645f0acdc04c25aef2735c9d32be1303 corporate/4.0/x86_64/python-rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm
6a83c09532087105fe8858af533983b3 corporate/4.0/x86_64/rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm
b829957c44af2803e7f30672ad2a85d3 corporate/4.0/x86_64/rpm-build-4.4.2-4.2.20060mlcs4.x86_64.rpm
9e2fb6a22e148e3c943c8bf80e053301 corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
f776747005a841776744111f0a8a8e08 mes5/i586/libpopt0-1.10.8-32.1mdvmes5.1.i586.rpm
3c0093f3024fb86fa7eb2ee671bd7a3f mes5/i586/libpopt-devel-1.10.8-32.1mdvmes5.1.i586.rpm
04c8b6b32a75bdbfe7cfdf753de5d346 mes5/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm
605883a0b22cee54d863e9c1c8ef6e8d mes5/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm
7e09701bff28a534e57c5ce7b32ba0de mes5/i586/popt-data-1.10.8-32.1mdvmes5.1.i586.rpm
0303ca138c2028160b520dd23c9a7ebb mes5/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm
e7186039a1963f2e683b139ffe4f2b25 mes5/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm
d30b3740649fea15761383f02798b4a1 mes5/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm
830a5096583811ccaa2bcf472162ef58 mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm
Mandriva Enterprise Server 5/X86_64:
066fccad93ad654c2261cf798039a14d mes5/x86_64/lib64popt0-1.10.8-32.1mdvmes5.1.x86_64.rpm
ce023ecbd55217cc0bc525e8a49d0ca1 mes5/x86_64/lib64popt-devel-1.10.8-32.1mdvmes5.1.x86_64.rpm
842fc3b631936e6bcc757abab94bd43e mes5/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm
65242d3af33eec8a60dc65e927acba23 mes5/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm
9abca8b6c1a0b2dcd5b8470ea58a1a0a mes5/x86_64/popt-data-1.10.8-32.1mdvmes5.1.x86_64.rpm
bb7bd25a8af5a4a8f65d22f93325bf41 mes5/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm
a92833fc3446f532b502c1eca510c397 mes5/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm
bc45add2a88207c52f306569d7a5a5db mes5/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm
830a5096583811ccaa2bcf472162ef58 mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMjXFDmqjQ0CJFipgRAiQMAKCA/tEwPO/XEgxl5kmGzr+7ggbW8wCgr7eb
7DGZPpGWmV7PfAeWrRymf9I=
=m5rf
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists