Fedora Update Notification
FEDORA-2004-108
2004-04-21
---------------------------------------------------------------------

Name        : utempter
Version     : 0.5.5
Release     : 3.FC1.0
Summary     : A privileged helper for utmp/wtmp updates.
Description :
Utempter is a small privileged helper that lets unprivileged programs
(such as terminal emulators) have utmp/wtmp updated on their behalf
without being given root access themselves. It accomplishes this by
acting as a buffer between root and those programs: the helper performs
the privileged write, and the caller only supplies the data to be recorded.

---------------------------------------------------------------------
Update Information:

Topic:
An updated utempter package that fixes a potential symlink vulnerability is
now available.

Problem Description:
Utempter is a utility that allows terminal applications such as xterm and
screen to update utmp and wtmp without requiring root privileges.

Steve Grubb discovered a flaw in Utempter: it accepted device names
containing directory traversal sequences such as '/../'. In combination
with an application that trusts the device names found in the utmp or wtmp
files, this could allow a local attacker to overwrite privileged files by
way of a symlink.

Users should upgrade to this new version of utempter, which fixes this
vulnerability.
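To make the input-validation point concrete, the following C program is an
added illustration and is not code from the utempter package or from the fix
shipped in this update. It assumes a helper that receives a device name
(such as "pts/3" or "/dev/pts/3") and a consumer that derives "/dev/" plus
the recorded ut_line and acts on the result; the function names, the 32-byte
limit (chosen to match glibc's UT_LINESIZE) and the sample names are all
constructed for this example. It shows how an unvalidated name like
"../../tmp/evil" becomes a path outside /dev, a component-by-component check
that rejects such names, and an lstat-based check that refuses anything which
is not a real character device reached without following a symlink.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Longest device name accepted; 32 matches glibc's UT_LINESIZE (assumed). */
#define DEV_NAME_MAX 32

/*
 * Decide whether a device name handed to a utmp/wtmp helper is safe to
 * record. Returns 1 if acceptable, 0 otherwise. Rules used here (an
 * illustration, not the utempter project's own check):
 *   - non-empty and shorter than DEV_NAME_MAX
 *   - absolute names must start with "/dev/"
 *   - no empty, "." or ".." path components, and no trailing slash, so
 *     "/dev/" + name can never resolve outside /dev
 *   - components contain only [A-Za-z0-9_-]
 */
int utmp_device_name_ok(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) >= DEV_NAME_MAX)
        return 0;

    const char *rel = name;
    if (name[0] == '/') {
        if (strncmp(name, "/dev/", 5) != 0)
            return 0;                      /* absolute path outside /dev */
        rel = name + 5;
        if (*rel == '\0')
            return 0;                      /* "/dev/" alone names nothing */
    }

    const char *p = rel;
    while (*p) {
        const char *comp = p;
        size_t len = 0;
        while (p[len] && p[len] != '/')
            len++;
        if (len == 0)
            return 0;                      /* "//" inside the name */
        if (len == 1 && comp[0] == '.')
            return 0;
        if (len == 2 && comp[0] == '.' && comp[1] == '.')
            return 0;                      /* the traversal case */
        for (size_t i = 0; i < len; i++) {
            char c = comp[i];
            int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9') || c == '_' || c == '-';
            if (!ok)
                return 0;
        }
        p += len;
        if (*p == '/') {
            p++;
            if (*p == '\0')
                return 0;                  /* trailing slash */
        }
    }
    return 1;
}

/* Static result buffer so the builder can be called from a test harness. */
static char tty_path[64];

/*
 * What a trusting consumer does with a recorded ut_line: prefix "/dev/"
 * (unless it is already absolute) and act on that path. With no validation,
 * "../../tmp/evil" yields "/dev/../../tmp/evil", i.e. /tmp/evil, which the
 * attacker can make a symlink to a privileged file. Returns NULL on overflow.
 */
const char *build_tty_path(const char *line)
{
    int n = (line[0] == '/')
              ? snprintf(tty_path, sizeof tty_path, "%s", line)
              : snprintf(tty_path, sizeof tty_path, "/dev/%s", line);
    return (n > 0 && (size_t)n < sizeof tty_path) ? tty_path : NULL;
}

/*
 * Second line of defence for the consumer side: lstat (not stat, which
 * would follow a symlink) and require a character device. A symlink planted
 * at the resolved path fails this check.
 */
int is_char_device_no_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample names; none come from the advisory. */
    const char *names[] = { "pts/3", "/dev/pts/3", "../../tmp/evil",
                            "/dev/../tmp/evil", "/tmp/evil", "pts/3/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *derived = build_tty_path(names[i]);
        printf("%-18s -> %-22s %s\n", names[i], derived ? derived : "(too long)",
               utmp_device_name_ok(names[i]) ? "accepted" : "REJECTED");
    }
    return 0;
}
```

Compile with cc -Wall and run it: each sample name is printed alongside the
path a trusting consumer would derive from it and the verdict of the name
check. Note that the name check alone protects only the helper; a consumer
that reads utmp and acts on ut_line still needs the lstat check, because the
utmp file it trusts may have been written by a helper without the fix.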
---------------------------------------------------------------------
* Tue Apr 20 2004 Mike A. Harris <mharris@redhat.com> 0.5.5-4

- Build 0.5.5-1 version as 0.5.5-1.2.1EL.0 for RHEL 2.1 erratum
- Build 0.5.5-1 version as 0.5.5-1.3EL.0 for RHEL 3 erratum
- Build 0.5.5-1 version as 0.5.5-2.RHL9.0 for RHL 9 erratum
- Build 0.5.5-1 version as 0.5.5-3.FC1.0 for Fedora Core 1 erratum
- Build 0.5.5-1 version as 0.5.5-4 for Fedora Core 2 development head

* Mon Apr 19 2004 Mike A. Harris <mharris@redhat.com> 0.5.5-1

- [SECURITY] Fix CAN-2004-0233 utempter directory traversal symlink attack
  issue for immediate erratum release.
- Build all-arch test package 0.5.5-1 in dist-fc2-scratch

* Mon Feb 23 2004 Mike A. Harris <mharris@redhat.com> 0.5.4-1

- Rewrote post install script to be a bit cleaner and rebuilt in rawhide to
  pick up twaugh's chown change
- Added 'srpm-x' target to Makefile for package maintainer SRPM building

* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com>

- Use ':' instead of '.' as separator for chown.


---------------------------------------------------------------------
This update can be downloaded from:
    

f7183d6339a8bdaa5b42a55b9bf1915a  SRPMS/utempter-0.5.5-3.FC1.0.src.rpm
6d211a469244cd656fcff3464d00e3e0  i386/utempter-0.5.5-3.FC1.0.i386.rpm
86e078c46a04eceb0c5e05f6a428214d  i386/debug/utempter-debuginfo-0.5.5-3.FC1.0.i386.rpm
f5946681eddc62e62296e64b29f176a8  x86_64/utempter-0.5.5-3.FC1.0.x86_64.rpm
fbd974095834794b31aa89aa50d14d90  x86_64/debug/utempter-debuginfo-0.5.5-3.FC1.0.x86_64.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------