---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated python packages fix predictable temporary file
Advisory ID:       RHSA-2002:202-25
Issue date:        2003-01-21
Updated on:        2003-01-21
Product:           Red Hat Linux
Keywords:          symlink os.execvpe flaw:link
Cross references:  
Obsoletes:         
CVE Names:         CAN-2002-1119
---------------------------------------------------------------------

1. Topic:

An insecure use of a temporary file has been found in Python.  This erratum
provides updated Python packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Python is an interpreted, interactive, object-oriented programming
language.

Zack Weinberg discovered that os._execvpe from os.py in Python 2.2.1 and
earlier creates temporary files with predictable names.  This could allow
local users to execute arbitrary code via a symlink attack.

All users should upgrade to these errata packages, which contain a patch to
python 1.5.2 and are not vulnerable to this issue.  Please note that for
Red Hat Linux 7.3 we have updated the python2 packages from version 2.2 to
version 2.2.2.  Red Hat Linux 8.0 shipped a version of Python that already
contained a fix for this issue and is therefore not vulnerable.
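The following is an added example, not part of the Red Hat advisory and not
Python's own os.py; it is written for Python 3 (the advisory concerns Python
1.5.2 and 2.2), and the directory, file names and sample source in it are
constructed here.  It shows the two halves of the problem the advisory
describes: a name-only helper such as tempfile.mktemp() hands back a
predictable path that any local user can pre-create (as a file or a symlink)
before the program opens it, whereas an exclusive create (tempfile.mkstemp, or
os.open with O_CREAT|O_EXCL and, where available, O_NOFOLLOW) refuses a
pre-existing path with EEXIST instead of reusing it.  A small audit helper that
flags mktemp() calls in source is included for reviewing one's own code:

```python
"""Predictable temporary names vs. exclusive creation (added example)."""
import errno
import os
import re
import tempfile


def open_exclusive(path):
    """Create `path` atomically; fail rather than reuse anything already there.

    O_EXCL makes the kernel refuse if the name exists; O_NOFOLLOW (where the
    platform has it) additionally refuses to go through a symlink at the name.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def demo_planted_path(dirpath):
    """Compare a non-exclusive open with an exclusive one at a pre-existing path.

    The pre-existing file stands in for anything another local user could have
    placed at a guessable name; it is created here by the demo itself.
    """
    guessed = os.path.join(dirpath, "guessable-name")  # constructed name
    with open(guessed, "w") as f:
        f.write("pre-existing content")

    # The pattern a mktemp() user ends up with: open the name non-exclusively.
    # The planted file is silently reused and its contents are kept.
    with open(guessed, "a") as f:
        f.write("\nnew data")
    with open(guessed) as f:
        reused = f.read().startswith("pre-existing content")

    # The defensive pattern: exclusive create fails with EEXIST on that path.
    try:
        os.close(open_exclusive(guessed))
        refused = False
    except OSError as e:
        refused = e.errno == errno.EEXIST

    # mkstemp: random name, created O_EXCL, mode 0600 (no group/other bits).
    fd, safe_path = tempfile.mkstemp(dir=dirpath)
    os.close(fd)
    mode = os.stat(safe_path).st_mode & 0o777

    return {
        "nonexclusive_reused_planted_file": reused,
        "exclusive_open_refused": refused,
        "mkstemp_private": (mode & 0o077) == 0,
    }


def run_demo():
    """Run the comparison inside a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as d:
        return demo_planted_path(d)


# Matches mktemp( and tempfile.mktemp( ; comment-only lines are skipped below.
MKTEMP_RE = re.compile(r"\bmktemp\s*\(")


def find_mktemp_uses(source):
    """Audit helper: (line_no, line) for each mktemp() call in Python source."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if MKTEMP_RE.search(line) and not line.lstrip().startswith("#"):
            hits.append((n, line.strip()))
    return hits


# Constructed sample of the unsafe idiom: pick a name, then open it later.
SAMPLE_SOURCE = """\
import tempfile
def write_scratch(data):
    name = tempfile.mktemp()          # predictable name, nothing created yet
    with open(name, "w") as f:        # race window: name may already exist
        f.write(data)
    return name
"""


if __name__ == "__main__":
    print(run_demo())
    for n, line in find_mktemp_uses(SAMPLE_SOURCE):
        print("mktemp() use at line %d: %s" % (n, line))
```

run_demo() returns all three flags as True on a POSIX system: the
non-exclusive open reused the planted file, the exclusive open refused it, and
the mkstemp file carries no group or other permission bits.  The same
O_CREAT|O_EXCL discipline is what the standard mkstemp(3) family provides in C,
which is why the fix for this class of bug is to stop generating names and
start creating files.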

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
6.2/en/os/SRPMS/python-1.5.2-42.62.src.rpm

i386:
6.2/en/os/i386/python-1.5.2-42.62.i386.rpm
6.2/en/os/i386/python-devel-1.5.2-42.62.i386.rpm
6.2/en/os/i386/python-docs-1.5.2-42.62.i386.rpm
6.2/en/os/i386/python-tools-1.5.2-42.62.i386.rpm
6.2/en/os/i386/tkinter-1.5.2-42.62.i386.rpm

Red Hat Linux 7.0:

SRPMS:
7.0/en/os/SRPMS/python-1.5.2-42.71.src.rpm

i386:
7.0/en/os/i386/python-1.5.2-42.71.i386.rpm
7.0/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
7.0/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
7.0/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
7.0/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.1:

SRPMS:
7.1/en/os/SRPMS/python-1.5.2-42.71.src.rpm

i386:
7.1/en/os/i386/python-1.5.2-42.71.i386.rpm
7.1/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
7.1/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
7.1/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
7.1/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.2:

SRPMS:
7.2/en/os/SRPMS/python-1.5.2-42.72.src.rpm
7.2/en/os/SRPMS/python2-2.1.1-2.72.src.rpm

i386:
7.2/en/os/i386/python-1.5.2-42.72.i386.rpm
7.2/en/os/i386/python-devel-1.5.2-42.72.i386.rpm
7.2/en/os/i386/python-docs-1.5.2-42.72.i386.rpm
7.2/en/os/i386/python-tools-1.5.2-42.72.i386.rpm
7.2/en/os/i386/python2-2.1.1-2.72.i386.rpm
7.2/en/os/i386/python2-devel-2.1.1-2.72.i386.rpm
7.2/en/os/i386/tkinter-1.5.2-42.72.i386.rpm

ia64:
7.2/en/os/ia64/python-1.5.2-42.72.ia64.rpm
7.2/en/os/ia64/python-devel-1.5.2-42.72.ia64.rpm
7.2/en/os/ia64/python-docs-1.5.2-42.72.ia64.rpm
7.2/en/os/ia64/python-tools-1.5.2-42.72.ia64.rpm
7.2/en/os/ia64/python2-2.1.1-2.72.ia64.rpm
7.2/en/os/ia64/python2-devel-2.1.1-2.72.ia64.rpm
7.2/en/os/ia64/tkinter-1.5.2-42.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
7.3/en/os/SRPMS/python-1.5.2-42.73.src.rpm
7.3/en/os/SRPMS/python2-2.2.2-3.7.3.src.rpm

i386:
7.3/en/os/i386/python-1.5.2-42.73.i386.rpm
7.3/en/os/i386/python-devel-1.5.2-42.73.i386.rpm
7.3/en/os/i386/python-docs-1.5.2-42.73.i386.rpm
7.3/en/os/i386/python-tools-1.5.2-42.73.i386.rpm
7.3/en/os/i386/python2-2.2.2-3.7.3.i386.rpm
7.3/en/os/i386/python2-devel-2.2.2-3.7.3.i386.rpm
7.3/en/os/i386/python2-docs-2.2.2-3.7.3.i386.rpm
7.3/en/os/i386/tkinter-1.5.2-42.73.i386.rpm
7.3/en/os/i386/tkinter2-2.2.2-3.7.3.i386.rpm


6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
ea2c7e1f03253f7abf020bd20501a9ed 6.2/en/os/SRPMS/python-1.5.2-42.62.src.rpm
ae807f2515d48688feb63a7d1c36fd41 6.2/en/os/i386/python-1.5.2-42.62.i386.rpm
9e7ec6bea6aeac1f55d7268c17bd005e 6.2/en/os/i386/python-devel-1.5.2-42.62.i386.rpm
24989340e51d52302fed720a304da5fb 6.2/en/os/i386/python-docs-1.5.2-42.62.i386.rpm
c32cfd08bd1b8c1485f9faf992ae4e47 6.2/en/os/i386/python-tools-1.5.2-42.62.i386.rpm
9e6ef79c21074cfd2ba6a9e8f82269fe 6.2/en/os/i386/tkinter-1.5.2-42.62.i386.rpm
f284fbc3bffb9750628b854c66240884 7.0/en/os/SRPMS/python-1.5.2-42.71.src.rpm
67a8b9f482122c94e59be63fb35a6c09 7.0/en/os/i386/python-1.5.2-42.71.i386.rpm
6bb2441e4e774d4036e06470a37f2d05 7.0/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
4bbbde224af5008bcde30363fc97146c 7.0/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
a2d3161c06c800c522da141baa5118b7 7.0/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
55275a32efb84977fa93653fb9cbae2c 7.0/en/os/i386/tkinter-1.5.2-42.71.i386.rpm
f284fbc3bffb9750628b854c66240884 7.1/en/os/SRPMS/python-1.5.2-42.71.src.rpm
67a8b9f482122c94e59be63fb35a6c09 7.1/en/os/i386/python-1.5.2-42.71.i386.rpm
6bb2441e4e774d4036e06470a37f2d05 7.1/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
4bbbde224af5008bcde30363fc97146c 7.1/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
a2d3161c06c800c522da141baa5118b7 7.1/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
55275a32efb84977fa93653fb9cbae2c 7.1/en/os/i386/tkinter-1.5.2-42.71.i386.rpm
a47d3a73c49783e1cd5b83cbef60652f 7.2/en/os/SRPMS/python-1.5.2-42.72.src.rpm
b4e68654b049c6af907f098afd29a4be 7.2/en/os/SRPMS/python2-2.1.1-2.72.src.rpm
389afc3097788a96b0835ebc46ac16d3 7.2/en/os/i386/python-1.5.2-42.72.i386.rpm
a4fd8f4787c56603613e9f3e12d6aa27 7.2/en/os/i386/python-devel-1.5.2-42.72.i386.rpm
686d90f9f8462ebc2dc7f0c05bf1612e 7.2/en/os/i386/python-docs-1.5.2-42.72.i386.rpm
ac3c101c4d388b2086412fa1ecae38c6 7.2/en/os/i386/python-tools-1.5.2-42.72.i386.rpm
d1832d93442ddac585427b460b02c1c8 7.2/en/os/i386/python2-2.1.1-2.72.i386.rpm
e1c3352394e1cd824e615742ca029298 7.2/en/os/i386/python2-devel-2.1.1-2.72.i386.rpm
9bee09c2165510ef87d5b1d6c5170760 7.2/en/os/i386/tkinter-1.5.2-42.72.i386.rpm
a59c47d8d4d089f83b834105b9d22f69 7.2/en/os/ia64/python-1.5.2-42.72.ia64.rpm
1a2c0e209e264928d2f84154e182248d 7.2/en/os/ia64/python-devel-1.5.2-42.72.ia64.rpm
290383a0ec1a271e5f6a17b7bc821ed8 7.2/en/os/ia64/python-docs-1.5.2-42.72.ia64.rpm
694c91d88fbfd31a6408781431a5b7fe 7.2/en/os/ia64/python-tools-1.5.2-42.72.ia64.rpm
c5e288bfb51f7cdb1fc7de5a0c900639 7.2/en/os/ia64/python2-2.1.1-2.72.ia64.rpm
729305369876da105810446e32a119bc 7.2/en/os/ia64/python2-devel-2.1.1-2.72.ia64.rpm
85ddf2fcb9679153dc179a3e41d76993 7.2/en/os/ia64/tkinter-1.5.2-42.72.ia64.rpm
f2cf7600b4de21bcb7eaa2e73218cb7c 7.3/en/os/SRPMS/python-1.5.2-42.73.src.rpm
183717dbd2d209c4ab19162c21c41527 7.3/en/os/SRPMS/python2-2.2.2-3.7.3.src.rpm
3349177afa68f1bb3cdefacd2202edad 7.3/en/os/i386/python-1.5.2-42.73.i386.rpm
4d046510dd987f72e521f528d95db38b 7.3/en/os/i386/python-devel-1.5.2-42.73.i386.rpm
ec0936c1821670d1ebb9639bc9f41d5f 7.3/en/os/i386/python-docs-1.5.2-42.73.i386.rpm
b55c4b23cdf5779e244923e944ffdab0 7.3/en/os/i386/python-tools-1.5.2-42.73.i386.rpm
cdd195d8cd81e8c6c42964b7efda4a53 7.3/en/os/i386/python2-2.2.2-3.7.3.i386.rpm
3804e8f39fe53ca69eb9b08e0847239e 7.3/en/os/i386/python2-devel-2.2.2-3.7.3.i386.rpm
e15f24a15999724eb6aad307a3cda429 7.3/en/os/i386/python2-docs-2.2.2-3.7.3.i386.rpm
7e68369c396be300c8abb8334d4cae2d 7.3/en/os/i386/tkinter-1.5.2-42.73.i386.rpm
c4fced6272839041ce9252d06079d43c 7.3/en/os/i386/tkinter2-2.2.2-3.7.3.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at  About

You can verify each package with the following command:
    
    rpm --checksig -v 

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum 


7. References:
 
#156556 - python: os.execvpe vulnerability - Debian Bug report logs
CVE: CVE-2002-1119

8. Contact:

The Red Hat security contact is <security@RedHat.com>.  More contact
details at  All Red Hat products

Copyright 2003 Red Hat, Inc.



_______________________________________________
Red Hat-watch-list mailing list
To unsubscribe, visit: https://listman.RedHat.com/mailman/listinfo/RedHat-watch-list


RedHat: python tmp file vulnerability

Zack Weinberg discovered that os._execvpe from os.py in Python <=2.2.1 creates temporary files with predictable names.
