LinuxSecurity.com
Mandrake: utempter Update to patch MDKSA-2004:031
Posted by LinuxSecurity.com Team   
This update corrects some small problems with the original utempter patch, released April 19th.

Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           utempter
 Advisory ID:            MDKSA-2004:031-1
 Date:                   April 21st, 2004
 Original Advisory Date: April 19th, 2004
 Affected versions:      10.0, 9.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Steve Grubb discovered two potential issues in the utempter program:

 1) If the path to the device contained /../, /./ or //, the program
 did not reject it and exit as it should. A caller could pass something
 like /dev/../tmp/tty0; if /tmp/tty0 were then deleted and replaced by
 a symlink to an important file, programs running with root privileges
 that do no further validation of the path could overwrite whatever
 the symlink pointed to.

 2) Several calls to strncpy without manual termination of the
 resulting string. This would most likely crash utempter.

 The updated packages are patched to correct these problems.
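
 The following is an added example, not code from utempter or from
 Mandrakesoft: a C check that rejects the device-path forms described
 above (/../, /./ and //) and requires the path to sit under /dev/,
 followed by an lstat() test that the object is a real character device
 rather than a planted symlink. The function names utempter_path_ok and
 utempter_device_ok and the /dev/ prefix are assumptions for illustration.

```c
/* Added example (not utempter's own code): a whitelist check for the tty
 * path utempter receives from its caller, rejecting the /../, /./ and //
 * forms described in the advisory. The function names and the /dev/
 * prefix are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L   /* for lstat() under strict ISO C modes */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define DEV_PREFIX "/dev/"

/* Return 1 if path is an absolute, canonical path under /dev/, else 0.
 * Every component is inspected, so "/dev/../tmp/tty0", "/dev/./tty0",
 * "/dev//tty0" and "/dev/tty0/" are all rejected. */
int utempter_path_ok(const char *path)
{
    const char *p;

    if (path == NULL || strncmp(path, DEV_PREFIX, strlen(DEV_PREFIX)) != 0)
        return 0;
    p = path + strlen(DEV_PREFIX);
    if (*p == '\0')
        return 0;                      /* "/dev/" names no device */
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return 0;                  /* "//": empty component */
        if (len == 1 && p[0] == '.')
            return 0;                  /* "/./" */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                  /* "/../": escapes /dev */
        if (end == NULL)
            return 1;                  /* last component was clean */
        p = end + 1;
        if (*p == '\0')
            return 0;                  /* trailing slash */
    }
}

/* Stronger check: the string passes and the object is a character device,
 * looked at with lstat() so a symlink planted at that name is refused. */
int utempter_device_ok(const char *path)
{
    struct stat st;

    if (!utempter_path_ok(path))
        return 0;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

int main(void)
{
    const char *samples[] = { "/dev/tty0", "/dev/pts/3", "/dev/../tmp/tty0",
                              "/dev/./tty0", "/dev//tty0", "/tmp/tty0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               utempter_path_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

 The string check is the part this advisory concerns. The lstat() check
 is a separate belt-and-braces step and is still racy between the check
 and any later open, so a privileged opener should additionally open the
 path with O_NOFOLLOW and re-check the descriptor it actually obtained
 with fstat().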
  
Update:

 The second portion of the patch, which added manual termination of the
 strings, has been determined to be unnecessary; it also reduced the
 length of utmp strings by one character. As such, it has been removed.
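
 As an added example (not code from utempter, glibc or the Mandrake
 patch) showing why forcing a terminator into a fixed-width utmp field
 costs one character: the ut_line field is NUL-padded but need not be
 NUL-terminated, so a name as long as the field fills every byte, and a
 bounded length (memchr, equivalent to strnlen) is the correct way to
 read it back. LINESIZE is assumed to equal glibc's UT_LINESIZE of 32,
 and struct line_rec is a stand-in for the ut_line member of struct utmp.

```c
/* Added example (not utempter's or glibc's code). A utmp record keeps the
 * tty name in a fixed-width field that is NUL-padded but not required to
 * be NUL-terminated: a line name as long as the field fills every byte.
 * LINESIZE is assumed to equal glibc's UT_LINESIZE (32); the struct is a
 * stand-in for the ut_line member of struct utmp. */
#include <stdio.h>
#include <string.h>

#define LINESIZE 32

struct line_rec {
    char ut_line[LINESIZE];
};

/* How utmp writers fill the field: strncpy pads short names with NULs and
 * copies a full-width name exactly, with no terminator. */
static void set_line_fixed(struct line_rec *r, const char *line)
{
    strncpy(r->ut_line, line, sizeof r->ut_line);
}

/* The withdrawn "always terminate" variant: reserves the last byte for a
 * NUL, so a full-width name loses its final character. */
static void set_line_terminated(struct line_rec *r, const char *line)
{
    strncpy(r->ut_line, line, sizeof r->ut_line - 1);
    r->ut_line[sizeof r->ut_line - 1] = '\0';
}

/* The right way to read a fixed-width field: a bounded length (the same
 * result as strnlen), never strlen(), which would run past the field
 * when no NUL is present. */
static size_t line_len(const struct line_rec *r)
{
    const char *nul = memchr(r->ut_line, '\0', sizeof r->ut_line);
    return nul ? (size_t)(nul - r->ut_line) : sizeof r->ut_line;
}

/* Length actually stored by each strategy, for comparison. */
size_t stored_len_fixed(const char *line)
{
    struct line_rec r;
    set_line_fixed(&r, line);
    return line_len(&r);
}

size_t stored_len_terminated(const char *line)
{
    struct line_rec r;
    set_line_terminated(&r, line);
    return line_len(&r);
}

int main(void)
{
    const char *full = "pts/0123456789012345678901234567";   /* 32 chars */

    printf("fixed:      %zu\n", stored_len_fixed(full));        /* 32 */
    printf("terminated: %zu\n", stored_len_terminated(full));   /* 31 */
    printf("short name: %zu / %zu\n", stored_len_fixed("tty0"),
           stored_len_terminated("tty0"));                     /* 4 / 4 */
    return 0;
}
```

 The crash risk the original report had in mind comes from reading such
 a field with strlen(), not from writing it; readers that bound the
 length to the field size, as line_len() does, need no terminator.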
 _______________________________________________________________________

 References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 20728c199dc84538cc1c1c5db70b6784  10.0/SRPMS/utempter-0.5.2-12.2.100mdk.src.rpm
 295d91a84f7495ec66796b06317a6e50  10.0/RPMS/libutempter0-0.5.2-12.2.100mdk.i586.rpm
 f6a6a5bff4c46f68f2e2039f88e281b9  10.0/RPMS/libutempter0-devel-0.5.2-12.2.100mdk.i586.rpm
 80064975fddb9184eed63988ab8d5144  10.0/RPMS/utempter-0.5.2-12.2.100mdk.i586.rpm

 Corporate Server 2.1:
 9c88fb56dd2bf5be45b667dd986b6a93  corporate/2.1/SRPMS/utempter-0.5.2-11.2.C21mdk.src.rpm
 dc2b4c0b75f5829b01e5711a48575acb  corporate/2.1/RPMS/libutempter0-0.5.2-11.2.C21mdk.i586.rpm
 234bf4cd1d11f03999d0389dfb1b92a0  corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.2.C21mdk.i586.rpm
 d8c8193245ee4bb4dd0b29934710d616  corporate/2.1/RPMS/utempter-0.5.2-11.2.C21mdk.i586.rpm

 Corporate Server 2.1/x86_64:
 9c88fb56dd2bf5be45b667dd986b6a93  x86_64/corporate/2.1/SRPMS/utempter-0.5.2-11.2.C21mdk.src.rpm
 c633f8b5c17c2c2005b7ea2e83f88ad3  x86_64/corporate/2.1/RPMS/libutempter0-0.5.2-11.2.C21mdk.x86_64.rpm
 68d6d623e6c20493301d78dc51b64ae6  x86_64/corporate/2.1/RPMS/libutempter0-devel-0.5.2-11.2.C21mdk.x86_64.rpm
 dab90f2133385bf148f104f95031e95b  x86_64/corporate/2.1/RPMS/utempter-0.5.2-11.2.C21mdk.x86_64.rpm

 Mandrakelinux 9.1:
 d5130114cb6a6eac57b13eb91abfef36  9.1/SRPMS/utempter-0.5.2-10.2.91mdk.src.rpm
 0593f4150d6eae47c91e844e39b45a98  9.1/RPMS/libutempter0-0.5.2-10.2.91mdk.i586.rpm
 9fa7cc39c0f06052be6e6a8a961e2ccd  9.1/RPMS/libutempter0-devel-0.5.2-10.2.91mdk.i586.rpm
 0000bb29eff9317cb386eb5674c5f8e3  9.1/RPMS/utempter-0.5.2-10.2.91mdk.i586.rpm

 Mandrakelinux 9.1/PPC:
 d5130114cb6a6eac57b13eb91abfef36  ppc/9.1/SRPMS/utempter-0.5.2-10.2.91mdk.src.rpm
 b63ef5b274759fd8c72f1b756b343275  ppc/9.1/RPMS/libutempter0-0.5.2-10.2.91mdk.ppc.rpm
 ee58c267af2148950cd8ddf0dbd2829f  ppc/9.1/RPMS/libutempter0-devel-0.5.2-10.2.91mdk.ppc.rpm
 d0d22b0acaa39b6a55763c36fb5ba06c  ppc/9.1/RPMS/utempter-0.5.2-10.2.91mdk.ppc.rpm

 Mandrakelinux 9.2:
 7e74a057a62e7b9b673ce6d67afa7787  9.2/SRPMS/utempter-0.5.2-12.2.92mdk.src.rpm
 70753671ed9759554caebf40a5e6045c  9.2/RPMS/libutempter0-0.5.2-12.2.92mdk.i586.rpm
 ae1cad0a2d1bb89c2311f1a331b3af84  9.2/RPMS/libutempter0-devel-0.5.2-12.2.92mdk.i586.rpm
 622767f0ce4824a0d70424932954b5d6  9.2/RPMS/utempter-0.5.2-12.2.92mdk.i586.rpm

 Mandrakelinux 9.2/AMD64:
 7e74a057a62e7b9b673ce6d67afa7787  amd64/9.2/SRPMS/utempter-0.5.2-12.2.92mdk.src.rpm
 1b3fe88346c0abc0f964f397c033b234  amd64/9.2/RPMS/lib64utempter0-0.5.2-12.2.92mdk.amd64.rpm
 bfc40facd647fe21e22f1753556b3e33  amd64/9.2/RPMS/lib64utempter0-devel-0.5.2-12.2.92mdk.amd64.rpm
 3aa865490f19b372a47e34157bbcdaff  amd64/9.2/RPMS/utempter-0.5.2-12.2.92mdk.amd64.rpm

 Multi Network Firewall 8.2:
 3d1f7e6a11e8d342a625a5f2c849ac98  mnf8.2/SRPMS/utempter-0.5.2-5.2.M82mdk.src.rpm
 7b5a0a2804484629e48956f0173bd034  mnf8.2/RPMS/libutempter0-0.5.2-5.2.M82mdk.i586.rpm
 e0187ad9c7ab211e1a6a51344da3ec59  mnf8.2/RPMS/libutempter0-devel-0.5.2-5.2.M82mdk.i586.rpm
 fe94436a22a4547e9d5b499076b431b9  mnf8.2/RPMS/utempter-0.5.2-5.2.M82mdk.i586.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

   http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

   http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

   http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  

 
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.