[Full-Disclosure] MDKSA-2004:007 - Updated mc packages fix buffer overflow vulnerability

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 01/27/04

    To: full-disclosure@lists.netsys.com
    Date: 27 Jan 2004 00:55:49 -0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandrake Linux Security Update Advisory
     _______________________________________________________________________

     Package name: mc
     Advisory ID: MDKSA-2004:007
     Date: January 26th, 2004

     Affected versions: 9.1, 9.2, Corporate Server 2.1
     ______________________________________________________________________

     Problem Description:

     A buffer overflow was discovered in mc's virtual filesystem code.
     This vulnerability could allow remote attackers to execute arbitrary
     code during symlink conversion.
     
     The updated packages have been patched to correct the problem.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
     ______________________________________________________________________

     Updated Packages:
      
     Corporate Server 2.1:
     38317ed34ca1a0ce54018c85d808106a corporate/2.1/RPMS/mc-4.5.55-10.1.C21mdk.i586.rpm
     1dd6c6ffab24a3ce7b57242c6912a44e corporate/2.1/RPMS/mcserv-4.5.55-10.1.C21mdk.i586.rpm
     46277f91fbcdce43d6c142d912e87297 corporate/2.1/SRPMS/mc-4.5.55-10.1.C21mdk.src.rpm

     Corporate Server 2.1/x86_64:
     751dbc6182f482731db02998137d49d0 x86_64/corporate/2.1/RPMS/mc-4.5.55-10.1.C21mdk.x86_64.rpm
     cd3f95e756d6f5144d107f277429834d x86_64/corporate/2.1/RPMS/mcserv-4.5.55-10.1.C21mdk.x86_64.rpm
     46277f91fbcdce43d6c142d912e87297 x86_64/corporate/2.1/SRPMS/mc-4.5.55-10.1.C21mdk.src.rpm

     Mandrake Linux 9.1:
     62e5337a90f9bd712f9bb125d0140fb3 9.1/RPMS/mc-4.6.0-4.1.91mdk.i586.rpm
     fd218112b274a0dd6bb920baa84b31a8 9.1/SRPMS/mc-4.6.0-4.1.91mdk.src.rpm

     Mandrake Linux 9.1/PPC:
     3c217e26bef6c2d9c9c98cf13ddcf51c ppc/9.1/RPMS/mc-4.6.0-4.1.91mdk.ppc.rpm
     fd218112b274a0dd6bb920baa84b31a8 ppc/9.1/SRPMS/mc-4.6.0-4.1.91mdk.src.rpm

     Mandrake Linux 9.2:
     47f0fb32e7ffb1a85a6f0f2680bc6221 9.2/RPMS/mc-4.6.0-4.1.92mdk.i586.rpm
     edd4a1feb126d7cf7e2b74ccbc0997bf 9.2/SRPMS/mc-4.6.0-4.1.92mdk.src.rpm

     Mandrake Linux 9.2/AMD64:
     bcabfcfdaaf3f3659cf9115ac6c02f9a amd64/9.2/RPMS/mc-4.6.0-4.1.92mdk.amd64.rpm
     edd4a1feb126d7cf7e2b74ccbc0997bf amd64/9.2/SRPMS/mc-4.6.0-4.1.92mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     A list of FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

     All packages are signed by MandrakeSoft for security. You can obtain
     the GPG public key of the Mandrake Linux Security Team by executing:

      gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

     Please be aware that sometimes it takes the mirrors a few hours to
     update.

     You can view other update advisories for Mandrake Linux at:

      http://www.mandrakesecure.net/en/advisories/

     MandrakeSoft has several security-related mailing list services that
     anyone can subscribe to. Information on these lists can be obtained by
     visiting:

      http://www.mandrakesecure.net/en/mlist.php

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFAFbcVmqjQ0CJFipgRAmEtAJ4nJlzuLbc7/0n9WyVGIT8XvRAbYgCgqjr9
    /uhYv70t8DadHF6+hS6ffLA=
    =Gs+D
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
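
For hosts where packages are fetched from a mirror by hand instead of through MandrakeUpdate or urpmi, the check the advisory says is done automatically can be reproduced against its "Updated Packages" list. The sketch below is an added example, not part of the advisory or of MandrakeSoft's tooling; the function names, the local mirror directory layout and the demo files and digests are assumptions constructed for illustration. MD5 is not collision resistant, so the list is only as trustworthy as the PGP signature over the advisory, and the GPG signature on each package remains the stronger check.

```python
import hashlib
import re
import tempfile
from pathlib import Path
ENTRY = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")  # "<md5> <relative path>"

def md5_hex(data):
    return hashlib.md5(data, usedforsecurity=False).hexdigest()  # integrity check only

def parse_updated_packages(advisory_text):  # -> [(section, relative_path, md5)]
    entries, section, in_list = [], None, False
    for line in (l.strip() for l in advisory_text.splitlines()):
        if line == "Updated Packages:":
            in_list = True
        elif in_list and line.startswith("____"):   # underscore ruler ends the list
            break
        elif in_list and (m := ENTRY.match(line)):
            entries.append((section, m.group(2), m.group(1)))
        elif in_list and line.endswith(":"):        # e.g. "Mandrake Linux 9.2:"
            section = line[:-1]
    return entries

def verify(entries, mirror_root):  # -> {path: ok | MISMATCH | missing | rejected}
    root, results = Path(mirror_root).resolve(), {}
    for _section, rel, expected in entries:
        target = (root / rel).resolve()
        if root not in target.parents:              # listed path escapes the mirror dir
            results[rel] = "rejected"
        elif not target.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_hex(target.read_bytes()) == expected else "MISMATCH"
    return results

def demo():  # constructed mirror and advisory text; digests are computed here
    with tempfile.TemporaryDirectory() as d:
        (rpms := Path(d, "9.2/RPMS")).mkdir(parents=True)
        (rpms / "mc-demo.i586.rpm").write_bytes(b"intact")
        (rpms / "mcserv-demo.i586.rpm").write_bytes(b"altered in transit")
        text = f"""Updated Packages:
          Mandrake Linux 9.2:
          {md5_hex(b'intact')} 9.2/RPMS/mc-demo.i586.rpm
          {md5_hex(b'as published')} 9.2/RPMS/mcserv-demo.i586.rpm
          {'0' * 32} 9.2/SRPMS/mc-demo.src.rpm
          _____"""
        return verify(parse_updated_packages(text), d)

if __name__ == "__main__":
    print(demo())
```

Feed parse_updated_packages() the advisory text only after its PGP signature has been checked, and treat any result other than "ok" as a reason not to install the file.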

