[Full-Disclosure] MDKSA-2004:159 - Updated glibc packages fix temporary file vulnerability

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 12/30/04

    Date: 30 Dec 2004 03:24:39 -0000
    To: full-disclosure@lists.netsys.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: glibc
     Advisory ID: MDKSA-2004:159
     Date: December 29th, 2004

     Affected versions: 10.0, 10.1
     ______________________________________________________________________

     Problem Description:

     The Trustix developers discovered that the catchsegv and glibcbug
     utilities, part of the glibc package, created temporary files in an
     insecure manner. This could allow for a symlink attack to create or
     overwrite arbitrary files with the privileges of the user invoking the
     program.
     
     The updated packages have been patched to correct this issue.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0968
     ______________________________________________________________________

     Updated Packages:
      
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_at_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFB03T2mqjQ0CJFipgRAsGxAJ4w5MrLm/iq1meYV9yMg8sMbCHbrgCguhSR
    l+3oHXol5pgiVuE/RyjXBH0=
    =gAsH
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
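
The insecure temporary-file pattern the advisory describes, next to two safe replacements. This is an added example, not the code of catchsegv or glibcbug and not the Mandrakesoft patch; the names `report.$$` and `victim` and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example with constructed paths; everything happens in a private scratch dir.

# Insecure pattern: predictable name (PID suffix) opened with a plain redirect.
# '>' follows an existing symlink and truncates the file it points to.
write_insecure() {            # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/report.$$"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively (O_CREAT|O_EXCL, mode 0600); it never reuses an existing entry.
write_secure() {              # prints the path it created
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && printf '%s\n' "$tmp"
}

# Fallback without mktemp: noclobber (set -C) makes '>' refuse an existing target.
write_noclobber() {
    ( set -C; printf '%s\n' "$2" > "$1/report.$$" ) 2>/dev/null
}

run_demo() {
    dir=$(mktemp -d) || return 1
    printf 'important\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/report.$$"     # pre-planted link at the guessable name

    write_insecure "$dir" "scratch data"
    [ "$(cat "$dir/victim")" = "important" ] && r1=intact || r1=clobbered

    printf 'important\n' > "$dir/victim"     # restore, then try the safe variants
    out=$(write_secure "$dir" "scratch data")
    [ "$(cat "$dir/victim")" = "important" ] && [ ! -L "$out" ] && r2=intact || r2=clobbered

    if write_noclobber "$dir" "scratch data"; then r3=written; else r3=refused; fi
    [ "$(cat "$dir/victim")" = "important" ] || r3=clobbered

    rm -rf "$dir"
    echo "insecure=$r1 mktemp=$r2 noclobber=$r3"
}

run_demo   # insecure=clobbered mktemp=intact noclobber=refused
```

On Linux, `fs.protected_symlinks=1` additionally blocks following such links in sticky world-writable directories like /tmp, which is why the demonstration uses its own directory.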
