[Full-disclosure] MDKSA-2005:175 - Updated texinfo packages fix temporary file vulnerability

From: Mandriva Security Team (security_at_mandriva.com)
Date: 10/07/05

  • Next message: offtopic: "RE: [Full-disclosure] Websites vulnerabilities disclosure"
    To: full-disclosure@lists.grok.org.uk
    Date: Thu, 06 Oct 2005 21:07:40 -0600
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandriva Linux Security Update Advisory
     _______________________________________________________________________

     Package name: texinfo
     Advisory ID: MDKSA-2005:175
     Date: October 6th, 2005

     Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0,
                             Corporate Server 2.1
     ______________________________________________________________________

     Problem Description:

     Frank Lichtenheld has discovered that texindex insecurely creates
     temporary files with predictable filenames. This is exploitable if
     a local attacker were to create symbolic links in the temporary files
     directory, pointing to a valid file on the filesystem. When texindex
     is executed, the file would be overwitten with the rights of the user
     running texindex.
     
     The updated packages have been patched to correct this issue.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011
     ______________________________________________________________________

     Updated Packages:
      
     Mandrivalinux 10.1:
     76e53b496b39c7b28f0267a90ba586a8 10.1/RPMS/info-4.7-2.1.101mdk.i586.rpm
     10cd78726493bda942913b5584bcf0ea 10.1/RPMS/info-install-4.7-2.1.101mdk.i586.rpm
     25b0fff505495b5b4b80ffcf113ecb15 10.1/RPMS/texinfo-4.7-2.1.101mdk.i586.rpm
     e47fb813ed54544bd93b6897031b6d2d 10.1/SRPMS/texinfo-4.7-2.1.101mdk.src.rpm

     Mandrivalinux 10.1/X86_64:
     5f47ff5b3e06addb1924f92b8ade046f x86_64/10.1/RPMS/info-4.7-2.1.101mdk.x86_64.rpm
     66cb5ffb24e9e263cfe2af552b5f2ac1 x86_64/10.1/RPMS/info-install-4.7-2.1.101mdk.x86_64.rpm
     bda2aa2a304be57fa28f2879b85fc9c0 x86_64/10.1/RPMS/texinfo-4.7-2.1.101mdk.x86_64.rpm
     e47fb813ed54544bd93b6897031b6d2d x86_64/10.1/SRPMS/texinfo-4.7-2.1.101mdk.src.rpm

     Mandrivalinux 10.2:
     da38f9033ba2495d786bbb95bcee6c9f 10.2/RPMS/info-4.8-1.1.102mdk.i586.rpm
     e1dbdf1b7c0ad41fde7bab6cab92be6f 10.2/RPMS/info-install-4.8-1.1.102mdk.i586.rpm
     2b0c6e496d0adfa9b8c486c048c5cd65 10.2/RPMS/texinfo-4.8-1.1.102mdk.i586.rpm
     e018dbb4a415940d5c5062c4cdd01a1f 10.2/SRPMS/texinfo-4.8-1.1.102mdk.src.rpm

     Mandrivalinux 10.2/X86_64:
     9baa45ce2070d15f35062c41a574bf4f x86_64/10.2/RPMS/info-4.8-1.1.102mdk.x86_64.rpm
     821d86aeae3923411e2667ea8cca3723 x86_64/10.2/RPMS/info-install-4.8-1.1.102mdk.x86_64.rpm
     54c74f133bcf8cf6791cc97ef9c2e2f2 x86_64/10.2/RPMS/texinfo-4.8-1.1.102mdk.x86_64.rpm
     e018dbb4a415940d5c5062c4cdd01a1f x86_64/10.2/SRPMS/texinfo-4.8-1.1.102mdk.src.rpm

     Mandrivalinux 2006.0:
     8b6d88e8dc11347d15daaecea9614350 2006.0/RPMS/info-4.8-1.1.20060mdk.i586.rpm
     db1fb3ef2f3810ad044f7ceb0e7f28ba 2006.0/RPMS/info-install-4.8-1.1.20060mdk.i586.rpm
     71bd982b51dd4ce475bff38b13e602ee 2006.0/RPMS/texinfo-4.8-1.1.20060mdk.i586.rpm
     727c5b4c31890156019eeaa67693d169 2006.0/SRPMS/texinfo-4.8-1.1.20060mdk.src.rpm

     Mandrivalinux 2006.0/X86_64:
     1ebc92ec90e633ed7bd2c23df56db8e6 x86_64/2006.0/RPMS/info-4.8-1.1.20060mdk.x86_64.rpm
     52a3c172223d5c4fac673719232df4b5 x86_64/2006.0/RPMS/info-install-4.8-1.1.20060mdk.x86_64.rpm
     ad9da3a4cfa7e804c2880a94622bbe66 x86_64/2006.0/RPMS/texinfo-4.8-1.1.20060mdk.x86_64.rpm
     727c5b4c31890156019eeaa67693d169 x86_64/2006.0/SRPMS/texinfo-4.8-1.1.20060mdk.src.rpm

     Corporate Server 2.1:
     af212fb87728fcb48c736f5f30f0a906 corporate/2.1/RPMS/info-4.2-5.1.C21mdk.i586.rpm
     256c91dbdf2650f5323c9294916eb25c corporate/2.1/RPMS/info-install-4.2-5.1.C21mdk.i586.rpm
     37f29e7fc13e78f1de4213591a028723 corporate/2.1/RPMS/texinfo-4.2-5.1.C21mdk.i586.rpm
     8c4df474276402f88497af71c8e6586a corporate/2.1/SRPMS/texinfo-4.2-5.1.C21mdk.src.rpm

     Corporate Server 2.1/X86_64:
     32d0a4f0f9e9d14bfb34368f5d5e429e x86_64/corporate/2.1/RPMS/info-4.2-5.1.C21mdk.x86_64.rpm
     8df053321dd699e94bfed39387df0541 x86_64/corporate/2.1/RPMS/info-install-4.2-5.1.C21mdk.x86_64.rpm
     44a60c312004ed7490a802521559ddae x86_64/corporate/2.1/RPMS/texinfo-4.2-5.1.C21mdk.x86_64.rpm
     8c4df474276402f88497af71c8e6586a x86_64/corporate/2.1/SRPMS/texinfo-4.2-5.1.C21mdk.src.rpm

     Corporate 3.0:
     9556168c04d13c9a6a3f6e7015a398de corporate/3.0/RPMS/info-4.6-1.1.C30mdk.i586.rpm
     ed35b999cc4037b9ad7f838eb641a837 corporate/3.0/RPMS/info-install-4.6-1.1.C30mdk.i586.rpm
     7f26434349820297ee62871c754c61d4 corporate/3.0/RPMS/texinfo-4.6-1.1.C30mdk.i586.rpm
     83cb27358b6e352de4f1173407175823 corporate/3.0/SRPMS/texinfo-4.6-1.1.C30mdk.src.rpm

     Corporate 3.0/X86_64:
     217fc652b60c5aac4e9c17ea69f5ab33 x86_64/corporate/3.0/RPMS/info-4.6-1.1.C30mdk.x86_64.rpm
     7c3eee4af8b915337903ed6f8e8cedaf x86_64/corporate/3.0/RPMS/info-install-4.6-1.1.C30mdk.x86_64.rpm
     11af71727eee1214d330d34ff9dbfe54 x86_64/corporate/3.0/RPMS/texinfo-4.6-1.1.C30mdk.x86_64.rpm
     83cb27358b6e352de4f1173407175823 x86_64/corporate/3.0/SRPMS/texinfo-4.6-1.1.C30mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandriva for security. You can obtain the
     GPG public key of the Mandriva Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandriva Linux at:

      http://www.mandriva.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_(at)_mandriva.com
     _______________________________________________________________________

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFDReZ8mqjQ0CJFipgRAoymAKDLn6IhPLD9vE+NqmNAAuin7vxb0ACgkEAi
    KXYDLCSKSV2dxCpZ/Rq1BqM=
    =axcM
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: offtopic: "RE: [Full-disclosure] Websites vulnerabilities disclosure"

    Relevant Pages