MDKSA-2005:149 - Updated lm_sensors packages fix temporary file vulnerability

From: Mandriva Security Team (security_at_mandriva.com)
Date: 08/26/05

  • Next message: Dave Hull: "Re: Tool for Identifying Rogue Linksys Routers"
    To: bugtraq@securityfocus.com
    Date: Thu, 25 Aug 2005 16:43:49 -0600
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandriva Linux Security Update Advisory
     _______________________________________________________________________

     Package name: lm_sensors
     Advisory ID: MDKSA-2005:149
     Date: August 25th, 2005

     Affected versions: 10.0, 10.1, 10.2, Corporate 3.0
     ______________________________________________________________________

     Problem Description:

     Javier Fernandez-Sanguino Pena discovered that the pwmconfig script in
     the lm_sensors package created temporary files in an insecure manner.
     This could allow a symlink attack to create or overwrite arbitrary
     files with full root privileges because pwmconfig is typically executed
     by root.
     
     The updated packages have been patched to correct this problem by using
     mktemp to create the temporary files.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     df10273b9fba09f7c5ce627bb5e36ada 10.0/RPMS/liblm_sensors3-2.8.4-2.1.100mdk.i586.rpm
     9d7b0eb57123bd343c332f7fce076397 10.0/RPMS/liblm_sensors3-devel-2.8.4-2.1.100mdk.i586.rpm
     85abe9679e939b093f1bd7d77e7d7e16 10.0/RPMS/liblm_sensors3-static-devel-2.8.4-2.1.100mdk.i586.rpm
     3212cbd6f8123492b47a33c70f28e67c 10.0/RPMS/lm_sensors-2.8.4-2.1.100mdk.i586.rpm
     fcc02a355b53b9e922ddb26cefe0753a 10.0/SRPMS/lm_sensors-2.8.4-2.1.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     ec6a4717784b523a0b3359cda0576765 amd64/10.0/RPMS/lib64lm_sensors3-2.8.4-2.1.100mdk.amd64.rpm
     0a72c0a128cacefe91f1f7cc49e5762f amd64/10.0/RPMS/lib64lm_sensors3-devel-2.8.4-2.1.100mdk.amd64.rpm
     24db3949ab603bfe06066e95fe332673 amd64/10.0/RPMS/lib64lm_sensors3-static-devel-2.8.4-2.1.100mdk.amd64.rpm
     2e514d87df42d4aa351939c4b27e2fe7 amd64/10.0/RPMS/lm_sensors-2.8.4-2.1.100mdk.amd64.rpm
     fcc02a355b53b9e922ddb26cefe0753a amd64/10.0/SRPMS/lm_sensors-2.8.4-2.1.100mdk.src.rpm

     Mandrakelinux 10.1:
     1c851f52f07dd18fd84e4c47102c656f 10.1/RPMS/liblm_sensors3-2.8.7-7.1.101mdk.i586.rpm
     6802ce70ffab988d04579d009b78d8a7 10.1/RPMS/liblm_sensors3-devel-2.8.7-7.1.101mdk.i586.rpm
     6b59df6a1814d9300b9d590a1ab4008f 10.1/RPMS/liblm_sensors3-static-devel-2.8.7-7.1.101mdk.i586.rpm
     4ab2767ada36c3eb47ec7dff9aae28df 10.1/RPMS/lm_sensors-2.8.7-7.1.101mdk.i586.rpm
     e978ae8f29f593dbf3dbb59eda006db1 10.1/SRPMS/lm_sensors-2.8.7-7.1.101mdk.src.rpm

     Mandrakelinux 10.1/X86_64:
     965c42926063cd3abee729f3e3b6b850 x86_64/10.1/RPMS/lib64lm_sensors3-2.8.7-7.1.101mdk.x86_64.rpm
     a470b4f7b984c5e17f579abc10edd49f x86_64/10.1/RPMS/lib64lm_sensors3-devel-2.8.7-7.1.101mdk.x86_64.rpm
     7612338836b497a6bdd3b638120e67ef x86_64/10.1/RPMS/lib64lm_sensors3-static-devel-2.8.7-7.1.101mdk.x86_64.rpm
     1805b24a8c2f2c09b0f19259f3ebcb58 x86_64/10.1/RPMS/lm_sensors-2.8.7-7.1.101mdk.x86_64.rpm
     e978ae8f29f593dbf3dbb59eda006db1 x86_64/10.1/SRPMS/lm_sensors-2.8.7-7.1.101mdk.src.rpm

     Mandrakelinux 10.2:
     bc0221e163fa223e9f7a7e8b101209eb 10.2/RPMS/liblm_sensors3-2.9.0-4.1.102mdk.i586.rpm
     90d172096a15727c0e9f55f8f6459d14 10.2/RPMS/liblm_sensors3-devel-2.9.0-4.1.102mdk.i586.rpm
     92020d0fafe62fc329dfcc3d1d9ed4e6 10.2/RPMS/liblm_sensors3-static-devel-2.9.0-4.1.102mdk.i586.rpm
     7c67db72576b4e623e8c0adf6f3b49aa 10.2/RPMS/lm_sensors-2.9.0-4.1.102mdk.i586.rpm
     bf68836cfdf5be70f4fac4e5f928c3ae 10.2/SRPMS/lm_sensors-2.9.0-4.1.102mdk.src.rpm

     Mandrakelinux 10.2/X86_64:
     0588a52c3be2a4327042f0ef762f2677 x86_64/10.2/RPMS/lib64lm_sensors3-2.9.0-4.1.102mdk.x86_64.rpm
     6f101ef435f161d6d2fd2801ea90ade2 x86_64/10.2/RPMS/lib64lm_sensors3-devel-2.9.0-4.1.102mdk.x86_64.rpm
     b1d4d08c90db9fb7a5c889a88e855529 x86_64/10.2/RPMS/lib64lm_sensors3-static-devel-2.9.0-4.1.102mdk.x86_64.rpm
     6c80fec8081da73a246d02be3b361fd5 x86_64/10.2/RPMS/lm_sensors-2.9.0-4.1.102mdk.x86_64.rpm
     bf68836cfdf5be70f4fac4e5f928c3ae x86_64/10.2/SRPMS/lm_sensors-2.9.0-4.1.102mdk.src.rpm

     Corporate 3.0:
     b992ecee206b158aa13752250f55a239 corporate/3.0/RPMS/liblm_sensors3-2.8.4-2.1.C30mdk.i586.rpm
     1422d8d639631c0d82e7ffdaef8ecfb2 corporate/3.0/RPMS/liblm_sensors3-devel-2.8.4-2.1.C30mdk.i586.rpm
     0c8f7b0c546748c218b6f96c14747b04 corporate/3.0/RPMS/liblm_sensors3-static-devel-2.8.4-2.1.C30mdk.i586.rpm
     900cd7aabecb4af76a1900005f2cc82f corporate/3.0/RPMS/lm_sensors-2.8.4-2.1.C30mdk.i586.rpm
     42537c2b258f5d5c859e89554b18e670 corporate/3.0/SRPMS/lm_sensors-2.8.4-2.1.C30mdk.src.rpm

     Corporate 3.0/X86_64:
     5f2ba067df2ffcea7460ecbbed5b9406 x86_64/corporate/3.0/RPMS/lib64lm_sensors3-2.8.4-2.1.C30mdk.x86_64.rpm
     532c570adec5fddf0bc1de218f281113 x86_64/corporate/3.0/RPMS/lib64lm_sensors3-devel-2.8.4-2.1.C30mdk.x86_64.rpm
     6ea29988cd83558f4acea49cc3eaa34f x86_64/corporate/3.0/RPMS/lib64lm_sensors3-static-devel-2.8.4-2.1.C30mdk.x86_64.rpm
     7a8e60e83b80043606b839119d43d26b x86_64/corporate/3.0/RPMS/lm_sensors-2.8.4-2.1.C30mdk.x86_64.rpm
     42537c2b258f5d5c859e89554b18e670 x86_64/corporate/3.0/SRPMS/lm_sensors-2.8.4-2.1.C30mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandriva for security. You can obtain the
     GPG public key of the Mandriva Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandriva Linux at:

      http://www.mandriva.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_(at)_mandriva.com
     _______________________________________________________________________

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFDDkmlmqjQ0CJFipgRAtgkAKCAM8a41udjZdz8A9aR4LjlFWjpaACfQ6dp
    KcIzx0iSnhhIpW4nRbVczuY=
    =TYCh
    -----END PGP SIGNATURE-----


  • Next message: Dave Hull: "Re: Tool for Identifying Rogue Linksys Routers"

    Relevant Pages