[ MDVSA-2009:345 ] acl




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:345
http://www.mandriva.com/security/
_______________________________________________________________________

Package : acl
Date : December 28, 2009
Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability was discovered and corrected in acl:

The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
running in recursive (-R) mode, follow symbolic links even when the
--physical (aka -P) or -L option is specified, which might allow
local users to modify the ACL for arbitrary files or directories via
a symlink attack (CVE-2009-4411).

This update provides a fix for this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
85085eb1f2e217ac6db6819f36e590db 2009.0/i586/acl-2.2.47-4.2mdv2009.0.i586.rpm
d6850e7ee04d6e5d6c1e006148807f9a 2009.0/i586/libacl1-2.2.47-4.2mdv2009.0.i586.rpm
35ecb78e1345620c6640cbac8aca7cd0 2009.0/i586/libacl-devel-2.2.47-4.2mdv2009.0.i586.rpm
2f3de3fef6add27f07d7536603daf96f 2009.0/SRPMS/acl-2.2.47-4.2mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
44d4d3cffbdf3088681ba8eac294f405 2009.0/x86_64/acl-2.2.47-4.2mdv2009.0.x86_64.rpm
8b0918e159b2da664a762dab891bd322 2009.0/x86_64/lib64acl1-2.2.47-4.2mdv2009.0.x86_64.rpm
b984bbb26adc1f73d7ee010e351a5f6d 2009.0/x86_64/lib64acl-devel-2.2.47-4.2mdv2009.0.x86_64.rpm
2f3de3fef6add27f07d7536603daf96f 2009.0/SRPMS/acl-2.2.47-4.2mdv2009.0.src.rpm

Mandriva Linux 2009.1:
c3a02ac328bc96547b9157f68977c173 2009.1/i586/acl-2.2.47-5.1mdv2009.1.i586.rpm
674911bdf647ee4d30149bd32e417bb7 2009.1/i586/libacl1-2.2.47-5.1mdv2009.1.i586.rpm
62a1f6e00abd0da7174771b8d012a85b 2009.1/i586/libacl-devel-2.2.47-5.1mdv2009.1.i586.rpm
f05c4e59f1772c729fafaac0294d57bc 2009.1/SRPMS/acl-2.2.47-5.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
d7c7d4ad8c86b129097ab77d47b02d9e 2009.1/x86_64/acl-2.2.47-5.1mdv2009.1.x86_64.rpm
849241d3c01fe1854e5553af5bb22b4c 2009.1/x86_64/lib64acl1-2.2.47-5.1mdv2009.1.x86_64.rpm
0ca12919b3f2110c4be3c260fcfa8321 2009.1/x86_64/lib64acl-devel-2.2.47-5.1mdv2009.1.x86_64.rpm
f05c4e59f1772c729fafaac0294d57bc 2009.1/SRPMS/acl-2.2.47-5.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
c47933ef2dc3d89ebe614471b8ecb861 2010.0/i586/acl-2.2.48-1.1mdv2010.0.i586.rpm
45f7cc7ce0afcce08a0b0e02c2d76973 2010.0/i586/libacl1-2.2.48-1.1mdv2010.0.i586.rpm
d533e59fb185f5674944387aede52d4b 2010.0/i586/libacl-devel-2.2.48-1.1mdv2010.0.i586.rpm
f17057a31d8f7f6f441dbc7ead634776 2010.0/SRPMS/acl-2.2.48-1.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
71744500b8e325e09062acd221cad582 2010.0/x86_64/acl-2.2.48-1.1mdv2010.0.x86_64.rpm
bf7c769383b9cc736aa565261be57a33 2010.0/x86_64/lib64acl1-2.2.48-1.1mdv2010.0.x86_64.rpm
7f8a8db6720f0c8f18b0e5b22269929a 2010.0/x86_64/lib64acl-devel-2.2.48-1.1mdv2010.0.x86_64.rpm
f17057a31d8f7f6f441dbc7ead634776 2010.0/SRPMS/acl-2.2.48-1.1mdv2010.0.src.rpm

Mandriva Enterprise Server 5:
78ed39a64acd0186365f86d484c01edd mes5/i586/acl-2.2.47-4.2mdvmes5.i586.rpm
5c6079223bbd9797175934347c3fc3bb mes5/i586/libacl1-2.2.47-4.2mdvmes5.i586.rpm
a67beea2c129051e33bfa2ef2342c9ac mes5/i586/libacl-devel-2.2.47-4.2mdvmes5.i586.rpm
bbda0bedef0d52edb98a93ad62f256c2 mes5/SRPMS/acl-2.2.47-4.2mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
802538312a3c3ef0cf70411feaaf9f38 mes5/x86_64/acl-2.2.47-4.2mdvmes5.x86_64.rpm
5f48b77cb6c0fd2e4ae442b6e10f923e mes5/x86_64/lib64acl1-2.2.47-4.2mdvmes5.x86_64.rpm
5042eb91ee69f76c34e4c340890e2e32 mes5/x86_64/lib64acl-devel-2.2.47-4.2mdvmes5.x86_64.rpm
bbda0bedef0d52edb98a93ad62f256c2 mes5/SRPMS/acl-2.2.47-4.2mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLOSDdmqjQ0CJFipgRAvXNAKDip6+gvkNWkz6Fj1ed6cvEBGZRdgCfROOL
a3Es+T2rqHu6X3xp7bcEIig=
=SaC5
-----END PGP SIGNATURE-----



Relevant Pages

  • [Full-disclosure] [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Full-Disclosure)
  • [Full-disclosure] [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Bugtraq)
  • [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Bugtraq)
  • [Full-disclosure] [ MDKSA-2007:079-1 ] - Updated xorg-x11/XFree86 packages fix i
    ... Local exploitation of a memory corruption vulnerability in the X.Org ... Updated packages are patched to address these issues. ... Packages for Mandriva Linux 2007.1 are now available. ...
    (Full-Disclosure)