Linux Today: Linux News On Internet Time.

Trustix Secure Linux Advisory: util-linux

Jul 30, 2002, 21:54

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0064

Package name:      util-linux
Summary:           local problem
Date:              2002-07-30
Affected versions: TSL 1.1, 1.2, 1.5

--------------------------------------------------------------------------

Problem description:
  The chfn feature of the util-linux package shipped with all versions
  of TSL suffers from a locally exploitable file locking problem.

  With some interference from the system administrator an attacker could
  gain escalated privileges.

  As a result of upgrading the somewhat old TSL 1.1 release, the bash
  packages for TSL 1.1 are also updated.

  The Common Vulnerabilities and Exposures project (cve.mitre.org/) has
  assigned the name CAN-2002-0638 to this issue.


Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory, along with all TSL packages, is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0064-util-linux.asc.txt>


MD5sums of the packages:
--------------------------------------------------------------------------
bc36648127dc1ea5fc9d6dc80506b5a9  ./1.5/SRPMS/util-linux-2.11f-7tr.src.rpm
b4b7b0e7bb7ceea67ffe3c3e3e036a34  ./1.5/RPMS/util-linux-2.11f-7tr.i586.rpm
04369204aa84be55fd1d8f49debd0303  ./1.5/RPMS/mount-2.11f-7tr.i586.rpm
4c1805a7db97253e6f10dc8619539bdd  ./1.5/RPMS/losetup-2.11f-7tr.i586.rpm
bc36648127dc1ea5fc9d6dc80506b5a9  ./1.2/SRPMS/util-linux-2.11f-7tr.src.rpm
4899c74f0729313bf4ffb36134b7e97d  ./1.2/RPMS/util-linux-2.11f-7tr.i586.rpm
41c030349b57ce43fc78a857dab06fda  ./1.2/RPMS/mount-2.11f-7tr.i586.rpm
68c2d6e60a4c6f9beb11a7168179243d  ./1.2/RPMS/losetup-2.11f-7tr.i586.rpm
bc36648127dc1ea5fc9d6dc80506b5a9  ./1.1/SRPMS/util-linux-2.11f-7tr.src.rpm
5983543f12f5eafcb08e057c7f06d296  ./1.1/RPMS/util-linux-2.11f-7tr.i586.rpm
1885bec83a157c8f1053a47abd12937a  ./1.1/RPMS/mount-2.11f-7tr.i586.rpm
56e7648d0acff52cd90bbc0ca39796aa  ./1.1/RPMS/losetup-2.11f-7tr.i586.rpm
8f1f2c235fdf639162d4887fc012c473  ./1.1/SRPMS/bash-2.03-11tr.src.rpm
090ef872b22505d8d97e1aa641d6724b  ./1.1/RPMS/bash-doc-2.03-11tr.i586.rpm
9d47b28a76c756c156e0678c93fef773  ./1.1/RPMS/bash-2.03-11tr.i586.rpm
--------------------------------------------------------------------------


Trustix Security Team
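
An added example, not part of the Trustix advisory or its tooling: a shell function that checks downloaded packages for one TSL release against the "MD5sums of the packages" list in a saved copy of the advisory. The function name, its three arguments and the local mirror layout are assumptions; it expects GNU md5sum.

```shell
#!/bin/sh
# Added example, not Trustix tooling. Names and arguments are assumptions.
# Usage: verify_advisory_md5 ADVISORY_FILE MIRROR_ROOT RELEASE   (e.g. 1.5)
# Assumes the advisory's signature was already checked (gpg --verify)
# against the TSL sign key, and that GNU md5sum is installed.

verify_advisory_md5() {
    advisory=$1 root=$2 release=$3
    list=$(mktemp) || return 2

    # Keep "<32 hex digits>  ./RELEASE/..." lines found after the
    # "MD5sums of the packages:" header; separators and prose are skipped.
    awk -v prefix="./$release/" '
        /^MD5sums of the packages:/ { in_list = 1; next }
        in_list && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ &&
            index($2, prefix) == 1 { print $1 "  " $2 }
    ' "$advisory" > "$list"

    if [ ! -s "$list" ]; then
        echo "no checksum entries for release $release in $advisory" >&2
        rm -f "$list"
        return 2
    fi

    # md5sum -c resolves the ./RELEASE/RPMS/... paths relative to the
    # mirror root; a missing or altered file gives a non-zero status.
    status=0
    (cd "$root" && md5sum -c --quiet "$list") || status=$?
    rm -f "$list"
    return "$status"
}

if [ "$#" -eq 3 ]; then
    verify_advisory_md5 "$@"
fi
```

The function returns 0 only when every package listed for the chosen release is present under the mirror root and matches; it returns 2 when the advisory has no entries for that release.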