Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Gentoo Secure Linux Advisories: sharutils, pam_ldap

Oct 31, 2002, 00:40 (0 Talkback[s])

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-012
- - --------------------------------------------------------------------

PACKAGE : sharutils
SUMMARY : inadequate checks on user-specified output files
DATE    : 2002-10-30 14:10 UTC
EXPLOIT : local

- - --------------------------------------------------------------------

The uudecode utility would create an output file without checking
to see if it was about to write to a symlink or a pipe. If a
user uses uudecode to extract data into open shared directories,
such as /tmp, this vulnerability could be used by a local attacker
to overwrite files or lead to privilege escalation.

Read the full advisory at
http://www.kb.cert.org/vuls/id/336083

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/sharutils-4.2.1-r5 and earlier update their systems as follows:

emerge rsync
emerge sharutils
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-013
- - --------------------------------------------------------------------

PACKAGE : pam_ldap
SUMMARY : format string attack
DATE    : 2002-10-30 22:10 UTC
EXPLOIT : local

- - --------------------------------------------------------------------

Versions 143 and earlier of the pam_ldap module are vulnerable to a 
format string attack. A local attacker could supply a malicious 
format string when opening a configuration file, which could allow 
the attacker to execute arbitrary code on the system with elevated 
privileges.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-libs/pam_ldap-134-r1 and earlier update their systems as follows:

emerge rsync
emerge pam_ldap
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------