Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


SOT Linux Advisory: slocate

Jan 30, 2003, 23:53 (0 Talkback[s])

[ Thanks to SOT Linux Security Team for this link. ]

---------------------------------------------------------------------
                   SOT Linux Security Advisory

Subject:           Updated slocate package for SOT Linux 2002
Advisory ID:       SLSA-2003:8
Date:              Thursday, January 30, 2003
Product:           SOT Linux 2002
---------------------------------------------------------------------

1. Problem description

Slocate is a security-enhanced version of locate. Just like locate,
slocate searches through a central database (which is updated nightly)
for files which match a given pattern. Slocate allows you to quickly
find files anywhere on your system.

A local buffer overflow was found in the slocate-2.6 package
shipped with SOT Linux 2002.

The overflow appears when the slocate is  runned with two parameters: -c and -r,
using as arguments a 1024.

According to this issues slocate package was updated to version 2.7.
SOT Linux 2002 users are advised to update.


2. Updated packages

SOT Linux 2002 Desktop:

i386:
ftp://ftp.sot.com/updates/2002/Desktop/i386/slocate-2.7-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/slocate-2.7-3.src.rpm
SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/slocate-2.7-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/slocate-2.7-3.src.rpm


3. Upgrading package

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from
the SOT Linux FTP site (use the links above) or from one of our mirrors.
The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command:
rpm -Uvh 


4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:
rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run
"md5sum <filename>" and compare the output with data given below.

Package Name                         MD5 sum
---------------------------------------------------------------------
/Desktop/i386/slocate-2.7-3.i386.rpm   539b7435d49870542661de9d7bd319a2
/Desktop/SRPMS/slocate-2.7-3.src.rpm   8d5c4f11cc9e27f7d09d610eb0799478
/Server/i386/slocate-2.7-3.i386.rpm    539b7435d49870542661de9d7bd319a2
/Server/SRPMS/slocate-2.7-3.src.rpm    8d5c4f11cc9e27f7d09d610eb0799478


5. References

http://www.usg.org.uk/advisories/2003.001.txt
http://www.geekreview.org/slocate/


Copyright(c) 2001, 2002 SOT