Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


SOT Linux Advisory: mc

Apr 12, 2004, 21:14 (0 Talkback[s])

SOT Linux Security Advisory

Subject: Updated mc package for SOT Linux 2003
Advisory ID: SLSA-2004:16
Date: Monday, April 12, 2004
Product: SOT Linux 2003


1. Problem description

According to a message from Ilya Teterin posted on Bugtraq, the Midnight Commander application uses a uninitialized buffer to handle symlinks in VFS. This allows attackers to execute arbitrary code during symlink conversion. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-1023 to the problem.

Users of MC should update to these erratum packages which are not vulnerable to this issue.

2. Updated packages

SOT Linux 2003 Desktop:

i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/mc-4.5.54-8.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/mcserv-4.5.54-8.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/mc-4.5.54-8.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/mc-4.5.54-8.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mcserv-4.5.54-8.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mc-4.5.54-8.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name MD5 sum


/Desktop/i386/mc-4.5.54-8.i386.rpm 77fd4419887d87e2fef573d566461b94
/Desktop/i386/mcserv-4.5.54-8.i386.rpm a85f39f9ff19e43d557f2fd52a4a5edb
/Desktop/SRPMS/mc-4.5.54-8.src.rpm 3a99183b3c4204822f8fd2c432aa1e31
/Server/i386/mc-4.5.54-8.i386.rpm 77fd4419887d87e2fef573d566461b94
/Server/i386/mcserv-4.5.54-8.i386.rpm a85f39f9ff19e43d557f2fd52a4a5edb
/Server/SRPMS/mc-4.5.54-8.src.rpm 3a99183b3c4204822f8fd2c432aa1e31

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
http://marc.theaimsgroup.com/?l=bugtraq&m=106399528518704

Copyright(c) 2001-2003 SOT