Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Blog -  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Preferences
Contribute
Link to Us
Search
Linux Jobs

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Technology Jobs

JustTechJobs.com

LinuxToday Newsletters
Server Daily
IT Management Daily
Subscribe News
Subscribe PR
Subscribe Security

internet.com
Internet News
Small Business

Advertise
Newsletters
Tech Jobs
E-mail Offers

 






Current Newswire:

Webopedia Term of the Day: What is Macbuntu

Virtualization With Xen On CentOS 6.2 (x86_64)

4 Best Free Linux Script Writing Tools

Linux File System Fsck Testing -- The Results Are In

Firefox 11 Gets SPDY

Piracy and the value of freedom

TLWIR 32: Open Sparks Fly, FOSS Players Give Open Advice, and FOSS Petition Gets Key Endorsement

Beware the power of Google?

Google Summer of Code 2012 Kicks Off

How to get started using awk



Applications Management Engineer Sr (NYC)
Next Step Systems
US-NY-New York

Justtechjobs.com Post A Job | Post A Resume
:Gentoo Linux Advisories: acroread, Tomcat
Gentoo Linux Advisories: acroread, Tomcat
Aug 17, 2004, 15 :14 UTC (0 Talkback[s]) (2761 reads)


Gentoo Linux Security Advisory GLSA 200408-14

http://security.gentoo.org/


Severity: Normal
Title: acroread: UUDecode filename buffer overflow
Date: August 15, 2004
Bugs: #60205
ID: 200408-14


Synopsis

acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.

Background

acroread is Adobe's Acrobat PDF reader for Linux.

Affected packages

PackageVulnerableUnaffected
1 app-text/acroread<= 5.08>= 5.09

Description

acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a filename before copying it into a fixed size buffer and, secondly, it fails to check for the backtick shell metacharacter in the filename before executing a command with a shell.

Impact

By enticing a user to open a PDF with a specially crafted filename, an attacker could execute arbitrary code or programs with the permissions of the user running acroread.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of acroread.

Resolution

All acroread users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-text/acroread-5.09"
    # emerge ">=app-text/acroread-5.09"

References

[ 1 ] iDEFENSE Advisory 125

http://idefense.com/application/poi/display?id=125&type=vulnerabilities

[ 2 ] iDEFENSE Advisory 126

http://idefense.com/application/poi/display?id=126&type=vulnerabilities

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-14.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0


Gentoo Linux Security Advisory GLSA 200408-15

http://security.gentoo.org/


Severity: Normal
Title: Tomcat: Insecure Installation
Date: August 15, 2004
Bugs: #59232
ID: 200408-15


Synopsis

Improper file ownership may allow a member of the tomcat group to execute scripts as root.

Background

Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages.

Affected packages

PackageVulnerableUnaffected
1 net-www/tomcat< 5.0.27-r3>= 5.0.27-r3
*>= 4.1.30-r4
*>= 3.3.2-r2

Description

The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts as tomcat:tomcat, but those scripts are executed with root privileges when the system is started. This may allow a member of the tomcat group to run arbitrary code with root privileges when the Tomcat init scripts are run.

Impact

This could lead to a local privilege escalation or root compromise by authenticated users.

Workaround

Users may change the ownership of /etc/init.d/tomcat* and /etc/conf.d/tomcat* to be root:root:

# chown -R root:root /etc/init.d/tomcat* # chown -R root:root /etc/conf.d/tomcat*

Resolution

All Tomcat users can upgrade to the latest stable version, or simply apply the workaround:

    # emerge sync
    # emerge -pv ">=net-www/tomcat-5.0.27-r3"
    # emerge ">=net-www/tomcat-5.0.27-r3"

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-15.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



No talkbacks posted.
  Home | Search Talkbacks | Customize View    Top of Page  



Enter your comments below:

* Your Name:

* Your Email Address:

* Subject:

CC: [will also send this talkback to an E-Mail address]

* Comments:

Tags allowed:<I>,<B> and <U>. See our talkback-policy for more about talkback content.

Fields marked with * are required!

..............................




All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux, Apache and PHP