SuSE Security Announcement: gnorpm
Oct 16, 2000, 19:17
Date: Mon, 16 Oct 2000 16:00:09 +0200 (MEST)
From: Roman Drahtmueller firstname.lastname@example.org
Subject: [suse-security-announce] SuSE Security Announcement:
SuSE Security Announcement
Date: Monday, October 16th, 2000 15:45 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: tmp race / local file overwrite
Severity (1-10): 4
SuSE default package: no
Other affected systems: Systems using gnorpm
Content of this advisory:
1) security vulnerability resolved: gnorpm
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade
gnorpm is a graphical user interface to the rpm subsystem for
the gnome desktop.
Insecure temporary file handling may cause the gnorpm package to
overwrite arbitrary files on the system. As a workaround it is
recommended to make sure that there are no active user processes on
the system while performing software updates with gnorpm. This can be
accomplished by bringing the Linux system down to runlevel 1
(multi-user without network) and starting the network by hand
(rci4l_hardware start; rci4l start; rcnetwork start; rcroute
SuSE provides update packages for the vulnerable gnorpm package.
However, tests have revealed that the new gnorpm version from Alan
Cox does not work reliably with the rpm subsystem in older SuSE
distributions. Adding patches to these gnorpm versions has not
increased the reliability of the package either. For this reason we
do not provide update packages for the SuSE distributions prior to
(and including) SuSE-6.3. Please update your system to a more recent
base installation (SuSE-7.0 recommended) or use the workaround
described above if you need to use gnorpm in a multi-user and
possibly hostile environment.
Download the update package from the locations described below and
install the package with the command `rpm -Fhv file.rpm'. The
md5sum for each file is in the line below it. You can verify the
integrity of the rpm files using the command
`rpm --checksig --nogpg file.rpm',
independently of the md5sums listed below.
i386 Intel Platform:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and
A set of security announcements is following this advisory.
3) standard appendix:
SuSE runs two security mailing lists to which any interested
party may subscribe:
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to email@example.com.
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list. To
subscribe, send an email to firstname.lastname@example.org.
For general information or the frequently asked questions (faq)
send mail to:
SuSE's security contact is email@example.com.
--
| Roman Drahtmüller firstname.lastname@example.org // "Caution: Cape does          |
| SuSE GmbH - Security            Phone:           // not enable user to fly."     |
| Nürnberg, Germany               +49-911-740530   // (Batman Costume warning label) |