
Fedora Core Advisory: slocate


Fedora Update Notification
FEDORA-2004-059
2004-01-26


Name : slocate
Version : 2.7
Release : 4
Summary : Finds files on a system via a central database.

Description :
Slocate is a security-enhanced version of locate. Just like locate,
slocate searches through a central database (which is updated
nightly) for files which match a given pattern. Slocate allows you
to quickly find files anywhere on your system.


Update Information:

Patrik Hornik discovered a vulnerability in Slocate versions up
to and including 2.7 where a carefully crafted database could
overflow a heap-based buffer. A local user could exploit this
vulnerability to gain “slocate” group privileges and then read the
entire slocate database. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has assigned the name CAN-2003-0848 to
this issue.

Users of Slocate should upgrade to these packages which contain
a patch from Kevin Lindsay which causes slocate to drop privileges
before reading a user-supplied database.
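
The approach described above, sketched as an added example: this is not Kevin Lindsay's patch and not slocate's own code. It assumes Linux, and the names drop_group_privs, open_db and trusted_gid are hypothetical. A setgid program opens the database, checks the group owner on the open descriptor, and gives up its group privileges before parsing any file that is not owned by the trusted group.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up setgid privileges. Returns 0 on success, -1 if the
 * process could still be running with (or able to regain) the old group. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();

    /* Setting the real gid makes the kernel reset the saved gid as well,
     * so the old group cannot be restored with setegid() afterwards. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* Non-root callers must not be able to get the old group back. */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Open a database for reading. Privileges are kept only when the file is
 * group-owned by trusted_gid (hypothetical parameter: the "slocate" gid).
 * For any other file they are dropped before a single byte is parsed.
 * *dropped is set to 1 when the drop happened. Returns an fd, or -1. */
int open_db(const char *path, gid_t trusted_gid, int *dropped)
{
    struct stat st;
    int fd = open(path, O_RDONLY);

    *dropped = 0;
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the file that was checked
     * is the file that gets read (no check/use race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        goto fail;
    if (st.st_gid != trusted_gid) {
        if (drop_group_privs() != 0)
            goto fail;
        *dropped = 1;
    }
    return fd;
fail:
    close(fd);
    return -1;
}
```

A caller should treat a -1 return as fatal and exit without reading anything. A stricter variant drops privileges before open() for every path given on the command line and keeps them only for the system default database.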


* Wed Jan 21 2004 Mark Cox <mjc@redhat.com>

  • drop privs for non slocate gid databases (CAN-2003-0848)
  • update to 2.7

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

01bf7fd37e5eeb0f4ec4bdc09a4f236e SRPMS/slocate-2.7-4.src.rpm
ecec8659907bbbe65297b634d930b9ae i386/slocate-2.7-4.i386.rpm
33661442e2657b361a64acac29e0cea8 i386/debug/slocate-debuginfo-2.7-4.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

