- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-14
- - ---------------------------------------------------------------------
PACKAGE : mysql
SUMMARY : remote root exploit
DATE : 2003-03-18 18:12 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <3.23.56
FIXED VERSION : >=3.23.56
CVE :
- - ---------------------------------------------------------------------
"This issue has been adressed in 3.23.56 (release build is started
today), and some steps were taken to alleviate the threat.
In particular, MySQL will no longer read config files that are
world-writeable (and SELECT ... OUTFILE always creates world-writeable
files). Also, unlike other options, for --user option the first one will
have the precedence. So if --user is set in /etc/my.cnf (as it is
recommended in the manual), datadir/my.cnf will not be able to override
it."
quote from:
http://marc.theaimsgroup.com/?l=bugtraq&m=104739810523433&w=2
SOLUTION
It is recommended that all Gentoo Linux users who are running
dev-db/mysql upgrade to mysql-3.23.56 as follows:
emerge sync
emerge mysql
emerge clean
- - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-13
- - ---------------------------------------------------------------------
PACKAGE : man
SUMMARY : arbitrary code execution
DATE : 2003-03-18 18:03 UTC
EXPLOIT : local
VERSIONS AFFECTED : <1.5l
FIXED VERSION : >=1.5l
CVE : CAN-2003-0124
- - ---------------------------------------------------------------------
- From advisory:
"man 1.5l was released today, fixing a bug which results in arbitrary code
execution upon reading a specially formatted man file. The basic problem
is, upon finding a string with a quoting problem, the function my_xsprintf
in util.c will return "unsafe" (rather than returning a string which could
be interpreted by the shell). This return value is passed directly to
system(3) - meaning if there is any program named `unsafe`, it will execute
with the privs of the user."
Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104740927915154&w=2
SOLUTION
It is recommended that all Gentoo Linux users who are running
sys-apps/man upgrade to man-1.5l as follows:
emerge sync
emerge man
emerge clean
- - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.