Mandrake Linux Security Update Advisory
Package name: | cdrecord |
Advisory ID: | MDKSA-2003:058-1 |
Date: | May 21st, 2003 |
Original Advisory Date: | May 15th, 2003 |
Affected versions: | 8.2, 9.0, 9.1, Corporate Server 2.1 |
Problem Description:
A vulnerability in cdrecord was discovered that can be used to
obtain root access because Mandrake Linux ships with the cdrecord
binary suid root and sgid cdwriter.
Updated packages are provided that fix this vulnerability. You
may also elect to remove the suid and sgid bits from cdrecord
manually, which can be done by executing, as root:
chmod ug-s /usr/bin/cdrecord
This is not required to protect yourself from this particular
vulnerability, however.
Update:
Two additional format string problems were discovered by Olaf
Kirch and an updated patch has been applied to fix those problems
as well.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0289
http://marc.theaimsgroup.com/?l=bugtraq&m=105285564307225&w=2
Updated Packages:
Corporate Server 2.1:
f296323910c23fe0f40be0ce53eb963c | corporate/2.1/RPMS/cdrecord-1.11-0.a32.3mdk.i586.rpm |
e870a3fe022385e995b6d436c5a1713e | corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.3mdk.i586.rpm |
4966b5670dc2977996e196be5ab00329 | corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.3mdk.i586.rpm |
ffa8d1f399c7771748edeb36f390c682 | corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.3mdk.i586.rpm |
fa42f85ee28f55d99d17c3808886bc3f | corporate/2.1/RPMS/mkisofs-1.15-0.a32.3mdk.i586.rpm |
5078a46689aeb16bcc185903681927f0 | corporate/2.1/SRPMS/cdrecord-1.11-0.a32.3mdk.src.rpm |
Mandrake Linux 8.2:
48c0c79d45ef787acda9da76423fd779 | 8.2/RPMS/cdrecord-1.11-0.a31.1.3mdk.i586.rpm |
b1bae2de92a9eac1d580f3d6fef27cd5 | 8.2/RPMS/cdrecord-cdda2wav-1.11-0.a31.1.3mdk.i586.rpm |
fa925a3b9864cbd070881ac3963ee61f | 8.2/RPMS/cdrecord-devel-1.11-0.a31.1.3mdk.i586.rpm |
93e8043fbf49044ac193281664a35026 | 8.2/RPMS/cdrecord-dvdhack-1.11-0.a31.1.3mdk.i586.rpm |
dbc1bb8a04186f6e103f02a8c57ffb47 | 8.2/RPMS/mkisofs-1.15-0.a31.1.3mdk.i586.rpm |
86d2d8d768c26ba1e5b0d43db70acb7c | 8.2/SRPMS/cdrecord-1.11-0.a31.1.3mdk.src.rpm |
Mandrake Linux 8.2/PPC:
04d13628426c0cc8722f272a362def9b | ppc/8.2/RPMS/cdrecord-1.11-0.a31.1.3mdk.ppc.rpm |
7a8b5a02de46ad32202709454a21c655 | ppc/8.2/RPMS/cdrecord-cdda2wav-1.11-0.a31.1.3mdk.ppc.rpm |
c88757d2aa04630d13cfb957a818762a | ppc/8.2/RPMS/cdrecord-devel-1.11-0.a31.1.3mdk.ppc.rpm |
8b6654b249cb78380140343e7ea709ea | ppc/8.2/RPMS/cdrecord-dvdhack-1.11-0.a31.1.3mdk.ppc.rpm |
40b7ee4b6502138d54273071e2982038 | ppc/8.2/RPMS/mkisofs-1.15-0.a31.1.3mdk.ppc.rpm |
86d2d8d768c26ba1e5b0d43db70acb7c | ppc/8.2/SRPMS/cdrecord-1.11-0.a31.1.3mdk.src.rpm |
Mandrake Linux 9.0:
f296323910c23fe0f40be0ce53eb963c | 9.0/RPMS/cdrecord-1.11-0.a32.3mdk.i586.rpm |
e870a3fe022385e995b6d436c5a1713e | 9.0/RPMS/cdrecord-cdda2wav-1.11-0.a32.3mdk.i586.rpm |
4966b5670dc2977996e196be5ab00329 | 9.0/RPMS/cdrecord-devel-1.11-0.a32.3mdk.i586.rpm |
ffa8d1f399c7771748edeb36f390c682 | 9.0/RPMS/cdrecord-dvdhack-1.11-0.a32.3mdk.i586.rpm |
fa42f85ee28f55d99d17c3808886bc3f | 9.0/RPMS/mkisofs-1.15-0.a32.3mdk.i586.rpm |
5078a46689aeb16bcc185903681927f0 | 9.0/SRPMS/cdrecord-1.11-0.a32.3mdk.src.rpm |
Mandrake Linux 9.1:
506c10d8500d78e4d29917074001e9fd | 9.1/RPMS/cdrecord-2.0-2.2mdk.i586.rpm |
88c0ba0b73c4a7db85133b66f79a8f26 | 9.1/RPMS/cdrecord-cdda2wav-2.0-2.2mdk.i586.rpm |
87514f58a2aa85c17d3c2a39e69ed119 | 9.1/RPMS/cdrecord-devel-2.0-2.2mdk.i586.rpm |
11a51c7a6dc6c59857f9b64c7250b1c0 | 9.1/RPMS/cdrecord-dvdhack-2.0-2.2mdk.i586.rpm |
ed4a310f8c75c24149582847a13cfe46 | 9.1/RPMS/mkisofs-2.0-2.2mdk.i586.rpm |
f721cfcbf031354385bb6045ef67e562 | 9.1/SRPMS/cdrecord-2.0-2.2mdk.src.rpm |
Mandrake Linux 9.1/PPC:
1520ee1807ded7199687d1d467c94851 | ppc/9.1/RPMS/cdrecord-2.0-2.2mdk.ppc.rpm |
13129e25984389ce7a200367d8c7441c | ppc/9.1/RPMS/cdrecord-cdda2wav-2.0-2.2mdk.ppc.rpm |
7b23906998ae56dbe5e0d968fb53d277 | ppc/9.1/RPMS/cdrecord-devel-2.0-2.2mdk.ppc.rpm |
4d00350a2f4c541c178e7ea0eb5b8c8d | ppc/9.1/RPMS/cdrecord-dvdhack-2.0-2.2mdk.ppc.rpm |
a6dbf67b3d253c219a4644b114f39d8f | ppc/9.1/RPMS/mkisofs-2.0-2.2mdk.ppc.rpm |
f721cfcbf031354385bb6045ef67e562 | ppc/9.1/SRPMS/cdrecord-2.0-2.2mdk.src.rpm |
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate. The verification
of md5 checksums and GPG signatures is performed automatically for
you.
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and upgrade with “rpm -Fvh
*.rpm”. A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
command:
rpm –checksig <filename>
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team
from:
https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type | Bits/KeyID | Date | User ID |
pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>
Mandrake Linux Security Update Advisory
Package name: | lpr |
Advisory ID: | MDKSA-2003:059 |
Date: | May 21st, 2003 |
Affected versions: | 8.2 |
Problem Description:
A buffer overflow was discovered in the lpr printer spooling
system that can be exploited by a local user to gain root
privileges. This can be done even if the printer is configured
properly.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0144
Updated Packages:
Mandrake Linux 8.2:
7ed39a748d4c48ce9839299ee24a5e04 | 8.2/RPMS/lpr-0.72-3.1mdk.i586.rpm |
bfff98bc4036f8c2c813707ade3bc041 | 8.2/SRPMS/lpr-0.72-3.1mdk.src.rpm |
Mandrake Linux 8.2/PPC:
fa5bbf033a6fc4c2dca26771f2db9ef2 | ppc/8.2/RPMS/lpr-0.72-3.1mdk.ppc.rpm |
bfff98bc4036f8c2c813707ade3bc041 | ppc/8.2/SRPMS/lpr-0.72-3.1mdk.src.rpm |
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate. The verification
of md5 checksums and GPG signatures is performed automatically for
you.
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and upgrade with “rpm -Fvh
*.rpm”. A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
command:
rpm –checksig <filename>
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team
from:
https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type | Bits/KeyID | Date | User ID |
pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>