______________________________________________________________________

                Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name:           xfsdump
Advisory ID:            MDKSA-2003:047
Date:                   April 16th, 2003
Affected versions:      8.2, 9.0, 9.1, Corporate Server 2.1
______________________________________________________________________

Problem Description:

 A vulnerability was discovered in xfsdump by Ethan Benson related to
 filesystem quotas on the XFS filesystem. When xfsdump runs xfsdq to
 save the quota information into a file at the root of the filesystem
 being dumped, the file is created in an unsafe manner.

 A new option to xfsdq was added when fixing this vulnerability:
 '-f path'. This specifies an output file to use instead of the default
 output stream. If the file exists already, xfsdq will abort and if the
 file doesn't already exist, it will be created with more appropriate
 access permissions.
______________________________________________________________________

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0173
______________________________________________________________________

Updated Packages:

 Corporate Server 2.1:
 corporate/2.1/RPMS/xfsdump-2.0.3-1.1mdk.i586.rpm
 corporate/2.1/SRPMS/xfsdump-2.0.3-1.1mdk.src.rpm

 Mandrake Linux 8.2:
 8.2/RPMS/xfsdump-2.0.0-2.1mdk.i586.rpm
 8.2/SRPMS/xfsdump-2.0.0-2.1mdk.src.rpm

 Mandrake Linux 8.2/PPC:
 ppc/8.2/RPMS/xfsdump-2.0.0-2.1mdk.ppc.rpm
 ppc/8.2/SRPMS/xfsdump-2.0.0-2.1mdk.src.rpm

 Mandrake Linux 9.0:
 9.0/RPMS/xfsdump-2.0.3-1.1mdk.i586.rpm
 9.0/SRPMS/xfsdump-2.0.3-1.1mdk.src.rpm

 Mandrake Linux 9.1:
 9.1/RPMS/libdm0-2.0.5-1.2mdk.i586.rpm
 9.1/RPMS/libdm0-devel-2.0.5-1.2mdk.i586.rpm
 9.1/RPMS/xfsdump-2.0.3-1.1mdk.i586.rpm
 9.1/SRPMS/dmapi-2.0.5-1.2mdk.src.rpm
 9.1/SRPMS/xfsdump-2.0.3-1.1mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 ppc/9.1/RPMS/libdm0-2.0.5-1.2mdk.ppc.rpm
 ppc/9.1/RPMS/libdm0-devel-2.0.5-1.2mdk.ppc.rpm
 ppc/9.1/RPMS/xfsdump-2.0.3-1.1mdk.ppc.rpm
 ppc/9.1/SRPMS/dmapi-2.0.5-1.2mdk.src.rpm
 ppc/9.1/SRPMS/xfsdump-2.0.3-1.1mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________

To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
FTP mirrors can be obtained from:

 http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

 rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team from:

 https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

 http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

 http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

 security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>

______________________________________________________________________

                Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name:           eog
Advisory ID:            MDKSA-2003:048
Date:                   April 16th, 2003
Affected versions:      9.0, 9.1, Corporate Server 2.1
______________________________________________________________________

Problem Description:

 A vulnerability was discovered in the Eye of GNOME (EOG) program,
 version 2.2.0 and earlier, that is used for displaying graphics. A
 carefully crafted filename passed to eog could lead to the execution
 of arbitrary code as the user executing eog.
______________________________________________________________________

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0165
______________________________________________________________________

Updated Packages:

 Corporate Server 2.1:
 corporate/2.1/RPMS/eog-1.0.2-1.1mdk.i586.rpm
 corporate/2.1/SRPMS/eog-1.0.2-1.1mdk.src.rpm

 Mandrake Linux 9.0:
 9.0/RPMS/eog-1.0.2-1.1mdk.i586.rpm
 9.0/SRPMS/eog-1.0.2-1.1mdk.src.rpm

 Mandrake Linux 9.1:
 9.1/RPMS/eog-2.2.0-1.1mdk.i586.rpm
 9.1/SRPMS/eog-2.2.0-1.1mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 ppc/9.1/RPMS/eog-2.2.0-1.1mdk.ppc.rpm
 ppc/9.1/SRPMS/eog-2.2.0-1.1mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________
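
The behaviour MDKSA-2003:047 describes for the new xfsdq '-f path' option (abort if the file already exists, otherwise create it with restrictive permissions) can be expressed with a single exclusive open. This is an added C example, not xfsdq's own code; the function names and the 0600 mode are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create `path` only if nothing occupies that name.
 * O_CREAT|O_EXCL makes the existence check and the creation one atomic step,
 * and fails with EEXIST even when the name is a symlink (dangling or not),
 * so a pre-planted link is never followed. Mode 0600 (an assumed choice)
 * keeps the new file owner-only. Returns an fd, or -1 with errno set. */
int create_new_private(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Write `data` to a freshly created file. Returns 0 on success, -1 on error;
 * an existing file or symlink is left untouched. */
int write_report(const char *path, const char *data)
{
    int fd = create_new_private(path);
    if (fd < 0)
        return -1;                      /* abort: errno is EEXIST if taken */
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (close(fd) != 0 || n != (ssize_t)len) {
        unlink(path);                   /* do not leave a partial file */
        return -1;
    }
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be examined. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s output-file\n", argv[0]); return 2; }
    if (write_report(argv[1], "constructed sample quota data\n") != 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("%s created with mode %04o\n", argv[1], (unsigned)mode_of(argv[1]));
    return 0;
}
```
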
Mandrake Linux Advisories: xfsdump, eog