Mandrake Linux Advisory: mgetty, man

______________________________________________________________________
                Mandrake Linux Security Update Advisory
______________________________________________________________________
Package name:           mgetty
Advisory ID:            MDKSA-2003:053
Date:                   May 6th, 2003
Affected versions:      8.2, 9.0, Corporate Server 2.1,
                        Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
 Two vulnerabilities were discovered in mgetty versions prior to 1.1.29.
 An internal buffer could be overflowed if the caller name reported by
 the modem, via Caller ID information, was too long.  As well, the
 faxspool script that comes with mgetty used a simple permissions scheme
 to allow or deny fax transmission privileges.  Because the spooling
 directory used for outgoing faxes was world-writeable, this scheme was
 easily circumvented.
______________________________________________________________________
References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1391
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1392
______________________________________________________________________
Updated Packages:
  
 Corporate Server 2.1:
 5e1ede90ae8b7a1d85ee4401457c9978  corporate/2.1/RPMS/mgetty-1.1.30-1.1mdk.i586.rpm
 1eee1e82acf1916394d0c2feb2f5c8ca  corporate/2.1/RPMS/mgetty-contrib-1.1.30-1.1mdk.i586.rpm
 e3584c7dc00fc6b1a035f4023863055b  corporate/2.1/RPMS/mgetty-sendfax-1.1.30-1.1mdk.i586.rpm
 f8a9d43f3026ab0bb6907b85935a8264  corporate/2.1/RPMS/mgetty-viewfax-1.1.30-1.1mdk.i586.rpm
 f348c6ca71a6db759524036db48d0478  corporate/2.1/RPMS/mgetty-voice-1.1.30-1.1mdk.i586.rpm
 5437feaca7e6119e52264e864865c8b2  corporate/2.1/SRPMS/mgetty-1.1.30-1.1mdk.src.rpm
 Mandrake Linux 8.2:
 330becd354c24f1f162a458d51136dde  8.2/RPMS/mgetty-1.1.30-1.1mdk.i586.rpm
 6e6a0b1de014ae355e0388c7bc16e552  8.2/RPMS/mgetty-contrib-1.1.30-1.1mdk.i586.rpm
 690d8229e630db08ffb618951a43753a  8.2/RPMS/mgetty-sendfax-1.1.30-1.1mdk.i586.rpm
 d7675aafd5b83feb50b66a7883b9986c  8.2/RPMS/mgetty-viewfax-1.1.30-1.1mdk.i586.rpm
 57de8b1c9976c50e8ed20850745515e8  8.2/RPMS/mgetty-voice-1.1.30-1.1mdk.i586.rpm
 5437feaca7e6119e52264e864865c8b2  8.2/SRPMS/mgetty-1.1.30-1.1mdk.src.rpm
 Mandrake Linux 8.2/PPC:
 76de414b985ba201c0ccf465370bf426  ppc/8.2/RPMS/mgetty-1.1.30-1.1mdk.ppc.rpm
 652f6653cf01b6a95e2254fb96fcec6c  ppc/8.2/RPMS/mgetty-contrib-1.1.30-1.1mdk.ppc.rpm
 7b81ccbc5d7c1f8c53a7db8ad0fc5163  ppc/8.2/RPMS/mgetty-sendfax-1.1.30-1.1mdk.ppc.rpm
 fbcf6dfba626046ccf48fcf6a20e0dc4  ppc/8.2/RPMS/mgetty-viewfax-1.1.30-1.1mdk.ppc.rpm
 76a969d0af7df4c32484fe47932029e6  ppc/8.2/RPMS/mgetty-voice-1.1.30-1.1mdk.ppc.rpm
 5437feaca7e6119e52264e864865c8b2  ppc/8.2/SRPMS/mgetty-1.1.30-1.1mdk.src.rpm
 Mandrake Linux 9.0:
 5e1ede90ae8b7a1d85ee4401457c9978  9.0/RPMS/mgetty-1.1.30-1.1mdk.i586.rpm
 1eee1e82acf1916394d0c2feb2f5c8ca  9.0/RPMS/mgetty-contrib-1.1.30-1.1mdk.i586.rpm
 e3584c7dc00fc6b1a035f4023863055b  9.0/RPMS/mgetty-sendfax-1.1.30-1.1mdk.i586.rpm
 f8a9d43f3026ab0bb6907b85935a8264  9.0/RPMS/mgetty-viewfax-1.1.30-1.1mdk.i586.rpm
 f348c6ca71a6db759524036db48d0478  9.0/RPMS/mgetty-voice-1.1.30-1.1mdk.i586.rpm
 5437feaca7e6119e52264e864865c8b2  9.0/SRPMS/mgetty-1.1.30-1.1mdk.src.rpm
 Multi Network Firewall 8.2:
 330becd354c24f1f162a458d51136dde  mnf8.2/RPMS/mgetty-1.1.30-1.1mdk.i586.rpm
 6e6a0b1de014ae355e0388c7bc16e552  mnf8.2/RPMS/mgetty-contrib-1.1.30-1.1mdk.i586.rpm
 5437feaca7e6119e52264e864865c8b2  mnf8.2/SRPMS/mgetty-1.1.30-1.1mdk.src.rpm
______________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________
To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig <filename>
All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:
  https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
  http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:
  http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
  security_linux-mandrake.com
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
______________________________________________________________________
                Mandrake Linux Security Update Advisory
______________________________________________________________________
Package name:           man
Advisory ID:            MDKSA-2003:054
Date:                   May 6th, 2003
Affected versions:      8.2, 9.0, 9.1, Corporate Server 2.1,
                        Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
 A difficult to exploit vulnerability was discovered in versions of man
 prior to 1.5l.  A bug exists in man that could cause a program named
 "unsafe" to be executed due to a malformed man file.  In order to
 exploit this bug, a local attacker would have to be able to get another
 user to read the malformed man file, and the attacker would also have
 to create a file called "unsafe" that would be located somewhere in the
 victim's path.
______________________________________________________________________
References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0124
  http://marc.theaimsgroup.com/?l=bugtraq&m=104740927915154&w=2
______________________________________________________________________
Updated Packages:
  
 Corporate Server 2.1:
 9084b56436327c9fc11c462cec78028b  corporate/2.1/RPMS/man-1.5k-2.1mdk.i586.rpm
 ed2d05a401cd4dac5f33a92a24349e48  corporate/2.1/SRPMS/man-1.5k-2.1mdk.src.rpm
 Mandrake Linux 8.2:
 f3c74c1407535520c36b7559ae7783eb  8.2/RPMS/man-1.5j-4.1mdk.i586.rpm
 29838905428ab9f75fe06882010a5357  8.2/SRPMS/man-1.5j-4.1mdk.src.rpm
 Mandrake Linux 8.2/PPC:
 d4defc9d7ef42312b82aab960120c6e6  ppc/8.2/RPMS/man-1.5j-4.1mdk.ppc.rpm
 29838905428ab9f75fe06882010a5357  ppc/8.2/SRPMS/man-1.5j-4.1mdk.src.rpm
 Mandrake Linux 9.0:
 9084b56436327c9fc11c462cec78028b  9.0/RPMS/man-1.5k-2.1mdk.i586.rpm
 ed2d05a401cd4dac5f33a92a24349e48  9.0/SRPMS/man-1.5k-2.1mdk.src.rpm
 Mandrake Linux 9.1:
 7ba3b8c8db57f51af6d22ed568c226e0  9.1/RPMS/man-1.5k-8.1mdk.i586.rpm
 961c191112d1c0c6059e97fd292d56e9  9.1/SRPMS/man-1.5k-8.1mdk.src.rpm
 Mandrake Linux 9.1/PPC:
 5c8df874431af0e945be6d7df3a6364e  ppc/9.1/RPMS/man-1.5k-8.1mdk.ppc.rpm
 961c191112d1c0c6059e97fd292d56e9  ppc/9.1/SRPMS/man-1.5k-8.1mdk.src.rpm
 Multi Network Firewall 8.2:
 f3c74c1407535520c36b7559ae7783eb  mnf8.2/RPMS/man-1.5j-4.1mdk.i586.rpm
 29838905428ab9f75fe06882010a5357  mnf8.2/SRPMS/man-1.5j-4.1mdk.src.rpm
______________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________
To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig <filename>
All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:
  https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
  http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:
  http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
  security_linux-mandrake.com
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>