[ Thanks to SOT Security Team for these advisories. ]
SOT Linux Security Advisory
Subject: Updated gdm2 package for SOT Linux 2003
Advisory ID: SLSA-2003:37
Date: Tuesday, August 26, 2003
Product: SOT Linux 2003
1. Problem description
GDM is the GNOME Display Manager for X.
Versions of GDM prior to 2.4.1.6 contain a bug where GDM runs as root
when examining the ~/.xsession-errors file through the “examine session
errors” feature, allowing local users to read any text file on the
system by creating a symlink. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has assigned the name CAN-2003-0547 to this
issue.
Also addressed by these erratum packages are two problems in the
X Display Manager Control Protocol (XDMCP) which allow a denial of
service (DoS) attack by crashing the gdm daemon. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned
the names CAN-2003-0548 and CAN-2003-0549 to these issues.
Users of GDM are advised to upgrade to these erratum
packages.
2. Updated packages
SOT Linux 2003 Desktop:
i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/gdm2-2.4.1.3-2.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/gdm2-2.4.1.3-2.src.rpm
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/gdm2-2.4.1.3-2.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/gdm2-2.4.1.3-2.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
Use up2date to automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated package
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the package with the following command: rpm -Uvh <filename>
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package with the following command: rpm --checksig <filename>
If you wish to verify the integrity of the downloaded package,
run “md5sum <filename>” and compare the output with data
given below.
Package Name                              MD5 sum
/Desktop/i386/gdm2-2.4.1.3-2.i386.rpm     8c84f306490f3781821ec08d45bd84f3
/Desktop/SRPMS/gdm2-2.4.1.3-2.src.rpm     3c8f5b2c67554648a4c8a2c781c50afc
/Server/i386/gdm2-2.4.1.3-2.i386.rpm      8c84f306490f3781821ec08d45bd84f3
/Server/SRPMS/gdm2-2.4.1.3-2.src.rpm      3c8f5b2c67554648a4c8a2c781c50afc
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0549
Copyright(c) 2001-2003 SOT
SOT Linux Security Advisory
Subject: Updated perl package for SOT Linux 2003
Advisory ID: SLSA-2003:39
Date: Wednesday, August 27, 2003
Product: SOT Linux 2003
1. Problem description
Perl is a high-level interpreted programming language well known
for its flexibility and ability to work with text streams.
[email protected]
reported a cross-site scripting vulnerability in the CGI.pm Perl
module. This module is used to facilitate the creation of web forms
and is part of the perl-modules RPM package.
It is recommended that all users of the CGI.pm module upgrade
their packages.
2. Updated packages
SOT Linux 2003 Desktop:
i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/perl-5.8.0-3.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/perl-5.8.0-3.src.rpm
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/perl-5.8.0-3.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/perl-5.8.0-3.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
Use up2date to automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated package
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the package with the following command: rpm -Uvh <filename>
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package with the following command: rpm --checksig <filename>
If you wish to verify the integrity of the downloaded package,
run “md5sum <filename>” and compare the output with data
given below.
Package Name                              MD5 sum
/Desktop/i386/perl-5.8.0-3.i386.rpm       b6dcb1281ed82092fa5ad416ceee92e6
/Desktop/SRPMS/perl-5.8.0-3.src.rpm       fbb3d13a704067d50571236a2c151f03
/Server/i386/perl-5.8.0-3.i386.rpm        b6dcb1281ed82092fa5ad416ceee92e6
/Server/SRPMS/perl-5.8.0-3.src.rpm        fbb3d13a704067d50571236a2c151f03
5. References
http://eyeonsecurity.org/advisories/CGI.pm/adv.html
Copyright(c) 2001-2003 SOT