Date: Fri, 25 May 2001 14:07:02 -0700 (PDT)
From: TurboLinux Security Team <security@www1.turbolinux.com>
Subject: [TL-Security-Announce] TLSA2001024 pmake-2.1.35beta-2

___________________________________________________________________________________________

                        Turbolinux Security Announcement

    Package:                       pmake
    Vulnerable Packages:           All Turbolinux versions previous to 2.1.35beta-2
    Date:                          05/24/2001 5:00 PDT

    Affected Turbolinux platforms: TL 6.1 Workstation,
                                   All Turbolinux versions 6.0.5 and earlier

    Turbolinux Advisory ID#:       TLSA2001024
___________________________________________________________________________________________

A security hole has been discovered in the package pmake. Please update the
packages in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary

   In the Turbolinux platforms referenced above, the pmake binary is
   installed setuid root.

2. Impact

   A local user could run pmake with root privileges. This could allow an
   attacker to exploit vulnerabilities in other programs that pmake uses.

3. Solution

   Update the packages from our ftp server by running the following command:

      rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

      ftp://ftp.turbolinux.com/pub/updates/6.0/security/pmake-2.1.35beta-2.i386.rpm
      ftp://ftp.turbolinux.com/pub/updates/6.0/security/pmake-customs-2.1.35beta-2.i386.rpm

   The source RPM can be downloaded here:

      ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/pmake-2.1.35beta-2.src.rpm

   **Note: You must rebuild and install the RPM if you choose to download
   and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
   THE SECURITY HOLE.

************************************IMPORTANT******************************************

   In order for pmake to run properly, be sure to do the following:

   - Open up a terminal prompt and log in as "root".
   - Go to /usr/lib/rpm and open the file called "macros".
   - Look for the directive called "%_mandir". Its current setting is:

        %{_prefix}/man

     Change it so that it reads:

        %{_prefix}/share/man

*****************************************************************************************

Please verify the MD5 checksums of the updates before you install:

   MD5 sum                             Package Name
___________________________________________________________________________________________

   06872bdb7868177cdf04169814a25f02    pmake-2.1.35beta-2.i386.rpm
   c583682c3f2b3bd3d7854580b0e758e5    pmake-customs-2.1.35beta-2.i386.rpm
   4cc72823376566879442057beb25cb33    pmake-2.1.35beta-2.src.rpm
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key is
available here:

   http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

   rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

   md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

___________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/
   for TL6.x Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com

___________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

   TL-security - A moderated list for discussing security issues in
   Turbolinux products.
   Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

   TL-security-announce - An announce-only mailing list for security
   updates and alerts.
   Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce
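
The two checks this advisory calls for, as an added example that is not part of the Turbolinux advisory: comparing downloaded packages against the MD5 table above, and confirming whether the installed pmake is still setuid root as described in section 1. The function names are this example's own; the checksums and package names are the ones listed in the advisory.

```shell
#!/bin/sh
# Added example, not Turbolinux code. Function names are this example's own.

# Checksum table copied from the advisory: "<md5>  <package file>".
ADVISORY_SUMS='06872bdb7868177cdf04169814a25f02  pmake-2.1.35beta-2.i386.rpm
c583682c3f2b3bd3d7854580b0e758e5  pmake-customs-2.1.35beta-2.i386.rpm
4cc72823376566879442057beb25cb33  pmake-2.1.35beta-2.src.rpm'

# md5_matches EXPECTED FILE: succeed only if FILE hashes to EXPECTED.
md5_matches() {
    [ -f "$2" ] || return 2
    actual=$(md5sum "$2" | awk '{print $1}')
    [ "$actual" = "$1" ]
}

# verify_downloads DIR: check every advisory package that is present in DIR.
# Returns non-zero if any present package has the wrong checksum.
verify_downloads() {
    rc=0
    while read -r sum name; do
        [ -f "$1/$name" ] || { echo "SKIP  $name (not downloaded)"; continue; }
        if md5_matches "$sum" "$1/$name"; then
            echo "OK    $name"
        else
            echo "FAIL  $name"; rc=1
        fi
    done <<EOF
$ADVISORY_SUMS
EOF
    return $rc
}

# setuid_owner FILE: print the owner's uid if FILE has the setuid bit set,
# fail otherwise. Owner uid 0 is the condition the advisory describes.
setuid_owner() {
    [ -u "$1" ] || return 1
    ls -lnL "$1" | awk '{print $3}'
}

# audit_pmake: report on whichever pmake is found in PATH.
audit_pmake() {
    bin=$(command -v pmake) || { echo "pmake not installed"; return 0; }
    if [ "$(setuid_owner "$bin")" = "0" ]; then
        echo "VULNERABLE: $bin is setuid root"; return 1
    fi
    echo "OK: $bin is not setuid root"
}
```

Run `verify_downloads .` in the download directory before `rpm -Uvh`, and `audit_pmake` before and after the update. A matching MD5 only shows that the file agrees with the table; `rpm --checksig` against the Turbolinux key remains the authenticity check.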