
    [guru] [marcdeslauriers@videotron.ca: [FLSA-2005:152848] Updated glibc packages fix security issues]


    DATE: Tue, 15 Nov 2005 11:11:57 +0100
    The Fedora Legacy project has released a fix for the glibc package. The
    flaws are unsafe temporary-file handling in a few scripts, and the fact
    that the LD_DEBUG and LD_SHOW_AUXV variables were honoured for setuid
    applications.
    
    
    ----- Forwarded message from Marc Deslauriers <marcdeslauriers@videotron.ca> -----
    
    Date: Sun, 13 Nov 2005 23:17:43 -0500
    From: Marc Deslauriers <marcdeslauriers@videotron.ca>
    Subject: [FLSA-2005:152848] Updated glibc packages fix security issues
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    
    ---------------------------------------------------------------------
                   Fedora Legacy Update Advisory
    
    Synopsis:          Updated glibc packages fix security issues
    Advisory ID:       FLSA:152848
    Issue date:        2005-11-13
    Product:           Red Hat Linux, Fedora Core
    Keywords:          Bugfix
    CVE Names:         CVE-2004-0968 CVE-2004-1382 CVE-2004-1453
    ---------------------------------------------------------------------
    
    
    ---------------------------------------------------------------------
    1. Topic:
    
    Updated glibc packages that address several bugs are now available.
    
    The GNU libc packages (known as glibc) contain the standard C libraries
    used by applications.
    
    2. Relevant releases/architectures:
    
    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386
    Fedora Core 2 - i386
    
    3. Problem description:
    
    Flaws in the catchsegv and glibcbug scripts were discovered. A local
    user could utilize these flaws to overwrite files via a symlink attack
    on temporary files. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the names CVE-2004-0968 and CVE-2004-1382
    to these issues.
    
    It was discovered that the use of LD_DEBUG and LD_SHOW_AUXV was not
    restricted for a setuid program. A local user could utilize this flaw to
    gain information, such as the list of symbols used by the program. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-1453 to this issue.
    
    Users of glibc are advised to upgrade to these erratum packages that
    remove the unnecessary glibcbug script and contain backported patches to
    correct these other issues.
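
The temporary-file handling behind the catchsegv and glibcbug flaws, as an added example that is not code from the advisory or from glibc: the mktemp-based pattern that closes the symlink race, a pre-write symlink check, and a small audit that flags the old predictable-name pattern in other scripts. The function names and the sample script text are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from glibc: the predictable
# temp-file pattern behind the catchsegv/glibcbug flaws, the mktemp-based
# replacement, and a small audit that flags the old pattern in other scripts.
# Function names and the sample script text below are constructed.

# Safe creation: mktemp opens a fresh, randomly named file with O_CREAT|O_EXCL
# and mode 0600, so a file or symlink planted at a guessed name is never reused.
make_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/catchsegv.XXXXXX"
}

# Defensive check before writing to a path chosen earlier: a symbolic link in
# a world-writable directory is exactly what the vulnerable scripts followed.
refuse_symlink() {
    if [ -L "$1" ]; then
        echo "refusing to write through symlink: $1" >&2
        return 1
    fi
    return 0
}

# Audit helper: count lines of a script that mention /tmp/ (or /var/tmp/)
# without going through mktemp. Fixed names and "$$" suffixes both show up.
count_unsafe_tmp_uses() {
    awk 'index($0, "/tmp/") && !index($0, "mktemp") { n++ } END { print n + 0 }' "$1"
}

# Constructed sample modelled on the pre-fix pattern (one unsafe, one safe use).
SAMPLE_SCRIPT='#!/bin/sh
OUT=/tmp/glibcbug.$$
echo "bug report" > $OUT
SAFE=$(mktemp /tmp/glibcbug.XXXXXX)
echo "bug report" > "$SAFE"
rm -f "$OUT" "$SAFE"'

# Write the constructed sample to a file so the audit can be run against it.
write_sample() {
    printf '%s\n' "$SAMPLE_SCRIPT" > "$1"
}
```

Source the file and run `count_unsafe_tmp_uses some-script.sh`; a non-zero count marks a script worth reviewing for the same class of race.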
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    To update all RPMs for your particular architecture, run:
    
    rpm -Fvh [filenames]
    
    where [filenames] is a list of the RPMs you wish to upgrade.  Only those
    RPMs which are currently installed will be updated.  Those RPMs which
    are not installed but included in the list will not be updated.  Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.
    
    Please note that this update is also available via yum and apt.  Many
    people find this an easier way to apply updates.  To use yum issue:
    
    yum update
    
    or to use apt:
    
    apt-get update; apt-get upgrade
    
    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system.  This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.
    
    5. Bug IDs fixed:
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152848
    
    6. RPMs required:
    
    Red Hat Linux 7.3:
    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.6.src.rpm
    
    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i686.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i686.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.6.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.6.i386.rpm
    
    Red Hat Linux 9:
    
    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/glibc-2.3.2-27.9.7.2.legacy.src.rpm
    
    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-common-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-debug-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-devel-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-profile-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-utils-2.3.2-27.9.7.2.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/nptl-devel-2.3.2-27.9.7.2.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/nscd-2.3.2-27.9.7.2.legacy.i386.rpm
    
    Fedora Core 1:
    
    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/glibc-2.3.2-101.4.2.legacy.src.rpm
    
    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i686.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-common-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-debug-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-devel-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-headers-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-profile-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-utils-2.3.2-101.4.2.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/nptl-devel-2.3.2-101.4.2.legacy.i686.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/nscd-2.3.2-101.4.2.legacy.i386.rpm
    
    Fedora Core 2:
    
    SRPM:
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/glibc-2.3.3-27.1.1.legacy.src.rpm
    
    i386:
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i686.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-common-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-devel-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-headers-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-profile-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-utils-2.3.3-27.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/nptl-devel-2.3.3-27.1.1.legacy.i686.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/nscd-2.3.3-27.1.1.legacy.i386.rpm
    
    7. Verification:
    
    SHA1 sum                                 Package Name
    ---------------------------------------------------------------------
    
    These packages are GPG signed by Fedora Legacy for security.  Our key is
    available from http://www.fedoralegacy.org/about/security.php
    
    You can verify each package with the following command:
    
        rpm --checksig -v <filename>
    
    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:
    
        sha1sum <filename>
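
Checking downloaded packages against the "SHA1 sum / Package Name" list of section 7 without comparing each sha1sum by hand, as an added example that is not part of the advisory: it reads the two-line layout (checksum on one line, repository-relative path on the next), skips the header, and looks files up by repository path or bare file name. The list and package files used in the comments and test are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: check local package files against a
# "SHA1 sum / Package Name" list in the two-line layout of section 7 (checksum
# on one line, repository-relative path on the next). Real checksums come from
# the advisory; the inputs used when testing this are constructed.

# True when the argument is exactly 40 lowercase hex digits (a SHA1 checksum).
is_sha1() {
    expr "x$1" : 'x[0-9a-f]\{40\}$' >/dev/null
}

# verify_list LISTFILE BASEDIR
# Walks the list, skipping the header and blank lines, and prints one
# "OK path", "FAIL path" or "MISSING path" line per entry. Files are looked up
# under BASEDIR first by their repository path, then by bare file name (the
# usual layout after downloading everything into one directory). Returns
# non-zero if any entry failed or was missing, so it can gate the rpm -Fvh step.
verify_list() {
    list=$1 base=$2 bad=0 expected=
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_sha1 "$line"; then
            expected=$line
            continue
        fi
        [ -n "$expected" ] || continue   # header text before the first checksum
        file="$base/$line"
        [ -f "$file" ] || file="$base/${line##*/}"
        if [ ! -f "$file" ]; then
            echo "MISSING $line"; bad=1
        elif [ "$(sha1sum "$file" | cut -d' ' -f1)" = "$expected" ]; then
            echo "OK $line"
        else
            echo "FAIL $line"; bad=1
        fi
        expected=
    done < "$list"
    return "$bad"
}
```

Paste the section 7 block into a file and run `verify_list sums.txt ./downloads && rpm -Fvh ./downloads/*.rpm`; this checks integrity only, while `rpm --checksig` above still covers the GPG signature.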
    
    8. References:
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0968
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1382
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1453
    
    9. Contact:
    
    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org
    
    ---------------------------------------------------------------------
    
    
    
    ----- End forwarded message -----
    
    
    
