From security@mandriva.com Fri Oct 21 03:00:35 2005
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Fri, 21 Oct 2005 00:20:59 -0600
Subject: [Full-disclosure] MDKSA-2005:188 - Updated graphviz packages fix temporary file vulnerability.

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           graphviz
 Advisory ID:            MDKSA-2005:188
 Date:                   October 20th, 2005

 Affected versions:      10.2, 2006.0
 ______________________________________________________________________

 Problem Description:

 Javier Fernández-Sanguino Peña discovered insecure temporary file
 creation in graphviz, a rich set of graph drawing tools, that can be
 exploited to overwrite arbitrary files by a local attacker.

 The updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2965
 ______________________________________________________________________

 Updated Packages:

 Mandrivalinux 10.2:
 10.2/RPMS/graphviz-2.2-3.1.102mdk.i586.rpm
 10.2/RPMS/libgraphviz7-2.2-3.1.102mdk.i586.rpm
 10.2/RPMS/libgraphviz7-devel-2.2-3.1.102mdk.i586.rpm
 10.2/RPMS/libgraphviztcl7-2.2-3.1.102mdk.i586.rpm
 10.2/RPMS/libgraphviztcl7-devel-2.2-3.1.102mdk.i586.rpm
 10.2/SRPMS/graphviz-2.2-3.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 x86_64/10.2/RPMS/graphviz-2.2-3.1.102mdk.x86_64.rpm
 x86_64/10.2/RPMS/lib64graphviz7-2.2-3.1.102mdk.x86_64.rpm
 x86_64/10.2/RPMS/lib64graphviz7-devel-2.2-3.1.102mdk.x86_64.rpm
 x86_64/10.2/RPMS/lib64graphviztcl7-2.2-3.1.102mdk.x86_64.rpm
 x86_64/10.2/RPMS/lib64graphviztcl7-devel-2.2-3.1.102mdk.x86_64.rpm
 x86_64/10.2/SRPMS/graphviz-2.2-3.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 2006.0/RPMS/graphviz-2.2.1-3.1.20060mdk.i586.rpm
 2006.0/RPMS/libgraphviz7-2.2.1-3.1.20060mdk.i586.rpm
 2006.0/RPMS/libgraphviz7-devel-2.2.1-3.1.20060mdk.i586.rpm
 2006.0/RPMS/libgraphviztcl7-2.2.1-3.1.20060mdk.i586.rpm
 2006.0/RPMS/libgraphviztcl7-devel-2.2.1-3.1.20060mdk.i586.rpm
 2006.0/SRPMS/graphviz-2.2.1-3.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 x86_64/2006.0/RPMS/graphviz-2.2.1-3.1.20060mdk.x86_64.rpm
 x86_64/2006.0/RPMS/lib64graphviz7-2.2.1-3.1.20060mdk.x86_64.rpm
 x86_64/2006.0/RPMS/lib64graphviz7-devel-2.2.1-3.1.20060mdk.x86_64.rpm
 x86_64/2006.0/RPMS/lib64graphviztcl7-2.2.1-3.1.20060mdk.x86_64.rpm
 x86_64/2006.0/RPMS/lib64graphviztcl7-devel-2.2.1-3.1.20060mdk.x86_64.rpm
 x86_64/2006.0/SRPMS/graphviz-2.2.1-3.1.20060mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
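
The bug class named in the Problem Description, as an added example (not graphviz's code or Mandriva's patch; the advisory does not name the affected file or function): a write to a predictable temporary path follows a symlink already present at that name, while `mkstemp()` never reuses an existing name. The names `out.tmp`, `keep.dat` and the scratch directory are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fixed name; fopen("w") follows a symlink that already
 * sits at that name and truncates the file it points to. */
static int write_predictable(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened pattern: mkstemp() picks a random name and creates the file with
 * O_EXCL and mode 0600, so an existing file or symlink is never reused. */
static int write_mkstemp(const char *dir, const char *data) {
    char tmpl[256];
    snprintf(tmpl, sizeof tmpl, "%s/gvXXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    unlink(tmpl);                 /* scratch file: remove when done */
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static long file_size(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory standing in for /tmp.
 * Returns bit 0 if the predictable write changed keep.dat, bit 1 if mkstemp did. */
int run_demo(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", keep[64], fixed[64];
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(keep, sizeof keep, "%s/keep.dat", dir);
    snprintf(fixed, sizeof fixed, "%s/out.tmp", dir);
    write_predictable(keep, "important data");        /* 14 bytes */
    if (symlink(keep, fixed) != 0) return -1;         /* name already taken */
    if (write_mkstemp(dir, "x") != 0 || file_size(keep) != 14) result |= 2;
    write_predictable(fixed, "x");                    /* follows the link */
    if (file_size(keep) != 14) result |= 1;
    unlink(fixed); unlink(keep); rmdir(dir);
    return result;
}
```

`run_demo()` returns 1: only the predictable-name write altered the protected file.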