From tsl@trustix.com Thu Aug 8 03:18:40 2002
From: Trustix Secure Linux Advisor
To: bugtraq@securityfocus.com
Date: Tue, 30 Jul 2002 15:07:56 +0200
Subject: TSLSA-2002-0064 - util-linux

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0064

Package name:      util-linux
Summary:           local problem
Date:              2002-07-30
Affected versions: TSL 1.1, 1.2, 1.5
--------------------------------------------------------------------------

Problem description:
The chfn feature of the util-linux package shipped with all versions of TSL suffers from a locally exploitable file locking problem. With some interference from the system administrator an attacker could gain escalated privileges.

As a result of upgrading the somewhat old TSL 1.1 release, the bash packages for TSL 1.1 are also updated.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0638 to this issue.

Action:
We recommend that all systems with this package installed are upgraded.

Location:
All TSL updates are available from

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Get SWUP from:

Public testing:
These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailing list.
The testing tree is located at

Questions?
Check out our mailing lists:

Verification:
This advisory along with all TSL packages is signed with the TSL sign key.
This key is available from:

The advisory itself is available from the errata pages at and or directly at

MD5sums of the packages:

Trustix Security Team