___________________________________________________________________________ TurboLinux Security Announcement Vulnerable Packages: All versions prior to glibc-2.1.3-33 Date: 05/01/2001 5:00 PDT Affected TurboLinux versions:TL WorkStation Server 6.5, TL 6.1 WorkStation, All TurboLinux versions 6.0.5 and earlier TurboLinux Advisory ID#: TLSA2001009 Credits: Fixes made by Ulrich Drepper of Red Hat ___________________________________________________________________________ A security hole was discovered in the package mentioned above. Please update the packages in your installation as soon as possible. ___________________________________________________________________________ 1. Problem Summary(From the BugTraq advisory at securityfocus.com, id#1634) A format string vulnerability exists in the locale subsystem. The locale subsystem consists of databases that contain language and country spe- cific information. Whenever a program needs to display a message to a user, it accesses a database within the subsystem and retrieves the proper language-specific string using the original message as the search key. The string(s) retrieved by the program are displayed using printf(). It is possible for an attacker to control the output by building and installing a custom database. 2. Impact(Also from the BugTraq advisory on securityfocus.com) An attacker can execute arbitrary code as a user with elevated privileges(root) using almost any setuid program on the vulnerable system. In some operating systems, it is also possible to exploit the problem remotely using the environment variable passing off options to telnetd, but the attacker must first install his customized database onto the target host. 3. Solution ************** If you are using TurboLinux Server 6.5: ********************* Update the packages from our ftp server by running the following command for each package: rpm -Uvh ftp_path_to_filename Where ftp_path_to_filename is the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm ************** If you are using TurboLinux Workstation 6.1: *************** First, uninstall the package glibc-2.1.3-2jaJP using the command: rpm -e glibc-2.1.3-2jaJP Next, install the following packages by running the following command: rpm -Uvh ftp_path_to_filename Where ftp_path_to_filename is the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-locale-2.1.3-10.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm Finally, upgrade the package glibc-devel with the following command: rpm -Uvh --force ftp_path_to_filename Where ftp_path_to_filename is the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm ************** If you are using TurboLinux Server 6.0.5: ***************** Update the package glibc from our ftp server by running the following command: rpm -Uvh --force ftp_path_to_filename Where ftp_path_to_filename is the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm Next, update the packages glibc-devel and glibc-profile from our ftp server by running the following command: rpm -Uvh ftp_path_to_filename Where ftp_path_to_filename is the following: ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm ******************************************************************************* The source RPM can be downloaded here: ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.3-33.src.rpm **Note: You must rebuild and install the RPM if you choose to download and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE THE SECURITY HOLE. Please verify the MD5 checksums of the updates before you install: MD5 sum Package Name --------------------------------------------------------------------------- 985c3946d8b659ddc36c15428056be51 glibc-2.1.3-33.i386.rpm 115c757d2fd29d8ad6281e5bb96a08df glibc-locale-2.1.3-10.noarch.rpm 955fc79bddbf80918fe51810b2fd2045 glibc-devel-2.1.3-33.i386.rpm 61c21f8ce865de4ff319e162474bd4d5 glibc-profile-2.1.3-33.i386.rpm ada28c27fca1f259e1a4fee6686a5862 glibc-2.1.3-33.src.rpm ___________________________________________________________________________ These packages are GPG signed by Turbolinux for security. Our key is available here: http://www.turbolinux.com/security/tlgpgkey.asc To verify a package, use the following command: rpm --checksig name_of_rpm To examine only the md5sum, use the following command: rpm --checksig --nogpg name_of_rpm **Note: Checking GPG keys requires RPM 3.0 or higher. ___________________________________________________________________________ You can find more updates on our ftp server: ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation and Server security updates Our webpage for security announcements: http://www.turbolinux.com/security If you want to report vulnerabilities, please contact: security@turbolinux.com ___________________________________________________________________________ Subscribe to the TurboLinux Security Mailing lists: TL-security - A moderated list for discussing security issues TurboLinux products. Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security TL-security-announce - An announce-only mailing list for security updates and alerts. Subscribe at: http://www.turbolinux.com/mailman/listinfo/tl-security-announce