OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   15-Jun-2005 15:40:28
  Branch: HEAD                             Handle: 2005061514402700

  Added files:
    openpkg-web/security    OpenPKG-SA-2005.011-shtool.txt

  Log:
    initial draft for GNU shtool mega advisory

  Summary:
    Revision    Changes     Path
    1.1         +126 -0     openpkg-web/security/OpenPKG-SA-2005.011-shtool.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.011-shtool.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.011-shtool.txt
  --- /dev/null 2005-06-15 15:40:23 +0200
  +++ OpenPKG-SA-2005.011-shtool.txt    2005-06-15 15:40:28 +0200
  @@ -0,0 +1,126 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2005.011                                          15-Jun-2005
  +________________________________________________________________________
  +
  +Package:             shtool
  +Vulnerability:       insecure temporary file handling
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:             Corrected Packages:
  +OpenPKG CURRENT      <= shtool-2.0.1-20050324       >= shtool-2.0.2-20050615 
  +                     <= openpkg-20050613-20050613   >= 
openpkg-20050615-20050615
  +                     <= al-0.9.1-20040207           >= al-0.9.1-20050615
  +                     <= as-gui-0.7.7-20040920       >= as-gui-0.7.7-20050615
  +                     <= cfg-0.9.9-20050218          >= cfg-0.9.9-20050615
  +                     <= ettercap-0.7.3-20050529     >= 
ettercap-0.7.3-20050615
  +                     <= ex-1.0.4-20050610           >= ex-1.0.4-20050615
  +                     <= flow2rrd-0.9.1-20041230     >= 
flow2rrd-0.9.1-20050615
  +                     <= fsl-1.6.0-20050308          >= fsl-1.6.0-20050615
  +                     <= getopt-20030307-20040207    >= 
getopt-20030307-20050615
  +                     <= iselect-1.3.0-20041008      >= iselect-1.3.0-20050615
  +                     <= jitterbug-1.6.2.3-20040203  >= 
jitterbug-1.6.2.3-20050615
  +                     <= l2-0.9.10-20050308          >= l2-0.9.10-20050615
  +                     <= libnetdude-0.7-20050506     >= 
libnetdude-0.7-20050615
  +                     <= libpcapnav-0.6-20050506     >= 
libpcapnav-0.6-20050615
  +                     <= libradius-20040920-20040920 >= 
libradius-20040920-20050615
  +                     <= lmtp2nntp-1.3.0-20041207    >= 
lmtp2nntp-1.3.0-20050615
  +                     <= lzo-2.00-20050530           >= lzo-2.00-20050615
  +                     <= lzop-1.01-20050530          >= lzop-1.01-20050615
  +                     <= mm-1.3.1-20041018           >= mm-1.3.1-20050615
  +                     <= netdude-0.4.6-20050506      >= netdude-0.4.6-20050615
  +                     <= newt-0.51.6.7-20050323      >= newt-0.51.6.7-20050615
  +                     <= nmap-3.81-20050207          >= nmap-3.81-20050615
  +                     <= openldap-2.2.27-20050611    >= 
openldap-2.2.27-20050615
  +                     <= openpkg-rc-0.7.3-20040207   >= 
openpkg-rc-0.7.3-20050615
  +                     <= petidomo-4.0b6-20050215     >= 
petidomo-4.0b6-20050615
  +                     <= php-4.3.11-20050407         >= php-4.3.11-20050615
  +                     <= php5-5.0.4-20050611         >= php5-5.0.4-20050615
  +                     <= pth-2.0.4-20050218          >= pth-2.0.4-20050615
  +                     <= sa-1.2.4-20050308           >= sa-1.2.4-20050615
  +                     <= shiela-1.1.5-20050112       >= shiela-1.1.5-20050615
  +                     <= sio-0.9.2-20050610          >= sio-0.9.2-20050615
  +                     <= snmpdx-0.2.10-20041018      >= snmpdx-0.2.10-20050615
  +                     <= str-0.9.10-20050124         >= str-0.9.10-20050615
  +                     <= svs-1.0.2-20050206          >= svs-1.0.2-20050615
  +                     <= uuid-1.2.0-20050407         >= uuid-1.2.0-20050615
  +                     <= val-0.9.3-20050610          >= val-0.9.3-20050615
  +                     <= var-1.1.2-20041031          >= var-1.1.2-20050615
  +                     <= wml-2.0.9-20050613          >= wml-2.0.9-20050615
  +                     <= xds-0.9.2-20050603          >= xds-0.9.2-20050615
  +OpenPKG 2.2          <= shtool-2.0.1-2.3.0          >= shtool-2.0.1-2.3.1    
  +                     <= openpkg-2.3.2-2.3.2         >= openpkg-2.3.3-2.3.3
  +                     FIXME
  +OpenPKG 2.1          <= shtool-2.0.1-2.2.0          >= shtool-2.0.1-2.2.1    
  +                     <= openpkg-2.2.3-2.2.3         >= openpkg-2.2.4-2.2.4
  +                     FIXME
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT      ...
  +OpenPKG 2.2          ...
  +OpenPKG 2.1          ...
  +
  +Description:
  +  Eric Romang has discovered [1] that GNU shtool [0] insecurely creates
  +  temporary files with predictable filenames, potentially allowing a
  +  local user to overwrite arbitrary files with a "symlink" attack. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2005-1751 [2] to the problem. On closer inspection, the Gentoo
  +  Security team discovered that the GNU shtool temporary file, once
  +  created, was being reused insecurely, too. The Common Vulnerabilities
  +  and Exposures (CVE) project assigned the id CAN-2005-1759 [3] to the
  +  problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/openpkg
  +  rpm -q shtool". If you have the "shtool" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution) and its dependent packages (see above), if
  +  any, too [4][5].
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.3/UPD
  +  ftp> get shtool-2.0.2-2.3.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/openpkg rpm -v --checksig shtool-1.2.3-2.2.1.src.rpm
  +  $ <prefix>/bin/openpkg rpm --rebuild shtool-1.2.3-2.2.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/shtool-1.2.3-2.2.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too [4][5].
  +________________________________________________________________________
  +
  +References:
  +  [0]  http://www.gnu.org/software/shtool/
  +  [1]  http://www.zataz.net/adviso/shtool-05252005.txt
  +  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
  +  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1759
  +  [4]  http://www.openpkg.org/tutorial.html#regular-source
  +  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  +  [6]  ftp://ftp.openpkg.org/release/2.2/UPD/shtool-1.2.3-2.2.1.src.rpm
  +  [7]  ftp://ftp.openpkg.org/release/2.1/UPD/shtool-1.2.2-2.1.1.src.rpm
  +  [8]  ftp://ftp.openpkg.org/release/2.2/UPD/
  +  [9]  ftp://ftp.openpkg.org/release/2.1/UPD/
  +  [10] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
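Review bot: the Solution block and the References disagree with the release table on which package to fetch, verify and install: the ftp transcript gets `shtool-2.0.2-2.3.1.src.rpm` from `release/2.3/UPD`, but the following `--checksig`, `--rebuild` and `-Fvh` commands operate on `shtool-1.2.3-2.2.1`, and references [6] and [7] point at `shtool-1.2.3-2.2.1.src.rpm` and `shtool-1.2.2-2.1.1.src.rpm`, none of which appear in the Affected/Corrected table (which lists shtool-2.0.1-2.3.1 and shtool-2.0.1-2.2.1 as corrected packages); one set of filenames should be made authoritative and the others changed to match. The release labels in that table also look shifted by one: the row labelled "OpenPKG 2.2" carries 2.3.x release tags and the row labelled "OpenPKG 2.1" carries 2.2.x tags, while the Solution text calls OpenPKG 2.3 the most recent release. In the Solution text, "build a corresponding binary RPM from it [3]" cites the CAN-2005-1759 CVE entry where the tutorial reference [4] (regular-source) is evidently meant. Finally, the two "FIXME" rows under OpenPKG 2.2 and 2.1 and the "..." entries in the Dependent Packages table are unfilled placeholders that need real data, or the rows removed, before the advisory is published and signed.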
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
