OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 15-Jun-2005 15:40:28 Branch: HEAD Handle: 2005061514402700 Added files: openpkg-web/security OpenPKG-SA-2005.011-shtool.txt Log: initial draft for GNU shtool mega advisory Summary: Revision Changes Path 1.1 +126 -0 openpkg-web/security/OpenPKG-SA-2005.011-shtool.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.011-shtool.txt ============================================================================ $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.011-shtool.txt --- /dev/null 2005-06-15 15:40:23 +0200 +++ OpenPKG-SA-2005.011-shtool.txt 2005-06-15 15:40:28 +0200 
@@ -0,0 +1,126 @@ +________________________________________________________________________ + +OpenPKG Security Advisory The OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.011 15-Jun-2005 +________________________________________________________________________ + +Package: shtool +Vulnerability: insecure temporary file handling +OpenPKG Specific: no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= shtool-2.0.1-20050324 >= shtool-2.0.2-20050615 + <= openpkg-20050613-20050613 >= openpkg-20050615-20050615 + <= al-0.9.1-20040207 >= al-0.9.1-20050615 + <= as-gui-0.7.7-20040920 >= as-gui-0.7.7-20050615 + <= cfg-0.9.9-20050218 >= cfg-0.9.9-20050615 + <= ettercap-0.7.3-20050529 >= ettercap-0.7.3-20050615 + <= ex-1.0.4-20050610 >= ex-1.0.4-20050615 + <= flow2rrd-0.9.1-20041230 >= flow2rrd-0.9.1-20050615 + <= fsl-1.6.0-20050308 >= fsl-1.6.0-20050615 + <= getopt-20030307-20040207 >= getopt-20030307-20050615 + <= iselect-1.3.0-20041008 >= iselect-1.3.0-20050615 + <= jitterbug-1.6.2.3-20040203 >= jitterbug-1.6.2.3-20050615 + <= l2-0.9.10-20050308 >= l2-0.9.10-20050615 + <= libnetdude-0.7-20050506 >= libnetdude-0.7-20050615 + <= libpcapnav-0.6-20050506 >= libpcapnav-0.6-20050615 + <= libradius-20040920-20040920 >= libradius-20040920-20050615 + <= lmtp2nntp-1.3.0-20041207 >= lmtp2nntp-1.3.0-20050615 + <= lzo-2.00-20050530 >= lzo-2.00-20050615 + <= lzop-1.01-20050530 >= lzop-1.01-20050615 + <= mm-1.3.1-20041018 >= mm-1.3.1-20050615 + <= netdude-0.4.6-20050506 >= netdude-0.4.6-20050615 + <= newt-0.51.6.7-20050323 >= newt-0.51.6.7-20050615 + <= nmap-3.81-20050207 >= nmap-3.81-20050615 + <= openldap-2.2.27-20050611 >= openldap-2.2.27-20050615 + <= openpkg-rc-0.7.3-20040207 >= openpkg-rc-0.7.3-20050615 + <= petidomo-4.0b6-20050215 >= petidomo-4.0b6-20050615 + <= php-4.3.11-20050407 >= php-4.3.11-20050615 + <= php5-5.0.4-20050611 >= php5-5.0.4-20050615 + <= 
pth-2.0.4-20050218 >= pth-2.0.4-20050615 + <= sa-1.2.4-20050308 >= sa-1.2.4-20050615 + <= shiela-1.1.5-20050112 >= shiela-1.1.5-20050615 + <= sio-0.9.2-20050610 >= sio-0.9.2-20050615 + <= snmpdx-0.2.10-20041018 >= snmpdx-0.2.10-20050615 + <= str-0.9.10-20050124 >= str-0.9.10-20050615 + <= svs-1.0.2-20050206 >= svs-1.0.2-20050615 + <= uuid-1.2.0-20050407 >= uuid-1.2.0-20050615 + <= val-0.9.3-20050610 >= val-0.9.3-20050615 + <= var-1.1.2-20041031 >= var-1.1.2-20050615 + <= wml-2.0.9-20050613 >= wml-2.0.9-20050615 + <= xds-0.9.2-20050603 >= xds-0.9.2-20050615 +OpenPKG 2.2 <= shtool-2.0.1-2.3.0 >= shtool-2.0.1-2.3.1 + <= openpkg-2.3.2-2.3.2 >= openpkg-2.3.3-2.3.3 + FIXME +OpenPKG 2.1 <= shtool-2.0.1-2.2.0 >= shtool-2.0.1-2.2.1 + <= openpkg-2.2.3-2.2.3 >= openpkg-2.2.4-2.2.4 + FIXME + +Affected Releases: Dependent Packages: +OpenPKG CURRENT ... +OpenPKG 2.2 ... +OpenPKG 2.1 ... + +Description: + Eric Romang has discovered [1] that GNU shtool [0] insecurely creates + temporary files with predictable filenames, potentially allowing a + local user to overwrite arbitrary files with a "symlink" attack. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2005-1751 [2] to the problem. On closer inspection, the Gentoo + Security team discovered that the GNU shtool temporary file, once + created, was being reused insecurely, too. The Common Vulnerabilities + and Exposures (CVE) project assigned the id CAN-2005-1759 [3] to the + problem. + + Please check whether you are affected by running "<prefix>/bin/openpkg + rpm -q shtool". If you have the "shtool" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution) and its dependent packages (see above), if + any, too [4][5]. 
+ +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror + location, verify its integrity [10], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the + binary RPM [5]. For the most recent release OpenPKG 2.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.3/UPD + ftp> get shtool-2.0.2-2.3.1.src.rpm + ftp> bye + $ <prefix>/bin/openpkg rpm -v --checksig shtool-1.2.3-2.2.1.src.rpm + $ <prefix>/bin/openpkg rpm --rebuild shtool-1.2.3-2.2.1.src.rpm + $ su - + # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/shtool-1.2.3-2.2.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too [4][5]. +________________________________________________________________________ + +References: + [0] http://www.gnu.org/software/shtool/ + [1] http://www.zataz.net/adviso/shtool-05252005.txt + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751 + [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1759 + [4] http://www.openpkg.org/tutorial.html#regular-source + [5] http://www.openpkg.org/tutorial.html#regular-binary + [6] ftp://ftp.openpkg.org/release/2.2/UPD/shtool-1.2.3-2.2.1.src.rpm + [7] ftp://ftp.openpkg.org/release/2.1/UPD/shtool-1.2.2-2.1.1.src.rpm + [8] ftp://ftp.openpkg.org/release/2.2/UPD/ + [9] ftp://ftp.openpkg.org/release/2.1/UPD/ + [10] http://www.openpkg.org/security.html#signature +________________________________________________________________________ + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. 
Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. +________________________________________________________________________ + @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
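Review bot: the Solution block in this hunk fetches shtool-2.0.2-2.3.1.src.rpm but then runs --checksig, --rebuild and -Fvh against shtool-1.2.3-2.2.1, so the commands cannot be followed verbatim; one file name should be used in all four commands, and it should match the Corrected Packages table above it (the table lists shtool-2.0.1-2.3.1 under the "OpenPKG 2.2" row and shtool-2.0.1-2.2.1 under "OpenPKG 2.1", while the text calls 2.3 the most recent release, so the release labels in the table need reconciling as well). References [6] and [7] likewise point at shtool-1.2.3-2.2.1 and shtool-1.2.2-2.1.1, which match neither the table nor the commands, and the Solution text cites "[3]" for building a binary RPM where [3] is the CAN-2005-1759 link and [4] is the source-build tutorial. The "FIXME" rows and the "..." entries under Dependent Packages should also be filled in before the draft is published, since the advisory tells readers to upgrade those dependent packages.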