[30159] in bugtraq
Immunix Secured OS 7+ fileutils update
daemon@ATHENA.MIT.EDU (Immunix Security Team)
Fri May 16 16:57:15 2003
Date: Fri, 16 May 2003 12:37:06 -0700
From: Immunix Security Team <security@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20030516193706.GC25089@wirex.com>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="IpbVkmxF4tDyP/Kb"
Content-Disposition: inline
--IpbVkmxF4tDyP/Kb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: fileutils
Affected products: Immunix OS 7.0, 7+
Bugs fixed: CAN-2002-0435
Date: Fri May 16 2003
Advisory ID: IMNX-2003-7+-010-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Wojciech Purczynski discovered filesystem race conditions in the GNU
fileutils suite, that allows for local root compromise if root renames
or removes group- or world-writable directory trees.
This release fixes this problem by comparing (dev, inode) pairs before
and after chdir("..") calls. If the pairs don't match, an error is
returned. Thanks to Jim Meyering for the patch.
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_im=
nx_1.i386.rpm
A source package for Immunix 7+ is available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_i=
mnx_1.src.rpm
Immunix OS 7+ md5sums:
14e6f08085ae88a6545d30c7428e30fd RPMS/fileutils-4.0x-3_imnx_1.i386.rpm
cb75eca0cd9832c317a89d2cf0871847 SRPMS/fileutils-4.0x-3_imnx_1.src.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--IpbVkmxF4tDyP/Kb
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj7FPeIACgkQVQcWL60UVMtJ4gCffk4PtGBAchKsjyPJz26Y2uMx
b7kAoJTZ8JjVaHjpMh2nYorlaG2NY9f6
=/nOF
-----END PGP SIGNATURE-----
--IpbVkmxF4tDyP/Kb--
