drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Pufferüberlauf in glibc
Name: |
Pufferüberlauf in glibc
|
|
ID: |
TLSA2001009 |
|
Distribution: |
TurboLinux |
|
Plattformen: |
Keine Angabe |
|
Datum: |
Fr, 4. Mai 2001, 13:00 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
GNU C library |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
---------------------------------------------------------------------------
Turbolinux Security Announcement
Vulnerable Packages: All versions prior to glibc-2.1.3-33 Date: 05/01/2001 5:00 PDT
Affected Turbolinux versions:TL WorkStation Server 6.5, TL 6.1 WorkStation, All Turbolinux versions 6.0.5 and earlier
Turbolinux Advisory ID#: TLSA2001009
Credits: Fixes made by Ulrich Drepper of Red Hat
___________________________________________________________________________
A security hole was discovered in the package mentioned above. Please update the packages in your installation as soon as possible. ___________________________________________________________________________
1. Problem Summary(From the BugTraq advisory at securityfocus.com,id#1634)
A format string vulnerability exists in the locale subsystem. The locale subsystem consists of databases that contain language and country specific information. Whenever a program needs to display a message to a user, it accesses a database within the subsystem and retrieves the proper language-specific string using the original message as the search key. The string(s) retrieved by the program are displayed using printf(). It is possible for an attacker to control the output by building and installing a custom database.
2. Impact(Also from the BugTraq advisory on securityfocus.com)
An attacker can execute arbitrary code as a user with elevated privileges(root) using almost any setuid program on the vulnerable system.
In some operating systems, it is also possible to exploit the problem remotely using the environment variable passing off options to telnetd, but the attacker must first install his customized database onto the target host.
3. Solution
************** If you are using Turbolinux Server 6.5: ********************* Update the packages from our ftp server by running the following command for each package:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm glibc-profile-2.1.3-33.i386.rpm
************** If you are using Turbolinux Workstation 6.1: ***************
First, uninstall the package glibc-2.1.3-2jaJP using the command:
rpm -e glibc-2.1.3-2jaJP
Next, install the following packages by running the following command:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm glibc-locale-2.1.3-10.i386.rpm glibc-profile-2.1.3-33.i386.rpm
Finally, upgrade the package glibc-devel with the following command:
rpm -Uvh --force ftp_path_to_filename
Where ftp_path_to_filename is the following:
glibc-devel-2.1.3-33.i386.rpm
************** If you are using Turbolinux Server6.0.5: ******************
Update the package glibc from our ftp server by running the following command:
rpm -Uvh --force ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm
Next, update the packages glibc-devel and glibc-profile from our ftp server by running the following command:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm glibc-profile-2.1.3-33.i386.rpm
*******************************************************************************
The source RPM can be downloaded here:
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.3-33.src.rpm
**Note: You must rebuild and install the RPM if you choose to download and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE THE SECURITY HOLE.
Please verify the MD5 checksums of the updates before you install:
MD5 sum Package Name --------------------------------------------------------------------------- 985c3946d8b659ddc36c15428056be51 glibc-2.1.3-33.i386.rpm 115c757d2fd29d8ad6281e5bb96a08df glibc-locale-2.1.3-10.noarch.rpm 955fc79bddbf80918fe51810b2fd2045 glibc-devel-2.1.3-33.i386.rpm 61c21f8ce865de4ff319e162474bd4d5 glibc-profile-2.1.3-33.i386.rpm ada28c27fca1f259e1a4fee6686a5862 glibc-2.1.3-33.src.rpm ___________________________________________________________________________
These packages are GPG signed by Turbolinux for security. Our key is available here:
http://www.turbolinux.com/security/tlgpgkey.asc
To verify a package, use the following command:
rpm --checksig name_of_rpm
To examine only the md5sum, use the following command:
rpm --checksig --nogpg name_of_rpm
**Note: Checking GPG keys requires RPM 3.0 or higher.
___________________________________________________________________________
You can find more updates on our ftp server:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/
for TL6.0 Workstation and Server security updates Our webpage for security announcements:
http://www.turbolinux.com/security
If you want to report vulnerabilities, please contact:
security@turbolinux.com ___________________________________________________________________________
Subscribe to the Turbolinux Security Mailing lists:
TL-security - A moderated list for discussing security issues Turbolinux products.
Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
TL-security-announce - An announce-only mailing list for security updates and alerts. Subscribe at:
http://www.turbolinux.com/mailman/listinfo/tl-security-announce -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: pgpenvelope 2.10.0 - http://pgpenvelope.sourceforge.net/
iD8DBQE68gfMcpw52/ZatwoRApDbAJ4hUat6yQekSRLW1CSxY3UKZAkNJwCdFmjR DC6Zs0vlRLHuiQiP/nU+gpw= =H78/ -----END PGP SIGNATURE-----
_______________________________________________ TL-Security-Announce mailing list TL-Security-Announce@www.turbolinux.com http://www.turbolinux.com/mailman/listinfo/tl-security-announce
|
|
|
|