Security: File overwrite in wget
Name: File overwrite in wget
ID: TLSA-2005-76
Distribution: TurboLinux
Platforms: Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux 7 Server, Turbolinux 7 Workstation, Turbolinux 8 Server, Turbolinux 8 Workstation, Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal, Turbolinux Appliance Server 1.0 Hosting Edition, Turbolinux Appliance Server 1.0 Workgroup Edition
Date: Sat, 3 September 2005, 03:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2014
Applications: Wget

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-76
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 06 Jul 2005
Last revised: 03 Aug 2005

Package: wget

Summary: Symlink attack in wget

More information:
Wget is a file retrieval utility which can use either the HTTP or FTP
protocols.

A vulnerability in the manner in which wget handles temporary files
could allow local users to overwrite arbitrary files via a symlink attack.

Impact:
This vulnerability could allow attackers to overwrite arbitrary files
via a symbolic link attack.

Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal]

# turbopkg
or
# zabom -u wget

[other]
# turbopkg
or
# zabom update wget
---------------------------------------------


<Turbolinux Appliance Server 1.0 Hosting Edition>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  0d51aec5a055b7ef927a2a269cdbaae9
Binary  wget-1.10-1.i586.rpm  401104   ec716b69602d475cc88037068b27047f

<Turbolinux Appliance Server 1.0 Workgroup Edition>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  a0a5d37c826acc1bf0d5fc5021471ea0
Binary  wget-1.10-1.i586.rpm  401653   7a16d5f8b4449b9adb4fc44344db149e

<Turbolinux 10 Server>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  a2e2acf5d37d26cb8d20fb456ea8b2e6
Binary  wget-1.10-1.i586.rpm  404540   b55a7847d740e3ec700565bb729dfcbc

<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  6f84b0b6df89d0c7e7351e7e1cdf029f
Binary  wget-1.10-1.i586.rpm  404962   de60c95c538b3623d622200c93dc46db

<Turbolinux 8 Server>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  913495954c9c5004ebbe615ace9cae95
Binary  wget-1.10-1.i586.rpm  401524   4b1dd825eadcfd1acc9fc46e6caf258a

<Turbolinux 8 Workstation>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  45b2cbbcac7f2474409a80d21dcde102
Binary  wget-1.10-1.i586.rpm  401530   cde4ac044ef3f542c171fa2e203aab82

<Turbolinux 7 Server>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  42e357b46085ad9d6e9688a06ecbffb7
Binary  wget-1.10-1.i586.rpm  398818   3ef4bf1218307910b8cada6b909ce477

<Turbolinux 7 Workstation>

Type    Package               Size     MD5
Source  wget-1.10-1.src.rpm   1605173  924e2045adfe334db0cf64032a422b7e
Binary  wget-1.10-1.i586.rpm  398598   0b41a395a80f97d8e7749122b5fb52c8


References:

CVE
[CAN-2004-2014]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014

--------------------------------------------------------------------------
Revision History
06 Jul 2005 Initial release
03 Aug 2005 Added Turbolinux Multimedia, Turbolinux Personal to
"Affected Products"
--------------------------------------------------------------------------

Copyright(C) 2005 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC8G6VK0LzjOqIJMwRAm0LAJ9vNK6DqMf+mDioI60vTQ7np/dEyQCfWbXZ
YhKxI4x7SXRpMW96NzcGDL8=
=3aDj
-----END PGP SIGNATURE-----
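
The symlink overwrite class described in the advisory, as an added example (not code from wget, Turbolinux or Pro-Linux): a write to a predictable path through `fopen` follows a symbolic link already present at that path, while exclusive creation with `O_CREAT | O_EXCL` refuses it. The function names, file names and scratch directory are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe pattern: fopen("w") follows a symlink present at `path` and
 * truncates whatever file the link points to. */
int write_naive(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened pattern: O_EXCL fails if any name (even a dangling symlink)
 * already exists at `path`; O_NOFOLLOW is defence in depth. */
int write_exclusive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* EEXIST: name was pre-created */
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Constructed scenario in a private scratch directory: a symlink sits where
 * the program expects to create its output. Returns 1 if the link target
 * was overwritten by `writer`, 0 if it survived, -1 on setup failure. */
int target_clobbered(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[64], out[64], buf[32] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important.conf", dir);
    snprintf(out, sizeof out, "%s/download.tmp", dir);
    if (write_exclusive(target, "original") != 0 || symlink(target, out) != 0)
        return -1;
    writer(out, "downloaded data");      /* the operation under test */
    FILE *f = fopen(target, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(out); unlink(target); rmdir(dir);
    return strcmp(buf, "original") != 0;
}

int main(void) {
    printf("naive fopen:     target clobbered = %d\n", target_clobbered(write_naive));
    printf("O_EXCL creation: target clobbered = %d\n", target_clobbered(write_exclusive));
    return 0;
}
```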