Insecure use of /tmp in python
ID: | MDKSA-2002:082-1 |
Distribution: | Mandrake |
Platforms: | Mandrake 9.0 |
Date: | Tue, 10 December 2002, 12:00 |
References: | Not specified |
Applications: | Python |
Original message |
________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           python
Advisory ID:            MDKSA-2002:082-1
Date:                   December 9th, 2002
Original Advisory Date: November 25th, 2002
Affected versions:      9.0
________________________________________________________________________

Problem Description:

 A vulnerability was discovered in python by Zack Weinberg in the way
 that the execvpe() method from the os.py module uses a temporary file
 name. The file is created in an unsafe manner and execvpe() tries to
 execute it, which can be used by a local attacker to execute arbitrary
 code with the privilege of the user running the python code that is
 using this method.

Update:

 The previously released packages for 9.0 had an incorrect dependency
 on libdb.so.2 instead of libdb.so.3. This update corrects that problem.
________________________________________________________________________

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119
 http://mail.python.org/pipermail/python-dev/2002-August/027223.html
 http://python.org/sf/590294
________________________________________________________________________

Updated Packages:

 Mandrake Linux 9.0:
 eda5ce8842e16db410497487665a926a  9.0/RPMS/libpython2.2-2.2.1-14.2mdk.i586.rpm
 c85d22c38bf31f75ebdfb782a3ff0975  9.0/RPMS/libpython2.2-devel-2.2.1-14.2mdk.i586.rpm
 06970738837e1a6355bd0555287706bb  9.0/RPMS/python-2.2.1-14.2mdk.i586.rpm
 efe32dfe6f8fb692916e3a7b3550616b  9.0/RPMS/python-base-2.2.1-14.2mdk.i586.rpm
 6b7b68b3df2c6d35ed3ddcd279f63a65  9.0/RPMS/python-docs-2.2.1-14.2mdk.i586.rpm
 1febf082525ee0816c9453d576938fac  9.0/RPMS/tkinter-2.2.1-14.2mdk.i586.rpm
 1c07dce9e92f07203bf5aa783869b959  9.0/SRPMS/python-2.2.1-14.2mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
FTP mirrors can be obtained from:

 http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

 rpm --checksig
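
The class of problem the advisory describes, a temporary file name that is chosen first and created or executed later in a shared directory, shown next to the safe creation pattern. This is an added example, not code from the advisory or from Python's os.py; the function names, the helper script and the directory standing in for /tmp are assumptions, and it assumes a POSIX system.

```python
import os
import stat
import subprocess
import sys
import tempfile


def guessable_name(shared_dir):
    """Racy pattern: pick a name now, create or execute the file later."""
    return os.path.join(shared_dir, "helper-%d" % os.getpid())


def create_exclusive(path, data):
    """Create path only if nothing exists there; never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # FileExistsError if already present
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def run_private_script(source):
    """Write a helper into a fresh owner-only directory, then execute it."""
    with tempfile.TemporaryDirectory() as workdir:  # mkdtemp(), mode 0700
        script = os.path.join(workdir, "helper.py")
        create_exclusive(script, source.encode())
        dir_mode = stat.S_IMODE(os.stat(workdir).st_mode)
        done = subprocess.run([sys.executable, script], capture_output=True,
                              text=True, check=True)
        return dir_mode, done.stdout.strip()


def demo_precreated_path():
    """Show that exclusive creation refuses a path someone else made first."""
    with tempfile.TemporaryDirectory() as shared:  # stand-in for /tmp
        path = guessable_name(shared)
        with open(path, "w") as fh:  # constructed: file exists before use
            fh.write("not ours")
        try:
            create_exclusive(path, b"ours")
            refused = False
        except FileExistsError:
            refused = True
        with open(path) as fh:
            untouched = fh.read() == "not ours"
    return refused, untouched


if __name__ == "__main__":
    print(demo_precreated_path())
    print(run_private_script("print('ran from private dir')"))
```

Code that only needs scratch data should prefer `tempfile.mkstemp()` or `tempfile.TemporaryDirectory()` over building a path by hand; both create the object atomically with owner-only permissions.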