drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Unsichere Verwendung von /tmp in tcsh
Name: |
Unsichere Verwendung von /tmp in tcsh
|
|
ID: |
CSSA-2000-043.0 |
|
Distribution: |
Caldera |
|
Plattformen: |
Caldera eDesktop 2.4, Caldera Desktop 2.3, Caldera eBuilder, Caldera eServer 2.3 |
|
Datum: |
Mi, 6. Dezember 2000, 12:00 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
tcsh |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
______________________________________________________________________________ Caldera Systems, Inc. Security Advisory
Subject: unsecure temp files in tcsh Advisory number: CSSA-2000-043.0 Issue date: 2000 December, 1 Cross reference: ______________________________________________________________________________
1. Problem Description
When evaluating a so-called "here script", tcsh writes the contents of that script to a temporary file, which is created insecurely. Symlink attacks can be used to make tcsh overwrite arbitrary files owned by the invoking user.
2. Vulnerable Versions
System Package ----------------------------------------------------------- OpenLinux Desktop 2.3 All packages previous to tcsh-6.10.00-2
OpenLinux eServer 2.3 All packages previous to and OpenLinux eBuilder tcsh-6.10.00-2
OpenLinux eDesktop 2.4 All packages previous to tcsh-6.10.00-2
3. Solution
Workaround:
none
The proper solution is to upgrade to the fixed packages
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
9b89b9670997f3352f2e4c8a436db7ff RPMS/tcsh-6.10.00-2.i386.rpm b917e204011a7df41b0bcdfb3d3669eb RPMS/tcsh-doc-html-6.10.00-2.i386.rpm a91cc5ffe8dfe85de3f13b964c514c2f SRPMS/tcsh-6.10.00-2.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -q tcsh-doc-html && rpm -e tcsh-doc-html rpm -Uhv tcsh-*.i386.rpm
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
93f84f61debebe75f984135f9a72a32a RPMS/tcsh-6.10.00-2.i386.rpm 44019349df20160c209a3f111f9880d3 RPMS/tcsh-doc-html-6.10.00-2.i386.rpm a91cc5ffe8dfe85de3f13b964c514c2f SRPMS/tcsh-6.10.00-2.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -q tcsh-doc-html && rpm -e tcsh-doc-html rpm -Uhv tcsh-*.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
93f84f61debebe75f984135f9a72a32a RPMS/tcsh-6.10.00-2.i386.rpm 44019349df20160c209a3f111f9880d3 RPMS/tcsh-doc-html-6.10.00-2.i386.rpm a91cc5ffe8dfe85de3f13b964c514c2f SRPMS/tcsh-6.10.00-2.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -q tcsh-doc-html && rpm -e tcsh-doc-html rpm -Uhv tcsh-*.i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 8134.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org
iD8DBQE6K6oh18sy83A/qfwRAsa+AKCyWTacAC7btAAo5dRcp5khv37k9QCgw67k WZrAChXCsMxQHrwc83wxkNo= =tE1u -----END PGP SIGNATURE-----
|
|
|
|