Sicherheit: Unsichere Verwendung temporärer Dateien in gnucash

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1172071992-8862-57

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:046
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gnucash
Date : February 21, 2007
Affected: 2007.0
_______________________________________________________________________

Problem Description:

Gnucash 2.0.4 and earlier allows local users to overwrite arbitrary
files via a symlink attack on the (1) gnucash.trace, (2) qof.trace,
and (3) qof.trace.[PID] temporary files.

Updated package have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0007
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
a8b619c62b08ffe1a0a94123450c9182
2007.0/i586/gnucash-2.0.1-1.1mdv2007.0.i586.rpm
4670eabd1f6b6ac60d6c0fa6bbf86fae
2007.0/i586/gnucash-hbci-2.0.1-1.1mdv2007.0.i586.rpm
071c5a28526cc29b99d47485d95b5115
2007.0/i586/gnucash-ofx-2.0.1-1.1mdv2007.0.i586.rpm
fa58ac7785e11552ad48bc35427ee689
2007.0/i586/gnucash-sql-2.0.1-1.1mdv2007.0.i586.rpm
3f8f689dd645e73822bd5baa6ba4db1f
2007.0/i586/libgnucash0-2.0.1-1.1mdv2007.0.i586.rpm
336f63153412b508077cc655d6ce9e76
2007.0/i586/libgnucash0-devel-2.0.1-1.1mdv2007.0.i586.rpm
ae715153145554dab009d40e68148ce7
2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
5e30146412acbec8657a8f4590146279
2007.0/x86_64/gnucash-2.0.1-1.1mdv2007.0.x86_64.rpm
725b0c74c9335e4698e634ebc34788da
2007.0/x86_64/gnucash-hbci-2.0.1-1.1mdv2007.0.x86_64.rpm
15c729b3a02cef72a3b1e019a2a17415
2007.0/x86_64/gnucash-ofx-2.0.1-1.1mdv2007.0.x86_64.rpm
00724c0891a6e67973c6c9bce8dc25a3
2007.0/x86_64/gnucash-sql-2.0.1-1.1mdv2007.0.x86_64.rpm
db2b23ba27b6651b0452cfa7463b8e4e
2007.0/x86_64/lib64gnucash0-2.0.1-1.1mdv2007.0.x86_64.rpm
c97bf9c1d352b89f59572c1762fd5930
2007.0/x86_64/lib64gnucash0-devel-2.0.1-1.1mdv2007.0.x86_64.rpm
ae715153145554dab009d40e68148ce7
2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF3DLMmqjQ0CJFipgRAt2RAKCCzmFjfyOFGghSbGds6VJADW06SgCeOBxk
83o9HUJXkIavyn7zZX2Re+w=
=4LLz
-----END PGP SIGNATURE-----

------------=_1172071992-8862-57
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1172071992-8862-57--