|
----- Original Message ----- From: "Conectiva Updates" <secure@conectiva.com.br> To: <conectiva-updates@papaleguas.conectiva.com.br>; <lwn@lwn.net>; <bugtraq@securityfocus.com>; <security-alerts@linuxsecurity.com>; <linsec@lists.seifried.org> Sent: Monday, April 07, 2003 2:25 PM Subject: [CLA-2003:620] Conectiva Security Announcement - man > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - ------------------------------------------------------------------------ -- > CONECTIVA LINUX SECURITY ANNOUNCEMENT > - ------------------------------------------------------------------------ -- > > PACKAGE : man > SUMMARY : Local vulnerability > DATE : 2003-04-07 19:22:00 > ID : CLA-2003:620 > RELEVANT > RELEASES : 6.0, 7.0, 8 > > - ------------------------------------------------------------------------ - > > DESCRIPTION > The man package, which includes the utilities man, apropos, and > whatis is used to read most of the documentation available on a Linux > system. > > Jack Lloyd found[1] a local vulnerability in the man utility. Because > of a problem with a value returned by the my_xsprintf() function, man > could try to execute a program called "unsafe" when reading a manpage > file with certain characteristics. If an attacker can put a malicious > executable file called "unsafe" in the system PATH and let a user > open a specially created manpage, it could run arbitrary commands > with the privileges of this user. > > > SOLUTION > All users of the "man" package should upgrade. > > > REFERENCES: > 1.http://www.securityfocus.com/archive/1/314700 > > > UPDATED PACKAGES > ftp://atualizacoes.conectiva.com.br/6.0/RPMS/man-1.5l-1U60_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/man-1.5l-1U60_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/man-1.5l-1U70_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/man-1.5l-1U70_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/8/RPMS/man-1.5l-1U80_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/8/SRPMS/man-1.5l-1U80_1cl.src.rpm > > > ADDITIONAL INSTRUCTIONS > The apt tool can be used to perform RPM packages upgrades: > > - run: apt-get update > - after that, execute: apt-get upgrade > > Detailed instructions reagarding the use of apt and upgrade examples > can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en > > - ------------------------------------------------------------------------ - > All packages are signed with Conectiva's GPG key. The key and instructions > on how to import it can be found at > http://distro.conectiva.com.br/seguranca/chave/?idioma=en > Instructions on how to check the signatures of the RPM packages can be > found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en > > - ------------------------------------------------------------------------ - > All our advisories and generic update instructions can be viewed at > http://distro.conectiva.com.br/atualizacoes/?idioma=en > > - ------------------------------------------------------------------------ - > Copyright 2003 (c) Conectiva Inc. > http://www.conectiva.com > > - ------------------------------------------------------------------------ - > subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br > unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE+kfrW42jd0JmAcZARAhvvAKDBq7XJrgCvZsbTU+qJgkTHG6BRVACeInKP > 2nGTlhBoOi5LvoOl8sOHWso= > =WOKC > -----END PGP SIGNATURE----- >