-------------------------------------------------------------------------- Debian Security Advisory DSA 256-1 security@debian.org http://www.debian.org/security/ Martin Schulze February 28th, 2003 Debian -- Debian security FAQ -------------------------------------------------------------------------- Package : mhc Vulnerability : insecure temporary file Problem-Type : local Debian-specific: no It has been discovered that adb2mhc from the mhc-utils package. The default temporary directory uses a predictable name. This adds a vulnerability that allows a local attacker to overwrite arbitrary files the users has write permissions for. For the stable distribution (woody) this problem has been fixed in version 0.25+20010625-7.1. For the old stable distribution (potato) does not contain mhc packages. For the unstable distribution (sid) this problem has been fixed in version 0.25+20030224-1. We recommend that you upgrade your mhc-utils packages. Upgrade Instructions -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody -------------------------------- Source archives: Size/MD5 checksum: 617 fc3098663e051e20fed88ee8e7a7bfbd Size/MD5 checksum: 14493 ac68647bb9aed85ce74037b5eb306b54 Size/MD5 checksum: 208318 2233746036919a421f7f291625761823 Architecture independent components: Size/MD5 checksum: 147808 c5f128fe3d1d2a9b643874f78d40a5ab Alpha architecture: Size/MD5 checksum: 91336 07930235dbf263b9b87e89b28725e1ed ARM architecture: Size/MD5 checksum: 89882 95393dceb844b1e1b5c7abe8e1391ed9 Intel IA-32 architecture: Size/MD5 checksum: 89500 95b17072c6f272a7cf3613eaec4daf94 Intel IA-64 architecture: Size/MD5 checksum: 96796 21fed065479b00474369ffa64cbd2537 HP Precision architecture: Size/MD5 checksum: 92072 56854ee04eadb0e6cf6dea106d54ccdf Motorola 680x0 architecture: Size/MD5 checksum: 89842 b8ea321b3b85af7f6ccaa1a73a1ad3d3 Big endian MIPS architecture: Size/MD5 checksum: 89846 26cc8298c8012004f4a7d3561b8c0a76 Little endian MIPS architecture: Size/MD5 checksum: 89738 3f224d8ed5bfc46311d3b725849d8d6f PowerPC architecture: Size/MD5 checksum: 89820 05aced4ba0ba537d8de38339b5a44f08 IBM S/390 architecture: Size/MD5 checksum: 90426 ed10fcd3f89b6fbd9a40b52ead00df17 Sun Sparc architecture: Size/MD5 checksum: 90140 53a151508170f3ca559a093f6331c357 These files will probably be moved into the stable distribution on its next revision. --------------------------------------------------------------------------------- For apt-get: deb Debian -- Security Information stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show' and http://packages.debian.org/
Debian: mhc insecure temporary file vulnerability
February 28, 2003
There is an insecure tmp file vulnerability in adb2mhc from the mhc-utils package.
Summary
It has been discovered that adb2mhc from the mhc-utils package. The
default temporary directory uses a predictable name. This adds a
vulnerability that allows a local attacker to overwrite arbitrary
files the users has write permissions for.
For the stable distribution (woody) this problem has been
fixed in version 0.25+20010625-7.1.
For the old stable distribution (potato) does not contain mhc
packages.
For the unstable distribution (sid) this problem has been fixed in
version 0.25+20030224-1.
We recommend that you upgrade your mhc-utils packages.
Upgrade Instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
Source archives:
Size/MD5 checksum: 617 fc3098663e051e20fed88ee8e7a7bfbd
Size/MD5 checksum: 14493 ac68647bb9aed85ce74037b5eb306b54
Size/MD5 checksum: 208318 2233746036919a421f7f291625761823
Architecture independent components:
Size/MD5 checksum: 147808 c5f128fe3d1d2a9b643874f78d40a5ab
Alpha architecture:
Size/MD5 checksum: 91336 07930235dbf263b9b87e89b28725e1ed
ARM architecture:
Size/MD5 checksum: 89882 95393dceb844b1e1b5c7abe8e1391ed9
Intel IA-32 architecture:
Size/MD5 checksum: 89500 95b17072c6f272a7cf3613eaec4daf94
Intel IA-64 architecture:
Size/MD5 checksum: 96796 21fed065479b00474369ffa64cbd2537
HP Precision architecture:
Size/MD5 checksum: 92072 56854ee04eadb0e6cf6dea106d54ccdf
Motorola 680x0 architecture:
Size/MD5 checksum: 89842 b8ea321b3b85af7f6ccaa1a73a1ad3d3
Big endian MIPS architecture:
Size/MD5 checksum: 89846 26cc8298c8012004f4a7d3561b8c0a76
Little endian MIPS architecture:
Size/MD5 checksum: 89738 3f224d8ed5bfc46311d3b725849d8d6f
PowerPC architecture:
Size/MD5 checksum: 89820 05aced4ba0ba537d8de38339b5a44f08
IBM S/390 architecture:
Size/MD5 checksum: 90426 ed10fcd3f89b6fbd9a40b52ead00df17
Sun Sparc architecture:
Size/MD5 checksum: 90140 53a151508170f3ca559a093f6331c357
These files will probably be moved into the stable distribution on
its next revision.
Severity
Package : mhc
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
News
HOWTOs
Features
About Us
Powered By
