Fedora: 2004:108 Moderate: Vulnerability in Utempter Symlink Security

April 21, 2004
An update for utempter within Fedora addresses a potential symlink issue, enhancing the overall security of the system.
An updated utempter package that fixes a potential symlink vulnerability is now available.

Summary

Utempter is a utility which allows some non-privileged programs to have required root access without compromising system security. Utempter accomplishes this feat by acting as a buffer between root and the programs.

Update Information:

Topic: An updated utempter package that fixes a potential symlink vulnerability is now available.

Problem Description: Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges.

Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink.
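An added example, not utempter's own code or the fix shipped in this update: one way a privileged helper could reject device names like those described above before writing a utmp or wtmp entry. The function names and the requirement that names start with `/dev/` are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for lstat() */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical check: 1 if dev is "/dev/" followed only by ordinary,
 * non-empty path components, 0 otherwise. */
int device_name_ok(const char *dev)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof(prefix) - 1;
    const char *p;

    if (dev == NULL || strncmp(dev, prefix, plen) != 0)
        return 0;
    p = dev + plen;
    if (*p == '\0')
        return 0;                       /* bare "/dev/" */
    while (*p != '\0') {
        size_t n = strcspn(p, "/");     /* length of this component */
        if (n == 0)
            return 0;                   /* empty component: "//" */
        if (p[0] == '.' && (n == 1 || (n == 2 && p[1] == '.')))
            return 0;                   /* "." or ".." escapes /dev */
        p += n;
        if (*p == '/' && *++p == '\0')
            return 0;                   /* trailing slash */
    }
    return 1;
}

/* Hypothetical check: the name is clean and the node itself is a character
 * device. lstat() does not follow a symlink in the final component. */
int device_node_ok(const char *dev)
{
    struct stat st;

    if (!device_name_ok(dev) || lstat(dev, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *names[] = { "/dev/pts/3", "/dev/../etc/passwd", "/dev/pts/../../tmp/x" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-24s name_ok=%d\n", names[i], device_name_ok(names[i]));
    return 0;
}
```

Checking each path component, rather than searching for the substring `/../`, also rejects a name that ends in `/..` and still accepts legitimate names that merely contain dots.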

Users should upgrade to this new version of utempter, which fixes this vulnerability.

* Tue Apr 20 2004 Mike A. Harris <mharris@redhat.com> 0.5.5-4

- Build 0.5.5-1 version as 0.5.5-1.2.1EL.0 for RHEL 2.1 erratum
- Build 0.5.5-1 version as 0.5.5-1.3EL.0 for RHEL 3 erratum
- Build 0.5.5-1 version as 0.5.5-2.RHL9.0 for RHL 9 erratum
- Build 0.5.5-1 version as 0.5.5-3.FC1.0 for Fedora Core 1 erratum
- Build 0.5.5-1 version as 0.5.5-4 for Fed...

References

Fedora Update Notification FEDORA-2004-108 2004-04-21
Name : utempter
Version : 0.5.5
Release : 3.FC1.0
Summary : A privileged helper for utmp/wtmp updates.
Description : Utempter is a utility which allows some non-privileged programs to have required root access without compromising system security. Utempter accomplishes this feat by acting as a buffer between root and the programs.

Severity
important
