security advisorydebiantemporary file
Tatsuya Kinoshita discovered that IM, which contains interfacecommands and Perl libraries for E-mail and NetNews, creates temporaryfiles insecurely.. -------------------------------------------------------------------------- Debian Security Advisory DSA 202-1 This email address is being protected from spambots. You need JavaScript enabled to view it. Debian -- Security Information Martin Schulze December 3rd, 2002 Debian -- Debian security FAQ -------------------------------------------------------------------------- Package : im Vulnerability : temporary files Problem-Type : local Debian-specific: no Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. 1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user. 2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. These problems have been fixed in version 141-18.1 for the current stable distribution (woody), in version 133-2.2 of the old stable distribution (potato) and in version 141-20 for the unstable distribution (sid). We recommend that you upgrade your IM package. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato --------------------------------- Source archives: Size/MD5 checksum: 513 da21bcdcce62f783b15750469140595e Size/MD5 checksum: 6929 0669a546380d3e2d702f1ecd3ef6fd7b Size/MD5 checksum: 205055 df14f9a251a8d47fc045b6303090be47 Architecture independent components: Size/MD5 checksum: 217576 15a164603f65eb355f97515aaa97340a Debian GNU/Linux 3.0 alias woody -------------------------------- Source archives: Size/MD5 checksum: 568 86a87c81e159d54359eeac2c3c383ffb Size/MD5 checksum: 14110 2cb6b858ccda19f96b3c5315a48a41c0 Size/MD5 checksum: 207576 9ecd2d6009048f1fecbc7b2e0e8cd489 Architecture independent components: Size/MD5 checksum: 217416 41a6ad3bc0b0591ba180dd5d646387f9 These files will probably be moved into the stable distribution on its next revision. Survey on the use of Debian GNU/Linux 2.2 alias potato: Survey on the use of Debian 2.2 (potato) --------------------------------------------------------------------------------- For apt-get: deb Debian -- Security Information stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. Package info: `apt-cache show ' and https://www.debian.org/distrib/packages . Debian Security Advisory DSA 202-1 warns of critical temporary file risks in IM package; users should upgrade immediately.. Debian Security Update, Temporary File Risk, IM Package Fix. . Severity: Critical. LinuxSecurity.com Team
Dec 03, 2002
•Critical
Debian
Refine advisories
