LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Eridani alert ERISA-2002:032 (util-linux)



From:
    	      Eridani Star System <linux@eridani.co.uk>


To:
    	      eridani-announce@eridani.co.uk


Subject:
    	      [Eridani-Announce] ERISA-2002:032 - util-linux


Date:
    	      Mon, 29 Jul 2002 20:27:51 +0100 (BST)



=========================================================================
		ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================

Package:	util-linux
Summary:	util-linux contains a locally exploitable vulnerability
Date:		2002-07-29
ID:		ERISA-2002:032

=========================================================================

Problem description:

  Util-linux contains many system utilities that are required for the
  proper functionality of a Linux system.  One of these, chfn, allows
  users to modify certain pieces of information in the system password
  file, /etc/passwd.  In order to be able to do this, chfn is installed
  setuid root.

  A vulnerability has been found in this utility that can allow a carefully
  crafted attack to exploit a file locking race, to allow changes to be
  made to /etc/passwd.  This requires that the password file be over 4K in
  size and the attacker's entry not be in the last 4K of the file.

-------------------------------------------------------------------------
Updated packages:

  b51998143e71f929a9539489c146ad5c  util-linux-2.10f-8.src.rpm

  aa86bc0024a5c5825845e53aa503ffc5  util-linux-2.10f-8.i386.rpm

-------------------------------------------------------------------------
References:

  CAN-2002-0638

=========================================================================

Packages available from ftp://ftp.eridani.co.uk/pub/Aeryn/
or by HTTP from http://ftp.eridani.co.uk/

Packages are signed with our GNU GPG key, also on our FTP site.

Users of releases of Eridani Linux prior to 6.3 are advised to download
the source RPM and rebuild for their system.

Copyright (C)2002 Eridani Star System

-- Michael "Soruk" McConnell                       http://www.eridani.co.uk
Eridani Linux  --  The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...

_______________________________________________
Eridani-Announce mailing list
To be removed from this list email linux@eridani.co.uk requesting removal.
(Log in to post comments)

Affected versions?

Posted Jul 29, 2002 20:55 UTC (Mon) by Manny_Calavera (guest, #2846) [Link]

Is just 2.10 affected newer Versions (i.e. 2.11), too?

see you

Affected versions?

Posted Jul 29, 2002 20:56 UTC (Mon) by Manny_Calavera (guest, #2846) [Link]

There's missing an »or«.

See you,
- Manny -

Affected versions?

Posted Jul 29, 2002 23:19 UTC (Mon) by Soruk (subscriber, #2722) [Link]

2.11 is affected also. Certainly Red Hat have released updated packages of 2.11... if you don't run Red Hat it might still be worth getting the source package and looking at the patches to see what they've done to it.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds