LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for September 4, 2008

The Kernel Hacker's Bookshelf: UNIX Internals

DRI, BSD, and Linux

SCHED_FIFO and realtime throttling

LWN.net Weekly Edition for August 28, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Red Hat alert RHSA-2004:031-01 (symlink)



From:
    	      bugzilla@redhat.com


To:
    	      enterprise-watch-list@redhat.com


Subject:
    	      [RHSA-2004:031-01] Updated NetPBM packages fix multiple temporary file vulnerabilities


Date:
    	      Tue, 3 Feb 2004 03:29 -0500



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated NetPBM packages fix multiple temporary file vulnerabilities
Advisory ID:       RHSA-2004:031-01
Issue date:        2004-01-19
Updated on:        2004-01-22
Product:           Red Hat Enterprise Linux
Keywords:          symlink tmpfile tmp
Cross references:  
Obsoletes:         RHSA-2003:061
CVE Names:         CAN-2003-0924
- ---------------------------------------------------------------------

1. Topic:

Updated NetPBM packages are available that fix a number of temporary file
vulnerabilities in the netpbm libraries.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The netpbm package contains a library of functions that support
programs for handling various graphics file formats, including .pbm
(portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps),
.ppm (portable pixmaps), and others.

A number of temporary file bugs have been found in versions of NetPBM. 
These could make it possible for a local user to overwrite or create files
as a different user who happens to run one of the the vulnerable utilities. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0924 to this issue.

Users are advised to upgrade to the erratum packages, which contain patches
from Debian that correct these bugs.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate 
Errors, you need to install a version of the up2date client with an updated 
certificate.  The latest version of up2date is available from the Red Hat 
FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

113841 - CAN-2003-0924 netpbm temporary file vulnerabilities

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.3.i386.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-9.AS21.3.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.3.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.3.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-9.AS21.3.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.3.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.3.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.3.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.3.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.3.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.i386.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-11.30.1.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.ia64.rpm

ppc:
Available from Red Hat Network: netpbm-9.24-11.30.1.ppc.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.ppc.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.ppc.rpm

s390:
Available from Red Hat Network: netpbm-9.24-11.30.1.s390.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.s390.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.s390.rpm

s390x:
Available from Red Hat Network: netpbm-9.24-11.30.1.s390x.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.s390x.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.s390x.rpm

x86_64:
Available from Red Hat Network: netpbm-9.24-11.30.1.x86_64.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.x86_64.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.i386.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.i386.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-11.30.1.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.ia64.rpm

x86_64:
Available from Red Hat Network: netpbm-9.24-11.30.1.x86_64.rpm
Available from Red Hat Network: netpbm-devel-9.24-11.30.1.x86_64.rpm
Available from Red Hat Network: netpbm-progs-9.24-11.30.1.x86_64.rpm



7. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------

8bbc9ff6c4b08893f2c03fc88bb23905 2.1AS/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm
f4c7109c7a376c4c202fb6279ffcc4e5 2.1AS/en/os/i386/netpbm-9.24-9.AS21.3.i386.rpm
f785e50afebe924800d21127e6b645b4 2.1AS/en/os/i386/netpbm-devel-9.24-9.AS21.3.i386.rpm
13fa445162e2e8494f9ad146af1ae434 2.1AS/en/os/i386/netpbm-progs-9.24-9.AS21.3.i386.rpm
45f86efa10aaa64db8fa3c408f7b9397 2.1AS/en/os/ia64/netpbm-9.24-9.AS21.3.ia64.rpm
12971730603f67369e01a65c23c4e931 2.1AS/en/os/ia64/netpbm-devel-9.24-9.AS21.3.ia64.rpm
5d26a76ce5f09e9d39551fdb1afa1d73 2.1AS/en/os/ia64/netpbm-progs-9.24-9.AS21.3.ia64.rpm
8bbc9ff6c4b08893f2c03fc88bb23905 2.1AW/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm
45f86efa10aaa64db8fa3c408f7b9397 2.1AW/en/os/ia64/netpbm-9.24-9.AS21.3.ia64.rpm
12971730603f67369e01a65c23c4e931 2.1AW/en/os/ia64/netpbm-devel-9.24-9.AS21.3.ia64.rpm
5d26a76ce5f09e9d39551fdb1afa1d73 2.1AW/en/os/ia64/netpbm-progs-9.24-9.AS21.3.ia64.rpm
8bbc9ff6c4b08893f2c03fc88bb23905 2.1ES/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm
f4c7109c7a376c4c202fb6279ffcc4e5 2.1ES/en/os/i386/netpbm-9.24-9.AS21.3.i386.rpm
f785e50afebe924800d21127e6b645b4 2.1ES/en/os/i386/netpbm-devel-9.24-9.AS21.3.i386.rpm
13fa445162e2e8494f9ad146af1ae434 2.1ES/en/os/i386/netpbm-progs-9.24-9.AS21.3.i386.rpm
8bbc9ff6c4b08893f2c03fc88bb23905 2.1WS/en/os/SRPMS/netpbm-9.24-9.AS21.3.src.rpm
f4c7109c7a376c4c202fb6279ffcc4e5 2.1WS/en/os/i386/netpbm-9.24-9.AS21.3.i386.rpm
f785e50afebe924800d21127e6b645b4 2.1WS/en/os/i386/netpbm-devel-9.24-9.AS21.3.i386.rpm
13fa445162e2e8494f9ad146af1ae434 2.1WS/en/os/i386/netpbm-progs-9.24-9.AS21.3.i386.rpm
b29c97494678db01c8887d94c3871c1d 3AS/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm
b3e56c4b52c47d7fbc46d0c936c7a8ac 3AS/en/os/i386/netpbm-9.24-11.30.1.i386.rpm
61f01cc1fa52359932542ae05ff58eac 3AS/en/os/i386/netpbm-devel-9.24-11.30.1.i386.rpm
8248d6d1bf5869576d4d2f3391289824 3AS/en/os/i386/netpbm-progs-9.24-11.30.1.i386.rpm
9af2434d6aeab77499c790dd70323865 3AS/en/os/ia64/netpbm-9.24-11.30.1.ia64.rpm
c57a05a0c29810cd94f24084c0142785 3AS/en/os/ia64/netpbm-devel-9.24-11.30.1.ia64.rpm
fae85f2380940047e5ef08bef7e946c3 3AS/en/os/ia64/netpbm-progs-9.24-11.30.1.ia64.rpm
98f39fd8b05e12c7ff97ab371c917d4c 3AS/en/os/ppc/netpbm-9.24-11.30.1.ppc.rpm
795e390b200901e4a31622d993287a1b 3AS/en/os/ppc/netpbm-devel-9.24-11.30.1.ppc.rpm
dcc87bac4fa4a1c24c8866dedc3b24cd 3AS/en/os/ppc/netpbm-progs-9.24-11.30.1.ppc.rpm
d8c1b086406545bdb445ad8351d32064 3AS/en/os/s390/netpbm-9.24-11.30.1.s390.rpm
9aeb4fc506d5f6ecabbda9d53768bfbf 3AS/en/os/s390/netpbm-devel-9.24-11.30.1.s390.rpm
72b0e00eff5ab8c9b12d024ccec8b4ef 3AS/en/os/s390/netpbm-progs-9.24-11.30.1.s390.rpm
2da0b2f625e1183e9338078a9e157119 3AS/en/os/s390x/netpbm-9.24-11.30.1.s390x.rpm
25fb541d7d744c0261ee8ff4f8a1f465 3AS/en/os/s390x/netpbm-devel-9.24-11.30.1.s390x.rpm
b6b4abb4d5b430c71031bb83de31aa7f 3AS/en/os/s390x/netpbm-progs-9.24-11.30.1.s390x.rpm
3cdce35a97c66ca2a89dbe7e82eaaf7f 3AS/en/os/x86_64/netpbm-9.24-11.30.1.x86_64.rpm
7e988b8c649b9099ab4dd740a20a044a 3AS/en/os/x86_64/netpbm-devel-9.24-11.30.1.x86_64.rpm
0af149db153c4c5dfc6aa3bdeb00297d 3AS/en/os/x86_64/netpbm-progs-9.24-11.30.1.x86_64.rpm
b29c97494678db01c8887d94c3871c1d 3ES/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm
b3e56c4b52c47d7fbc46d0c936c7a8ac 3ES/en/os/i386/netpbm-9.24-11.30.1.i386.rpm
61f01cc1fa52359932542ae05ff58eac 3ES/en/os/i386/netpbm-devel-9.24-11.30.1.i386.rpm
8248d6d1bf5869576d4d2f3391289824 3ES/en/os/i386/netpbm-progs-9.24-11.30.1.i386.rpm
b29c97494678db01c8887d94c3871c1d 3WS/en/os/SRPMS/netpbm-9.24-11.30.1.src.rpm
b3e56c4b52c47d7fbc46d0c936c7a8ac 3WS/en/os/i386/netpbm-9.24-11.30.1.i386.rpm
61f01cc1fa52359932542ae05ff58eac 3WS/en/os/i386/netpbm-devel-9.24-11.30.1.i386.rpm
8248d6d1bf5869576d4d2f3391289824 3WS/en/os/i386/netpbm-progs-9.24-11.30.1.i386.rpm
9af2434d6aeab77499c790dd70323865 3WS/en/os/ia64/netpbm-9.24-11.30.1.ia64.rpm
c57a05a0c29810cd94f24084c0142785 3WS/en/os/ia64/netpbm-devel-9.24-11.30.1.ia64.rpm
fae85f2380940047e5ef08bef7e946c3 3WS/en/os/ia64/netpbm-progs-9.24-11.30.1.ia64.rpm
3cdce35a97c66ca2a89dbe7e82eaaf7f 3WS/en/os/x86_64/netpbm-9.24-11.30.1.x86_64.rpm
7e988b8c649b9099ab4dd740a20a044a 3WS/en/os/x86_64/netpbm-devel-9.24-11.30.1.x86_64.rpm
0af149db153c4c5dfc6aa3bdeb00297d 3WS/en/os/x86_64/netpbm-progs-9.24-11.30.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0924

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAH1vtXlSAg2UNWIIRAldNAJ9oLER6qhRElXWIsmKYg5wgWTAtxQCdF/Au
bnrZMy+aKCjrQMF5gjJ6kVI=
=iLXO
-----END PGP SIGNATURE-----

-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds