From: Eridani Star System <linux@eridani.co.uk>
To: eridani-announce@eridani.co.uk
Subject: [Eridani-Announce] ERISA-2002:037 - tcltk
Date: Wed, 14 Aug 2002 08:55:55 +0100 (BST)
=========================================================================
ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================
Package: tcltk
Summary: Library search vulnerability
Date: 2002-08-14
ID: ERISA-2002:037
=========================================================================
Problem description:
The Tcl/Tk package set comprises a number of applications:
tcl, tclX, itcl, tk and expect.
Versions of expect prior to 5.32 searched /var/tmp for its libraries before
searching other directories. A local user could place a Trojan library there
that would give them root privileges whenever root ran any expect script
(notably mkpasswd).
The Tcl/Tk packages searched the current directory for their libraries before
searching other paths. This could be exploited to run arbitrary code by
placing a Trojan library in a user-controlled directory.
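Both problems above are the same defect: a first-match library loader consults a directory that unprivileged users can write to (/var/tmp, or the current directory) before its trusted install paths. The following audit script is an added example, not part of this advisory or of the Tcl/Tk packages. It takes a search-path list (for Tcl this would be the contents of the `auto_path` variable; for native code, LD_LIBRARY_PATH), flags relative and shared-temporary entries, reports whether each one shadows the trusted directories, and shows which file a first-match walk would pick. The path lists, the "present files" set and the trusted-prefix tuple are constructed for the example.

```python
import os
import stat

# Shared, world-writable locations that must never precede trusted library
# directories in a search path. The advisory names /var/tmp; /tmp is added
# here as the same class of directory (constructed list for this example).
SHARED_TMP_DIRS = ("/tmp", "/var/tmp")


def _under(norm, prefix):
    """True if normalised path `norm` is `prefix` or lies below it."""
    prefix = prefix.rstrip("/") or "/"
    return norm == prefix or norm.startswith(prefix + "/")


def classify_entry(entry):
    """Return a reason string if a search-path entry is untrusted, else None.

    Works on the path string alone, so it can be run over a recorded
    auto_path / LD_LIBRARY_PATH value without touching the filesystem.
    """
    if entry in ("", "."):
        return "current directory (empty or '.' entry)"
    if not entry.startswith("/"):
        return "relative path"
    norm = os.path.normpath(entry)
    if any(_under(norm, tmp) for tmp in SHARED_TMP_DIRS):
        return "shared temporary directory"
    return None


def is_world_writable(entry):
    """Filesystem check: True if `entry` exists and 'other' may write to it.

    Even with the sticky bit set, any local user can still create new names
    in such a directory, which is all a library drop needs.
    """
    try:
        st = os.stat(entry)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def audit_search_path(entries, trusted_prefixes, check_fs=False):
    """Flag untrusted entries and say whether each shadows the trusted ones.

    Returns a list of (index, entry, reason). An untrusted directory that
    comes after every trusted entry is still reported, because a library
    that is missing from the trusted directories would fall through to it.
    """
    first_trusted = next(
        (i for i, e in enumerate(entries)
         if any(_under(os.path.normpath(e), p) for p in trusted_prefixes)),
        len(entries),
    )
    findings = []
    for i, e in enumerate(entries):
        reason = classify_entry(e)
        if reason is None and check_fs and is_world_writable(e):
            reason = "world-writable directory"
        if reason is None:
            continue
        position = "shadows trusted dirs" if i < first_trusted else "fallback only"
        findings.append((i, e, f"{reason}; {position}"))
    return findings


def resolve(name, entries, present):
    """Return the path a first-match loader would load for `name`.

    `present` is a constructed set of existing file paths standing in for
    the real filesystem, so the walk can be demonstrated offline.
    """
    for e in entries:
        candidate = os.path.join(e, name)
        if candidate in present:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed search paths: the pre-fix ordering and a corrected one.
    vulnerable = ["/var/tmp", ".", "/usr/lib/tcl8.3", "/usr/lib"]
    fixed = ["/usr/lib/tcl8.3", "/usr/lib"]
    trusted = ("/usr/lib",)
    # Constructed filesystem: a planted copy of init.tcl next to the real one.
    files = {"/var/tmp/init.tcl", "/usr/lib/tcl8.3/init.tcl"}
    for label, path in (("vulnerable", vulnerable), ("fixed", fixed)):
        print(label, "findings:", audit_search_path(path, trusted))
        print(label, "loads:", resolve("init.tcl", path, files))
```

Run with `check_fs=True` on a live system to add the world-writable check to the string-based classification; the script then reports any directory an unprivileged user could populate, whether or not it is a conventional temp directory.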
-------------------------------------------------------------------------
Updated packages:
d487ca6cb4600cd9898cfa6c11dab7e7 tcltk-8.3.3-70.src.rpm
472aa936740f7634c2de0a548bd10bc5 expect-5.32.2-70.i386.rpm
5a358fa170df557553570e4a07d34e0d itcl-3.2-70.i386.rpm
81efc1e7cfd815a61d221659a649fc22 tcl-8.3.3-70.i386.rpm
4e267b338422670d452bb2f7f225ab60 tcllib-1.0-70.i386.rpm
f744408e8cc8e1e1733e0fb9e055fb39 tclx-8.3-70.i386.rpm
76a1b3dc9a3d5547d6e7d94236975b79 tix-8.2.0b1-70.i386.rpm
9a39e20864dc7e00dc8c24d2343be6ad tk-8.3.3-70.i386.rpm
-------------------------------------------------------------------------
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1375
=========================================================================
Packages available from ftp://ftp.eridani.co.uk/pub/Aeryn/
or by HTTP from http://ftp.eridani.co.uk/
Packages are signed with our GNU GPG key, also on our FTP site.
Users of releases of Eridani Linux prior to 6.3 are advised to download
the source RPM and rebuild for their system.
Copyright (C)2002 Eridani Star System
-- Michael "Soruk" McConnell http://www.eridani.co.uk
Eridani Linux -- The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...
_______________________________________________
Eridani-Announce mailing list
To be removed from this list email linux@eridani.co.uk requesting removal.