
Eridani alert ERISA-2002:032 (util-linux)

From:  Eridani Star System <linux@eridani.co.uk>
To:  eridani-announce@eridani.co.uk
Subject:  [Eridani-Announce] ERISA-2002:032 - util-linux
Date:  Mon, 29 Jul 2002 20:27:51 +0100 (BST)

=========================================================================
ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================

Package:  util-linux
Summary:  util-linux contains a locally exploitable vulnerability
Date:     2002-07-29
ID:       ERISA-2002:032
=========================================================================

Problem description:

Util-linux contains many system utilities that are required for the
proper functionality of a Linux system. One of these, chfn, allows users
to modify certain pieces of information in the system password file,
/etc/passwd. In order to be able to do this, chfn is installed setuid
root.

A vulnerability has been found in this utility that can allow a carefully
crafted attack to exploit a file locking race, to allow changes to be
made to /etc/passwd. This requires that the password file be over 4K in
size and the attacker's entry not be in the last 4K of the file.

-------------------------------------------------------------------------

Updated packages:

b51998143e71f929a9539489c146ad5c  util-linux-2.10f-8.src.rpm
aa86bc0024a5c5825845e53aa503ffc5  util-linux-2.10f-8.i386.rpm

-------------------------------------------------------------------------

References:

CAN-2002-0638

=========================================================================

Packages available from ftp://ftp.eridani.co.uk/pub/Aeryn/
or by HTTP from http://ftp.eridani.co.uk/

Packages are signed with our GNU GPG key, also on our FTP site.

Users of releases of Eridani Linux prior to 6.3 are advised to download
the source RPM and rebuild for their system.

Copyright (C)2002 Eridani Star System

--
Michael "Soruk" McConnell    http://www.eridani.co.uk
Eridani Linux -- The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...

_______________________________________________
Eridani-Announce mailing list
To be removed from this list email linux@eridani.co.uk requesting removal.
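
A triage check for the two conditions the advisory states (password file over 4K, entry not in the last 4K), added here as an example; it is not part of the advisory or of util-linux. It assumes "4K" means 4096 bytes and that an entry overlapping the final 4096 bytes counts as being in the last 4K; `exposure` and `_sample` are names made up for this example.

```python
"""Triage helper for ERISA-2002:032 (added example; not from the advisory)."""
import sys

WINDOW = 4096  # assumption: the advisory's "4K" means 4096 bytes


def exposure(passwd_bytes, window=WINDOW):
    """Return (file_is_over_window, names), where names are the login names
    whose entry lies wholly before the last `window` bytes of the file."""
    size = len(passwd_bytes)
    if size <= window:
        return False, []          # size condition from the advisory not met
    tail_start = size - window    # offset of the first byte of the last 4K
    names, offset = [], 0
    for line in passwd_bytes.splitlines(keepends=True):
        end = offset + len(line)  # offset one past this entry
        # Assumption: an entry that overlaps the tail counts as "in the last 4K".
        if end <= tail_start and line.strip() and not line.startswith(b"#"):
            names.append(line.split(b":", 1)[0].decode("utf-8", "replace"))
        offset = end
    return True, names


def _sample(n):
    """Constructed sample data: n made-up passwd entries of 54 bytes each."""
    return b"".join(
        b"user%04d:x:%d:%d:Test User:/home/user%04d:/bin/sh\n"
        % (i, 1000 + i, 1000 + i, i)
        for i in range(n)
    )


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, "rb") as fh:
        over, names = exposure(fh.read())
    if not over:
        print(f"{path}: not over {WINDOW} bytes; size condition not met")
    else:
        print(f"{path}: over {WINDOW} bytes; "
              f"{len(names)} entries lie outside the last 4K")
        for name in names:
            print("  " + name)
```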



Affected versions?

Posted Jul 29, 2002 20:55 UTC (Mon) by Manny_Calavera (guest, #2846) [Link]

Is just 2.10 affected newer Versions (i.e. 2.11), too?

see you

Affected versions?

Posted Jul 29, 2002 20:56 UTC (Mon) by Manny_Calavera (guest, #2846) [Link]

There's an »or« missing.

See you,
- Manny -

Affected versions?

Posted Jul 29, 2002 23:19 UTC (Mon) by Soruk (guest, #2722) [Link]

2.11 is affected also. Certainly Red Hat have released updated packages of 2.11... if you don't run Red Hat it might still be worth getting the source package and looking at the patches to see what they've done to it.

