CPNI - Centre for the Protection of National Infrastructure


May 2005

Mandriva - Five Update Advisories

ID: 00423
Ref: 392/2005
Date: 19 May 2005 15:47:39
Version: 1

Title: Mandriva - Five Update Advisories
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva


Title
=====
Mandriva - Five Update Advisories:
1. Updated rpmdrake packages fix bug with mdkonline applet [MDKA-2005:027]
2. Updated cdrdao packages fix local root vulnerability [MDKSA-2005:089]
3. Updated nasm packages fix vulnerability [MDKSA-2005:090]
4. Updated bzip2 packages fix multiple vulnerabilities [MDKSA-2005:091]
5. Updated gzip packages fix several vulnerabilities [MDKSA-2005:092]

Detail
======

Update advisory summaries:

1. A bug in rpmdrake prevented it from showing the reason for an update
when it was invoked by the mdkonline applet. This update corrects
that problem.

2. The cdrdao package contains two vulnerabilities; the first allows local
users to read arbitrary files via the show-data command and the second
allows local users to overwrite arbitrary files via a symlink attack on
the ~/.cdrdao configuration file. This can also lead to elevated
privileges (a root shell) due to cdrdao being installed suid root.

3. A buffer overflow in nasm was discovered by Josh Bressers. If an
attacker could trick a user into assembling a malicious source file,
they could use this vulnerability to execute arbitrary code with the
privileges of the user running nasm.

4. A race condition in the file permission restore code of bunzip2 was
discovered by Imran Ghory. Also, a vulnerability was found where
specially crafted bzip2 archives would cause an infinite loop in the
decompressor, resulting in an indefinitely large output file.

5. Zgrep in gzip before 1.3.5 does not properly sanitize arguments.
There is a race condition in gzip 1.2.4, 1.3.3, and earlier. A directory
traversal vulnerability exists via "gunzip -N" in gzip 1.2.4 through 1.3.5.
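The "gunzip -N" traversal in item 5 and the decompression bomb in item 4 both come from trusting fields of the archive that the producer controls: the stored original name and the claimed output size. The following is an added example in Python, not Mandriva's or gzip's own code, of a hardened single-member gzip reader: it parses the RFC 1952 header itself, accepts the stored name only when it is a bare file name, and caps the inflated size while checking the CRC32/ISIZE trailer. `make_gzip_member` is a constructed test fixture (Python's gzip module only ever writes a basename, so the crafted name has to be built by hand).

```python
import struct
import zlib

# gzip header flag bits (RFC 1952, section 2.3.1)
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10

def parse_gzip_header(data: bytes):
    """Return (stored original name or None, offset of the raw deflate stream)."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    if data[2] != 8:
        raise ValueError("unsupported compression method %d" % data[2])
    flags = data[3]
    pos = 10  # fixed part: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    name = None
    if flags & FNAME:  # zero-terminated Latin-1 string chosen by whoever made the file
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return name, pos

def safe_output_name(stored, fallback):
    """Use the stored name only if it is a bare file name; a separator or a
    '.'/'..' component could place the output outside the target directory."""
    if not stored:
        return fallback
    if "\x00" in stored or "/" in stored or "\\" in stored or stored in (".", ".."):
        raise ValueError("unsafe original filename %r" % stored)
    return stored

def bounded_gunzip(data: bytes, max_out: int) -> bytes:
    """Inflate one gzip member, refusing to emit more than max_out bytes and
    checking the CRC32/ISIZE trailer before returning."""
    _, pos = parse_gzip_header(data)
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate; header already consumed
    out, buf = bytearray(), data[pos:]
    while True:
        chunk = inflater.decompress(buf, 65536)  # max_length bounds memory per step
        out += chunk
        if len(out) > max_out:
            raise ValueError("decompressed size exceeds %d bytes" % max_out)
        if inflater.eof:
            break
        buf = inflater.unconsumed_tail
        if not chunk and not buf:
            raise ValueError("truncated gzip stream")
    if len(inflater.unused_data) < 8:
        raise ValueError("missing gzip trailer")
    crc, isize = struct.unpack("<II", inflater.unused_data[:8])
    if zlib.crc32(out) != crc or len(out) % (1 << 32) != isize:
        raise ValueError("gzip trailer mismatch")
    return bytes(out)

def make_gzip_member(payload: bytes, stored_name=None) -> bytes:
    """Constructed test fixture: a gzip member with an arbitrary FNAME field."""
    flags = FNAME if stored_name else 0
    header = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, flags, 0, 0, 255)
    if stored_name:
        header += stored_name.encode("latin-1") + b"\x00"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return header + body + trailer

if __name__ == "__main__":
    crafted = make_gzip_member(b"hello\n", "../../outside.txt")  # constructed sample
    try:
        safe_output_name(parse_gzip_header(crafted)[0], "member.out")
    except ValueError as err:
        print("rejected:", err)
    print(bounded_gunzip(make_gzip_member(b"hello\n", "notes.txt"), 1024))
```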


Update advisory content follows:


1.



_______________________________________________________________________

Mandriva Linux Update Advisory
_______________________________________________________________________

Package name: rpmdrake
Advisory ID: MDKA-2005:027
Date: May 18th, 2005

Affected versions: 10.2
______________________________________________________________________

Problem Description:

A bug in rpmdrake prevented it from showing the reason for an update
when it was invoked by the mdkonline applet. This update corrects
that problem.
______________________________________________________________________

Updated Packages:

_______________________________________________________________________

Bug IDs fixed (see http://qa.mandriva.com for more information):

15936 - No reason for update shown
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team




2.




_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: cdrdao
Advisory ID: MDKSA-2005:089
Date: May 18th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0
______________________________________________________________________

Problem Description:

The cdrdao package contains two vulnerabilities; the first allows local
users to read arbitrary files via the show-data command and the second
allows local users to overwrite arbitrary files via a symlink attack on
the ~/.cdrdao configuration file. This can also lead to elevated
privileges (a root shell) due to cdrdao being installed suid root.

The provided packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0138
______________________________________________________________________

Updated Packages:

_______________________________________________________________________






3.




_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: nasm
Advisory ID: MDKSA-2005:090
Date: May 18th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A buffer overflow in nasm was discovered by Josh Bressers. If an
attacker could trick a user into assembling a malicious source file,
they could use this vulnerability to execute arbitrary code with the
privileges of the user running nasm.

The provided packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1194
______________________________________________________________________

Updated Packages:

_______________________________________________________________________






4.




_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: bzip2
Advisory ID: MDKSA-2005:091
Date: May 18th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A race condition in the file permission restore code of bunzip2 was
discovered by Imran Ghory. While a user was decompressing a file, a
local attacker with write permissions to the directory containing the
compressed file could replace the target file with a hard link which
would cause bunzip2 to restore the file permissions of the original
file to the hard link target. This could be exploited to gain read or
write access to files of other users (CAN-2005-0953).

A vulnerability was found where specially crafted bzip2 archives would
cause an infinite loop in the decompressor, resulting in an
indefinitely large output file (also known as a "decompression
bomb"). This could be exploited to cause a Denial of Service attack
on the host computer due to disk space exhaustion (CAN-2005-1260).

The provided packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
______________________________________________________________________

Updated Packages:

_______________________________________________________________________






5.




_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: gzip
Advisory ID: MDKSA-2005:092
Date: May 18th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Several vulnerabilities have been discovered in the gzip package:

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which
allows local users to execute arbitrary commands via filenames that are
injected into a sed script. (CAN-2005-0758)

A race condition in gzip 1.2.4, 1.3.3, and earlier when decompressing a
gzip file allows local users to modify permissions of arbitrary files
via a hard link attack on a file while it is being decompressed, whose
permissions are changed by gzip after the decompression is complete.
(CAN-2005-0988)

A directory traversal vulnerability via "gunzip -N" in gzip 1.2.4
through 1.3.5 allows remote attackers to write to arbitrary directories
via a .. (dot dot) in the original filename within a compressed file.
(CAN-2005-1228)

Updated packages are patched to address these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
______________________________________________________________________

Updated Packages:

_______________________________________________________________________




