Yellow Dog Linux Security Advisory: YDU-20020522-4
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Wed, 22 May 2002 16:09:39 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: sharutils
Issue Date: May 22, 2002
Priority: medium
Advisory ID: YDU-20020522-4
1. Topic:
Updated sharutils packages are available.
2. Problem:
"The sharutils package contains a set of tools for encoding
and decoding packages of files in binary or text format.
The uudecode utility would create an output file without checking
to see if it was about to write to a symlink or a pipe. If a user
uses uudecode to extract data into open shared directories, such
as /tmp, this vulnerability could be used by a local attacker to
overwrite files or lead to privilege escalation.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0178 to this issue.
Users should update to these errata sharutils packages which contain a
version of uudecode that has been patched to check for an existing pipe or
symlink output file."
(from Red Hat advisory)
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command(s) will
automatically retrieve and install the fixed version of
this update onto your system:
yup update sharutils
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update. (Please use a mirror site)
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
rpm -Fvh sharutils-4.3.1-8.7.x.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
c1cda3c3a8fb73830c045434816854af ppc/sharutils-4.2.1-8.7.x.ppc.rpm
d0c554ff2711a6ad6e6c2f91bcc68be2 SRPMS/sharutils-4.2.1-8.7.x.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml