Yellow Dog Linux Security Advisory: YDU-20020522-4

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Wed, 22 May 2002 16:09:39 -0600 (MDT) 

Yellow Dog Linux Security Announcement
--------------------------------------

Package:	sharutils	
Issue Date: 	May 22, 2002	
Priority:	medium		
Advisory ID: 	YDU-20020522-4


1. 	Topic:

	Updated sharutils packages are available.


2. 	Problem:

	"The sharutils package contains a set of tools for encoding
	and decoding packages of files in binary or text format.

	The uudecode utility would create an output file without checking
	to see if it was about to write to a symlink or a pipe. If a user
	uses uudecode to extract data into open shared directories, such
	as /tmp, this vulnerability could be used by a local attacker to
	overwrite files or lead to privilege escalation.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0178 to this issue.

	Users should update to these errata sharutils packages which contain a
	version of uudecode that has been patched to check for an existing pipe or
	symlink output file."
	(from Red Hat advisory)


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

		yup update sharutils 

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
		rpm -Fvh sharutils-4.3.1-8.7.x.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
c1cda3c3a8fb73830c045434816854af  ppc/sharutils-4.2.1-8.7.x.ppc.rpm
d0c554ff2711a6ad6e6c2f91bcc68be2  SRPMS/sharutils-4.2.1-8.7.x.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml