Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000913-4
dburcaw@terraplex.com
Date: Mon Sep 25 2000 - 18:56:54 MDT
Yellow Dog Linux Security Announcement
--------------------------------------
Package: mgetty
Issue Date: September 13, 2000
Update Date: September 13, 2000
Priority: high
Advisory ID: YDU-20000913-4
1. Topic:
The mgetty-sendfax package contains a security vulnerability.
2. Problem:
"The faxrunq and faxrunqd commands supplied with the mgetty-sendfax package
use a file named /var/spool/fax/outgoing/.lastrun to keep track of the date
and time when the faxrunq command was last run. /var/tmp is a
world-writable directory, and no check is made to ensure that .lastrun is
not a symbolic link to another file. A malicious user can create a
symbolic link named /var/spool/fax/outgoing/.lastrun which points to any
file on a mounted filesystem, and that file's contents will be destroyed
the next time faxrunq is run." (from Red Hat's errata advisory)
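The failure mode in the problem statement above, shown as an added Python example that is not part of this advisory or of the mgetty sources. It contrasts a stamp-file write that follows a planted symbolic link with one that refuses it. The function names, the `important.conf` file and the scratch directory are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
import time


def write_stamp_unsafe(path):
    """Pattern the advisory describes: open() follows a symlink and truncates its target."""
    with open(path, "w") as f:
        f.write(time.ctime() + "\n")


def write_stamp_safe(path):
    """Update the stamp without ever writing through a symlink at `path`."""
    # O_NOFOLLOW: fail (ELOOP) if the last path component is a symlink.
    # O_NONBLOCK: do not hang if someone planted a FIFO instead.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(path, flags, 0o644)
    try:
        st = os.fstat(fd)
        # Refuse FIFOs, devices, and hard links to another file.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("refusing to write: not a private regular file")
        os.ftruncate(fd, 0)  # truncate only after the checks pass
        os.write(fd, (time.ctime() + "\n").encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a scratch directory: one (outcome, victim_intact) pair per writer."""
    results = []
    for writer in (write_stamp_unsafe, write_stamp_safe):
        with tempfile.TemporaryDirectory() as d:
            victim = os.path.join(d, "important.conf")  # constructed sample file
            stamp = os.path.join(d, ".lastrun")
            with open(victim, "w") as f:
                f.write("keep me\n")
            os.symlink(victim, stamp)  # link planted before the writer runs
            try:
                writer(stamp)
                outcome = "written"
            except OSError:
                outcome = "refused"
            with open(victim) as f:
                results.append((outcome, f.read() == "keep me\n"))
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the stamp file in a directory that only the owning user can write to removes the opportunity to plant the link at all; the open-time checks are a second layer.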
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following commands will
automatically retrieve and install the fixed version of
mgetty onto your system:

    yup update mgetty
    yup update mgetty-sendfax
    yup update mgetty-viewfax
    yup update mgetty-voice
b) Updating manually...
The update can also be retrieved manually from our ftp site,
listed below along with the rpm command that should be used to
install the update.

    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/

    mgetty-1.1.22-1.6.x.ppc.rpm
    mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
    mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
    mgetty-voice-1.1.22-1.6.x.ppc.rpm

    rpm -Fvh mgetty-*-1.1.22-1.6.x.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
83e4028473750ca75a46f3fb190f6315 SRPMS/mgetty-1.1.22-1.6.x.src.rpm
65e0d72a4881a9899339ecc9c0be0f66 RPMS/mgetty-1.1.22-1.6.x.ppc.rpm
716955dd40e6f54fd7867269554129c5 RPMS/mgetty-sendfax-1.1.22-1.6.x.ppc.rpm
b276dbf741fb5e00c12ec33de295573a RPMS/mgetty-viewfax-1.1.22-1.6.x.ppc.rpm
00b41bfbc5db9722a3305cfa78a2dce1 RPMS/mgetty-voice-1.1.22-1.6.x.ppc.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

    rpm --checksig --nogpg filename
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml