Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm

  

 
Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


security at caldera

Jul 30, 2002, 6:20 PM

Post #1 of 5 (222 views)
Permalink
Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm
To: bugtraq [at] securityfocus announce [at] lists security-alerts [at] linuxsecurity full-disclosure [at] lists

______________________________________________________________________________

Caldera International, Inc. Security Advisory

Subject: Linux: temporary file races in libmm
Advisory number: CSSA-2002-032.0
Issue date: 2002 July 30
Cross reference:
______________________________________________________________________________


1. Problem Description

The OSSP mm library (libmm) allows a local Apache user to gain
privileges via temporary files, possibly via a symbolic link.


2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server prior to apache-1.3.22-6.2.i386.rpm
prior to apache-devel-1.3.22-6.2.i386.rpm
prior to apache-doc-1.3.22-6.2.i386.rpm
prior to mm-1.1.3-6.i386.rpm
prior to mm-devel-1.1.3-6.i386.rpm
prior to mm-devel-static-1.1.3-6.i386.rpm

OpenLinux 3.1.1 Workstation prior to apache-1.3.22-6.2.i386.rpm
prior to apache-devel-1.3.22-6.2.i386.rpm
prior to apache-doc-1.3.22-6.2.i386.rpm
prior to mm-1.1.3-6.i386.rpm
prior to mm-devel-1.1.3-6.i386.rpm
prior to mm-devel-static-1.1.3-6.i386.rpm

OpenLinux 3.1 Server prior to apache-1.3.22-6.2.i386.rpm
prior to apache-devel-1.3.22-6.2.i386.rpm
prior to apache-doc-1.3.22-6.2.i386.rpm
prior to mm-1.1.3-6.i386.rpm
prior to mm-devel-1.1.3-6.i386.rpm
prior to mm-devel-static-1.1.3-6.i386.rpm

OpenLinux 3.1 Workstation prior to apache-1.3.22-6.2.i386.rpm
prior to apache-devel-1.3.22-6.2.i386.rpm
prior to apache-doc-1.3.22-6.2.i386.rpm
prior to mm-1.1.3-6.i386.rpm
prior to mm-devel-1.1.3-6.i386.rpm
prior to mm-devel-static-1.1.3-6.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-032.0/RPMS

4.2 Packages

288b4b7f04fd6f86c57a37600445fad2 apache-1.3.22-6.2.i386.rpm
0fb7cb950273fa4033c9b3e7ae0c866c apache-devel-1.3.22-6.2.i386.rpm
58b2239773abb64736cdae47e974f5bd apache-doc-1.3.22-6.2.i386.rpm
e90244e70b6637fd4a6e0b996790027e mm-1.1.3-6.i386.rpm
12beafe3a80add0b0d259f3862618888 mm-devel-1.1.3-6.i386.rpm
bbe13db9994ae59d6a9e02e82d767bb9 mm-devel-static-1.1.3-6.i386.rpm

4.3 Installation

rpm -Fvh apache-1.3.22-6.2.i386.rpm
rpm -Fvh apache-devel-1.3.22-6.2.i386.rpm
rpm -Fvh apache-doc-1.3.22-6.2.i386.rpm
rpm -Fvh mm-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-static-1.1.3-6.i386.rpm

4.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-032.0/SRPMS

4.5 Source Packages

3f1508fed9c5a7120e948d2f23fa5a07 apache-1.3.22-6.2.src.rpm
9437d47263c28b7efc3fa32fd0b7e2bf mm-1.1.3-6.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-032.0/RPMS

5.2 Packages

5d88563f7a3f648cd0ba177866b4c7f4 apache-1.3.22-6.2.i386.rpm
a91ea79523076fa7f71f008242455c74 apache-devel-1.3.22-6.2.i386.rpm
5ef1e68029253f18df3a86243f43b38e apache-doc-1.3.22-6.2.i386.rpm
a9380214993caaf1664390d6107a9d99 mm-1.1.3-6.i386.rpm
9dce92bf81c56f29222e7f686f156463 mm-devel-1.1.3-6.i386.rpm
4f36db29f5eb08fec4a9ee5074e6731a mm-devel-static-1.1.3-6.i386.rpm

5.3 Installation

rpm -Fvh apache-1.3.22-6.2.i386.rpm
rpm -Fvh apache-devel-1.3.22-6.2.i386.rpm
rpm -Fvh apache-doc-1.3.22-6.2.i386.rpm
rpm -Fvh mm-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-static-1.1.3-6.i386.rpm

5.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-032.0/SRPMS

5.5 Source Packages

b9ccef42f9e9878381532b4959f52f2a apache-1.3.22-6.2.src.rpm
bd8d1a94fa5ca11a87a64580d9e82bcc mm-1.1.3-6.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-032.0/RPMS

6.2 Packages

a93ed3ebd0aa817d400160468c3fe3a1 apache-1.3.22-6.2.i386.rpm
58d3e98367b84159223bac4b69b1bdd6 apache-devel-1.3.22-6.2.i386.rpm
ec2c93fa309fe29a90f593da3db71af8 apache-doc-1.3.22-6.2.i386.rpm
3391fb0b8505b0ec0c3c8f3370508fc9 mm-1.1.3-6.i386.rpm
c72a0338d81452ab4932b6c1de82f0cc mm-devel-1.1.3-6.i386.rpm
4471799937497c53c5d4ccde411a64fe mm-devel-static-1.1.3-6.i386.rpm

6.3 Installation

rpm -Fvh apache-1.3.22-6.2.i386.rpm
rpm -Fvh apache-devel-1.3.22-6.2.i386.rpm
rpm -Fvh apache-doc-1.3.22-6.2.i386.rpm
rpm -Fvh mm-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-static-1.1.3-6.i386.rpm

6.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-032.0/SRPMS

6.5 Source Packages

4895bc8f8bf5567a467332a7ff129492 apache-1.3.22-6.2.src.rpm
4a0cd7bdf6a7d6ebe769a96e0e25a83c mm-1.1.3-6.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-032.0/RPMS

7.2 Packages

ab902357aade4b77427442c6cef70510 apache-1.3.22-6.2.i386.rpm
8bf8a482b851db023e8a8942e25321e7 apache-devel-1.3.22-6.2.i386.rpm
114f59b93d19be1cdb95087f8a17d9ce apache-doc-1.3.22-6.2.i386.rpm
c060a276958dd1b376b93512d0522fdf mm-1.1.3-6.i386.rpm
7e878f082b49816f76c1e7949128c85b mm-devel-1.1.3-6.i386.rpm
665f6d290d6df6594077df97df4d892f mm-devel-static-1.1.3-6.i386.rpm

7.3 Installation

rpm -Fvh apache-1.3.22-6.2.i386.rpm
rpm -Fvh apache-devel-1.3.22-6.2.i386.rpm
rpm -Fvh apache-doc-1.3.22-6.2.i386.rpm
rpm -Fvh mm-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-1.1.3-6.i386.rpm
rpm -Fvh mm-devel-static-1.1.3-6.i386.rpm

7.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-032.0/SRPMS

7.5 Source Packages

b0ae3b8ddbd4d09f7fb312cf14a1db8c apache-1.3.22-6.2.src.rpm
94367d892d24215d3e1b6581c1b4e8d3 mm-1.1.3-6.src.rpm


8. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
http://www.ossp.org/pkg/lib/mm/

Caldera security resources:
http://www.caldera.com/support/security/index.html

This security fix closes Caldera incidents sr867252, fz525663,
erg501638.


9. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.


10. Acknowledgements

Sebastian Krahmer and Marcus Meissner discovered and
researched this vulnerability.

______________________________________________________________________________


fd at rshell

Jul 31, 2002, 4:59 AM

Post #2 of 5 (216 views)
Permalink
Re: Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm [In reply to]
On Tue, Jul 30, 2002 at 06:20:54PM -0700, security [at] caldera wrote:
> To: bugtraq [at] securityfocus announce [at] lists security-alerts [at] linuxsecurity full-disclosure [at] lists

Isn't this list moderated?

Why do all vendors suddenly want to spam us with tons of *useless*
advisories, that we get anyhow?

didn't the post on bugtraq say that the new mailing list has been build
because securityfocus has gone commercial?


johnc at grok

Jul 31, 2002, 5:24 AM

Post #3 of 5 (217 views)
Permalink
Re: Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm [In reply to]
On Wed, Jul 31, 2002 at 02:59:57PM +0300, Guy Cohen wrote:
> Isn't this list moderated?

No, but it is a closed list. We allow posts from non-members based on
their merit and relevance.

> Why do all vendors suddenly want to spam us with tons of *useless*
> advisories, that we get anyhow?

We believe that the vendor notifications are useful information. To
provide a viable alternative to other more commercial lists, we need to
extend our reach to as wide a range of people as possible. I have been
campaigning for vendors to submit content to us for this reason.

> didn't the post on bugtraq say that the new mailing list has been build
> because securityfocus has gone commercial?

Yes. I fail to see the commercialism in allowing vendors to post their
advisories. We're not making anything from it, and I doubt they are either.

Our original statement was questioning whether a commercial entity could
operate a mailing list such as this and remain unbiased, and more
importantly, not profit from the information (and early access to it)
themselves.

All of the above are well-documented in the (draft) list charter, available
at http://lists.netsys.com/full-disclosure-charter.html

- John


asd at suespammers

Jul 31, 2002, 5:44 AM

Post #4 of 5 (217 views)
Permalink
Re: Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm [In reply to]
On Wednesday, July 31, 2002, at 07:59 , Guy Cohen wrote:

> On Tue, Jul 30, 2002 at 06:20:54PM -0700, security [at] caldera wrote:
>> To: bugtraq [at] securityfocus announce [at] lists
>> security-alerts [at] linuxsecurity full-
>> disclosure [at] lists
>
> Isn't this list moderated?

I don't think so. Especially considering how quick your message
went through the list reflector. And especially with the
statement from the list home page: "We will try to operate this
list without moderation, as we feel moderation is an impediment
to communication."

>
> Why do all vendors suddenly want to spam us with tons of *useless*
> advisories,

Well, if you were running Caldera it wouldn't be that useless.
Or if you didn't already read the message on bugtraq/caldera's
announce list/etc.

And, of course, according to the list home page, the message is
on topic:
"This list is dedicated to full disclosure of any and all security
issues. Please feel free to discuss anything related to security."


Nigel.Metheringham at dev

Jul 31, 2002, 6:27 AM

Post #5 of 5 (217 views)
Permalink
Re: Security Update: [CSSA-2002-032.0] Linux: temporary file races in libmm [In reply to]
On Wed, 2002-07-31 at 13:24, John Cartwright wrote:
> We believe that the vendor notifications are useful information. To
> provide a viable alternative to other more commercial lists, we need to
> extend our reach to as wide a range of people as possible. I have been
> campaigning for vendors to submit content to us for this reason.

Personally I'd prefer the vendor notifications to be put on a parallel
list, because
1. A flurry of 100s of one-man-and-their-dog Linux distributions
announcing a security update obscures the real discussion
(especially as each announcement is in its own thread).
2. I already get (multiple) copies of this stuff. Save the
electrons, give me a chance to not duplicate to that extent.

[.Damn, we're back to list meta discussions - this is the most
introspective list I have ever been on :-) ]

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham [at] InTechnology ]
[. - Comments in this message are my own and not ITO opinion/policy - ]

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.