SecurityTracker.com
Category:   Application (Generic)  >   Ispell
Vendors:   Red Hat
(Immunix Issues a Fix) Re: ispell Spell Checker Package Allows Local Users to Overwrite Files on the System
SecurityTracker Alert ID:  1001810
SecurityTracker URL:  http://securitytracker.com/id/1001810
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 22 2001
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Red Hat reports that ispell contains a vulnerability that allows local users to carry out symbolic link attacks and overwrite files on the host.

It is reported that ispell creates its temporary files with mktemp(3). That function only generates a file name and checks that nothing exists there yet; it does not create the file, which ispell opens in a separate step. A local user who can guess the name and places a symbolic link there in between wins the race, and ispell's write is redirected to the link's target.

The vendor has released a new version that uses mkstemp(3), which generates the name and creates the file in one exclusive (O_CREAT|O_EXCL) open, so an existing symbolic link is refused rather than followed. The same patch replaces gets(3) with fgets(3) in two places that read user input, closing possible buffer overflows. The patches for ispell are from OpenBSD.

Impact:   A local user can cause ispell to overwrite files owned by the user running it; the exposure is to other users, root included, who run ispell while a malicious link is in place. It was not reported whether the attacker can control the exact contents written.
Solution:   Immunix has released a fix. See the Source Message below for the Immunix advisory, package locations and checksums.
Vendor URL:  www.redhat.com/
Cause:   Access control error
Underlying OS:   Linux (Immunix)
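The two replacements the fix makes (mkstemp(3) for mktemp(3), fgets(3) for gets(3)), shown beside the vulnerable shapes they replace, as an added example; this is not ispell's, OpenBSD's or Immunix's code. The scratch directory under /tmp, the victim file, the temp-name template and the in-process "attacker" step are constructed for the demonstration. In a real attack the symlink is planted by another local user between ispell's choice of name and its open; here the same process plants it so the race window is deterministic.

```c
/* Added example, not code from ispell, OpenBSD or Immunix: the temp-file and
 * input-reading patterns the advisory contrasts. Scratch dir, victim file and
 * the "attacker" step are constructed and run in one process (POSIX needed). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { PLEN = 256 };
static const char ORIG[] = "original contents\n";

/* Scratch dir plus the victim file an attacker wants overwritten. */
static int setup(char *dir, char *victim) {
    snprintf(dir, PLEN, "/tmp/ispell-demo.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, PLEN, "%s/victim", dir);
    FILE *f = fopen(victim, "w");
    return (f && fputs(ORIG, f) != EOF) ? fclose(f) : -1;
}

/* 1 if victim lost its original text, 0 if intact, -1 on error; cleans up. */
static int victim_clobbered(const char *dir, const char *victim, const char *tmp) {
    char buf[64] = {0};
    FILE *f = fopen(victim, "r");
    if (!f) return -1;
    if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
    fclose(f); unlink(tmp); unlink(victim); rmdir(dir);
    return strcmp(buf, ORIG) != 0;
}

/* Vulnerable shape (what the advisory describes): mktemp(3) only picks a name and
 * the open is a separate O_CREAT|O_TRUNC step (what fopen(name, "w") does), so a
 * symlink planted in between is followed. Returns 1 when the victim was overwritten. */
int demo_mktemp_race(void) {
    char dir[PLEN], victim[PLEN], tmp[PLEN];
    if (setup(dir, victim) != 0) return -1;
    snprintf(tmp, PLEN, "%s/ispell.XXXXXX", dir);
    if (mktemp(tmp) == NULL || tmp[0] == '\0') return -1;   /* ispell: pick a name */
    if (symlink(victim, tmp) != 0) return -1;              /* attacker wins the race */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* ispell: follows link */
    if (fd < 0 || write(fd, "ispell output\n", 14) != 14) return -1;
    close(fd);
    return victim_clobbered(dir, victim, tmp);
}

/* Fixed shape: mkstemp(3) picks the name and opens it with O_CREAT|O_EXCL in one
 * call, leaving no window. The same O_EXCL open is then tried against a planted
 * symlink: it fails with EEXIST instead of following the link. Returns 0 if the
 * victim survived and the exclusive open was refused, 1 if overwritten, 2 otherwise. */
int demo_mkstemp_fix(void) {
    char dir[PLEN], victim[PLEN], tmp[PLEN], guess[PLEN];
    if (setup(dir, victim) != 0) return -1;
    snprintf(tmp, PLEN, "%s/ispell.XXXXXX", dir);
    int fd = mkstemp(tmp);                                  /* atomic create + open */
    if (fd < 0 || write(fd, "ispell output\n", 14) != 14) return -1;
    close(fd);
    snprintf(guess, PLEN, "%s/ispell.guess", dir);          /* attacker's planted link */
    if (symlink(victim, guess) != 0) return -1;
    int fd2 = open(guess, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);
    unlink(guess);
    int r = victim_clobbered(dir, victim, tmp);
    return r != 0 ? r : (refused ? 0 : 2);
}

/* Bounded replacement for gets(3): stores at most n-1 bytes, strips the
 * newline and reports truncation (the rest stays in the stream) instead of
 * writing past buf. Returns 1 when a line was read, 0 at EOF. */
int read_line(FILE *fp, char *buf, size_t n, int *truncated) {
    *truncated = 0;
    if (fgets(buf, (int)n, fp) == NULL) return 0;
    size_t len = strlen(buf); int c;
    if (len > 0 && buf[len - 1] == '\n') buf[len - 1] = '\0';
    else if ((c = getc(fp)) != EOF) { *truncated = 1; ungetc(c, fp); }
    return 1;
}

/* Feeds a constructed over-long line through read_line with an 8-byte buffer.
 * Returns the bytes stored when truncation was reported, -1 otherwise. */
int demo_fgets_bound(void) {
    const char *line = "this line is far longer than eight bytes\n";
    char buf[8]; int truncated = 0;
    FILE *fp = fmemopen((void *)line, strlen(line), "r");
    if (!fp) return -1;
    int got = read_line(fp, buf, sizeof buf, &truncated);
    fclose(fp);
    return (got && truncated) ? (int)strlen(buf) : -1;
}

int main(void) {
    printf("mktemp+open overwrote victim: %d\n", demo_mktemp_race());
    printf("mkstemp/O_EXCL result (0 = safe): %d\n", demo_mkstemp_fix());
    printf("fgets kept %d bytes of an over-long line\n", demo_fgets_bound());
    return 0;
}
```

Compile with cc -o demo demo.c and run it; the linker's warning that mktemp is dangerous is the point of the first case. The second case shows why the fix is more than a better name: O_CREAT|O_EXCL fails with EEXIST on any existing path, symlink included, so even a correctly guessed name cannot be redirected. The fgets case keeps the over-long line from writing past the 8-byte buffer and tells the caller that input remains to be drained, which gets(3) could never do.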

Message History:   This archive entry is a follow-up to the message listed below.
Jun 6 2001 ispell Spell Checker Package Allows Local Users to Overwrite Files on the System



 Source Message Contents

Date:  Thu, 21 Jun 2001 14:09:51 -0700
Subject:  [Immunix-announce] ispell update -- Immunix OS 6.2



-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	ispell
Affected products:	Immunix OS 6.2
Bugs fixed:		immunix/1616
Date:			Thu Jun 21 2001
Advisory ID:		IMNX-2001-62-004-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  Jarno Huuskonen has found an unsafe use of mktemp(3) in ispell that
  would make ispell vulnerable to symlink attacks. This patch, from
  OpenBSD, fixes this problem as well as changing some uses of gets(3)
  to fgets(3), fixing possible buffer overflows.

  The symlink attacks would grant an attacker the ability to overwrite
  files owned by the user executing ispell.

  StackGuard would prevent any buffer overflow attacks from executing
  code, though ispell would be killed in the event of such an attack.

References:
  http://www.securityfocus.com/archive/1/188848

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-catalan-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-czech-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-danish-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-dicts-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-dutch-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-esperanto-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-french-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-german-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-greek-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-italian-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-norwegian-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-polish-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-portuguese-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-russian-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-spanish-3.1.20-27_StackGuard.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/ispell-swedish-3.1.20-27_StackGuard.i386.rpm

  Source packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/ispell-3.1.20-27_StackGuard.src.rpm

Immunix OS 6.2 md5sums:
  3d7dd8382ae5ac0df05a08b6b8f25072  RPMS/ispell-3.1.20-27_StackGuard.i386.rpm
  989ed5759829e5e3622aaada7899bf24  RPMS/ispell-catalan-3.1.20-27_StackGuard.i386.rpm
  51c7dc873c32e2ae981fd09c546c63fd  RPMS/ispell-czech-3.1.20-27_StackGuard.i386.rpm
  1b16c14b78d611a930b21016c1c20f84  RPMS/ispell-danish-3.1.20-27_StackGuard.i386.rpm
  9fc5f6242c7820fe1f8058621684004e  RPMS/ispell-dicts-3.1.20-27_StackGuard.i386.rpm
  532e8991b26f19e61ba78ebc1847b952  RPMS/ispell-dutch-3.1.20-27_StackGuard.i386.rpm
  c6e31c4f14e302513d776a796fba569f  RPMS/ispell-esperanto-3.1.20-27_StackGuard.i386.rpm
  a425269fe3d4c29035ac8f8fd854b4f8  RPMS/ispell-french-3.1.20-27_StackGuard.i386.rpm
  1f444d6124f1b9a85e618ab6887d3a43  RPMS/ispell-german-3.1.20-27_StackGuard.i386.rpm
  d644511358d0759e553fedf581abcc90  RPMS/ispell-greek-3.1.20-27_StackGuard.i386.rpm
  d389aaa99053cb244f6324f8355cd332  RPMS/ispell-italian-3.1.20-27_StackGuard.i386.rpm
  f917a32cf5a0decb0741f49c762e25ee  RPMS/ispell-norwegian-3.1.20-27_StackGuard.i386.rpm
  9f1bb17154a0bfb227dfe2e399d33795  RPMS/ispell-polish-3.1.20-27_StackGuard.i386.rpm
  af533b2ea13573bd282903d688c042a9  RPMS/ispell-portuguese-3.1.20-27_StackGuard.i386.rpm
  95bd7463ade2d6fd0ef5fbeb987dcd10  RPMS/ispell-russian-3.1.20-27_StackGuard.i386.rpm
  7c79611673969d4e237a8a82192a7846  RPMS/ispell-spanish-3.1.20-27_StackGuard.i386.rpm
  1d15e518ba871db16a1d789121087139  RPMS/ispell-swedish-3.1.20-27_StackGuard.i386.rpm
  8102deef0b0a873227e78ee9ead5e617  SRPMS/ispell-3.1.20-27_StackGuard.src.rpm

GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjsyYp4ACgkQVQcWL60UVMs3YACfQj69OvWnHbaGfNjxI7kj/79T
EbsAoJI+qh+Ju0MVVELkRHAly1LyGzZ3
=BCUv
-----END PGP SIGNATURE-----


_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce


Copyright 2012, SecurityGlobal.net LLC