Date: 13 January 2005
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0028 -- Debian Security Advisory DSA 636-1
New libc6 packages fix insecure temporary files
13 January 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: glibc
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
Impact: Overwrite Arbitrary Files
Access: Existing Account
CVE Names: CAN-2004-0968
Original Bulletin: http://www.debian.org/security/2005/dsa-636
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 636-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 12th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : glibc
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0968
BugTraq ID : 11286
Debian Bug : 279680 278278 205600
Several insecure uses of temporary files have been discovered in
support scripts in the libc6 package which provices the c library for
a GNU/Linux system. Trustix developers found that the catchsegv
script uses temporary files insecurely. Openwall developers
discovered insecure temporary files in the glibcbug script. These
scripts are vulnerable to a symlink attack.
For the stable distribution (woody) these problems have been fixed in
version 2.2.5-11.8.
For the unstable distribution (sid) these problems have been fixed in
version 2.3.2.ds1-20.
We recommend that you upgrade your libc6 package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/glibc/glibc_2.2.5-11.8.dsc
Size/MD5 checksum: 1458 bc2b80a7f76bbf4243fa86f5245f5a50
http://security.debian.org/pool/updates/main/g/glibc/glibc_2.2.5-11.8.diff.gz
Size/MD5 checksum: 399970 4e1576598f13f2a628b3eef2c9bcdc48
http://security.debian.org/pool/updates/main/g/glibc/glibc_2.2.5.orig.tar.gz
Size/MD5 checksum: 11370961 bf5653fdff22ee350bd7d48047cffab9
Architecture independent components:
http://security.debian.org/pool/updates/main/g/glibc/glibc-doc_2.2.5-11.8_all.deb
Size/MD5 checksum: 2699182 c7a50fe321349d3593a8aa14a1a2c86a
http://security.debian.org/pool/updates/main/g/glibc/locales_2.2.5-11.8_all.deb
Size/MD5 checksum: 3387990 8aaa9b854416e5a6e9b1a65b1bf7ea62
Alpha architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6.1_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 4557986 2a37871e21fdb5a514d09110814d43b5
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-dbg_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 1351232 def6755e17e3bc9384f9fa2c0d568b55
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-dev_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 2981066 41abb2fe30295e762110e4e065c9e188
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-pic_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 1321546 f41b8bce8503579888203ac22c866344
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-prof_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 1538778 526584f3262d17309a68b1c8f8888ae6
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_alpha.deb
Size/MD5 checksum: 69866 b7135768c78ffff5f453a3027e811d8b
ARM architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_arm.deb
Size/MD5 checksum: 3686218 05ab21bcfd365fd6e56f6745eb0005fd
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_arm.deb
Size/MD5 checksum: 2767406 c5d453caa9030ebf82023e3ded3ff844
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_arm.deb
Size/MD5 checksum: 2863418 4bf8522f010cc826fd494e8deac0a504
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_arm.deb
Size/MD5 checksum: 1182298 6197804eeb01e05a195b4360115cb19d
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_arm.deb
Size/MD5 checksum: 1282776 557442af8531a7dccf5ed38865edfac1
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_arm.deb
Size/MD5 checksum: 59674 c191744f43225bc100f127267dbbd38b
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_i386.deb
Size/MD5 checksum: 3383144 143978addc25816d4da0e850549a17fb
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_i386.deb
Size/MD5 checksum: 2433964 efb2d99d347c2bd1f7a0904c1df18201
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_i386.deb
Size/MD5 checksum: 2390882 78374bee4d59301db2ef508c44517260
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_i386.deb
Size/MD5 checksum: 841904 509a1fb214b2880222014ed345ae0b5b
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_i386.deb
Size/MD5 checksum: 936090 6580c4efcd07515f68cc557a5daeb595
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_i386.deb
Size/MD5 checksum: 59370 07ce697d3001a44f9f69bd821cb4cd4a
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6.1_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 4438400 92d599315311e05a48512c09a392aa0e
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-dbg_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 8369602 901aa7a7845578ae6c85ccced230924b
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-dev_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 3546980 2508ffbed6680d16324fc2948b08e73a
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-pic_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 1366172 7cc362b3711521d6f5d1b197f7a8b045
http://security.debian.org/pool/updates/main/g/glibc/libc6.1-prof_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 1638402 f5294fe899e09f7fecbef931110d8d50
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_ia64.deb
Size/MD5 checksum: 69942 a79f9355cd77c4eaadbca7662f618c6a
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 4171374 01206d5d4970e85ba0f3ced021f0be87
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 3060876 3005ba0066bde9cb5b8a4acf322e236a
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 2897412 30a3ee4e876c8e5fbd8f8337c95876c1
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 1280802 460366989b573c75bf6a87ad0ff12271
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 1445874 15abac5f1a0ba739fe92a866b9f05e9c
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_hppa.deb
Size/MD5 checksum: 62782 180e79bd7cad42a5bfc8dfc1ff898fdc
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 3506132 6944762f2008e8455f6116d01e00712f
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 2430672 eb8ed07f4979afa684fc0c13e0aa1608
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 2284400 5c51d36868f57600a481e53259733d69
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 731902 187dddf8ea4bc4404ad1a62b276c8b24
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 839298 e97e9b57d6fd2dea774ae33739a5486e
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_m68k.deb
Size/MD5 checksum: 58264 75601dccba26cb706ed8caa53ea25a7e
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_mips.deb
Size/MD5 checksum: 3864828 c9a688e83c24c9098b50602b63e777c4
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_mips.deb
Size/MD5 checksum: 3846450 4d9aa1133ea550814b553f19ccace4e8
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_mips.deb
Size/MD5 checksum: 3020726 08425a684bd8b8b363351c099fcec37f
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_mips.deb
Size/MD5 checksum: 1204310 38a52a2e0807bb3400f4d0109cb59609
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_mips.deb
Size/MD5 checksum: 1358842 5de4e0fea3ca4d405bf3f718a54a87f4
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_mips.deb
Size/MD5 checksum: 61308 50ff02f524d05c3cbb5ba261feedad93
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 3732104 7c6bca23f53680184c58b5242e849243
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 3753524 d54f0987fd3f4c498ca1b3c68967046f
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 2990830 4b535ca534ebf3f4ab72fd22ae217257
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 1198340 7a25bfbf8be5a06fe49ab1c60e3e1aa3
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 1353312 fb493b6a38d0c1c3c3d8ba4ac6445d8c
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_mipsel.deb
Size/MD5 checksum: 61278 be5ad77f538097518a61bacfdb43f6f1
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 3980286 2e30f4f5b255e02cb1c3ccd5b903ee5c
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 2870050 ae157ed4b6887b1cbe7c8e96031cdc50
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 2821732 28fefa99550df3ea8669fef5d673ac87
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 1148836 31be5ee73ab206a6b1478b1774b3c1bc
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 1343770 4c7ad144576df8cf7ec0600dc3db1b7a
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_powerpc.deb
Size/MD5 checksum: 60310 b8231054deac769a91262010fd20ec8c
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_s390.deb
Size/MD5 checksum: 3937552 0a06a0800512d0c8c498dc73407e74d5
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_s390.deb
Size/MD5 checksum: 1229312 11ef3b4b76a1d11e08b61313e2eb5ace
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_s390.deb
Size/MD5 checksum: 2624946 a7dd12533f70a9b84e7dc4d5f6ce6004
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_s390.deb
Size/MD5 checksum: 1108534 881dc7501c54073766949a47f8060e15
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_s390.deb
Size/MD5 checksum: 1187536 e504a04c00f655373e573f55a82e12d7
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_s390.deb
Size/MD5 checksum: 61312 06d072845af84ffb1487e0eb75c5bfab
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/glibc/libc6_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 3863658 bc662d54a4174a3de369d3defeec2e4d
http://security.debian.org/pool/updates/main/g/glibc/libc6-dbg_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 2816612 ec8f0d6d5e23e27446eaf43d840098a5
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 2764334 f35d4dce282125476a800a0f79017a55
http://security.debian.org/pool/updates/main/g/glibc/libc6-dev-sparc64_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 1631776 798a588c7f300c0025d4b3b298d616b5
http://security.debian.org/pool/updates/main/g/glibc/libc6-pic_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 1146738 a681d60dc0a75f0d30a1a274842a86b1
http://security.debian.org/pool/updates/main/g/glibc/libc6-prof_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 1258388 551ef7b7b149e288c90e53fec19073e5
http://security.debian.org/pool/updates/main/g/glibc/libc6-sparc64_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 4184798 9d62c1f3dfc942e8c41e4e3954dc712d
http://security.debian.org/pool/updates/main/g/glibc/nscd_2.2.5-11.8_sparc.deb
Size/MD5 checksum: 60220 0067b2de58cfd2663380220a489706c0
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB5TN6W5ql+IAeqTIRAv+gAJ9wIt390sMEDVourQbGRh02Pmi5gQCfdx5g
FDQWPYEtQ/L0GidjvQq3XWM=
=nraA
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQeXJvih9+71yA2DNAQIYOgP/aRnlTydiN0Vguu4DALx/YBi0XbHjeqNk
8mBb/uAKfWtQwfoMaUp01WZpuNYENpQdXxtECLC+iprOiOC/BWNb+FZLzjbjalBj
PhoG+kNkqVaEMEoe6dy10bB9qUhAGYl56mNH8Q2v6gGj+YLkcvMgrSOXhc/SzAZu
BcxZjFVvFSQ=
=gDBH
-----END PGP SIGNATURE-----
|