Bugtraq mailing list archives
Re: SECURITY: groff, rhs-printfilters, tetex, metamail fixes
From: saw () MSU RU (Savochkin Andrey Vladimirovich)
Date: Sat, 25 Oct 1997 11:52:32 +0400
Gentlemen! Red Hat just announced security fixes in several packages.
Numerous security holes have recently been fixed. Only one of these is at all serious, most are minor problems with possible /tmp exploits. These fixes apply to all users of Red Hat 4.x releases. Similar fixes for the Thunderbird and Mustang beta glibc releases will show up in the devel tree on ftp.redhat.com overnight.

Note that many of these fixes now require the mktemp package, which is also available as an update for Red Hat 4.2.

Erik

i386
- ----
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/metamail-2.7-7.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/mktemp-0.9-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/tetex-dvips-0.4pl8-5.1.i386.rpm
[...]

Ugly temporary file creation allowing any user in the system to trash any file of other users of the system are surely only "minor" problems. It doesn't matter. Now this kind of problem was fixed for metamail and tetex and it's VERY COOL. You can look for yourself at what is changed in these packages. If you find lines like

    mkdir /tmp/decode.$$
    cd /tmp/decode.$$

in /usr/bin/sun-message.csh don't trust your eyes: the problem was declared to be fixed!
[Hint to Erik: compare the set of patches declared in the head of your spec file and the set of really applied ones :-> ]

BTW: Do you consider ugly temporary file creation dangerous only in dvi-to-ps.fpi or in other scripts too? Run grep ^TEMPDIR /usr/bin/MakeTeX{PK,TFM,MF}.

Best regards,
Andrey V. Savochkin
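An added illustration, not part of the original message or of the Red Hat packages: a shell audit for the PID-based /tmp naming the post points to, next to a replacement built on mktemp, the package the announcement says the fixes now require. The function names and the two sample scripts are constructed for this example.

```shell
#!/bin/sh
# Added example. Function names and sample files are hypothetical.

# Replacement for "mkdir /tmp/decode.$$; cd /tmp/decode.$$".
# mktemp -d chooses an unpredictable name, creates the directory atomically
# with mode 0700, and fails rather than reusing an existing directory or
# symlink. The caller must check the exit status before using the path.
make_private_workdir() {
    prefix=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/${prefix}.XXXXXXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Audit helper: print file:line:text for every line that builds a path
# under /tmp ending in the shell PID ($$), which other local users can
# predict and create first. /dev/null forces grep to print file names.
find_pid_tempnames() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$@" /dev/null
}

# Constructed sample: the two lines quoted in the post, and a variant
# that uses mktemp instead. Only the first file should be reported.
demo() {
    work=$(make_private_workdir demo) || return 1
    printf 'mkdir /tmp/decode.$$\ncd /tmp/decode.$$\n' > "$work/old.csh"
    printf 'set d=`mktemp -d /tmp/decode.XXXXXX` || exit 1\ncd $d\n' \
        > "$work/new.csh"
    find_pid_tempnames "$work/old.csh" "$work/new.csh"
    rm -rf "$work"
}

demo
```

find_pid_tempnames can be pointed at installed scripts, for example the files under /usr/bin that the message names, to list remaining occurrences after an update.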