Full Disclosure mailing list archives

Security Update: [CSSA-2002-045.0] Linux: python insecure temporary files in os._execvpe


From: security () caldera com
Date: Thu, 14 Nov 2002 14:22:51 -0800

To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com, full-disclosure () lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: python insecure temporary files in os._execvpe 
Advisory number:        CSSA-2002-045.0
Issue date:             2002 November 14
Cross reference:
______________________________________________________________________________


1. Problem Description

        os._execvpe from os.py in Python creates temporary files with
        predictable names, which could allow local users to execute
        arbitrary code via a symlink attack.
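        As an added illustration that is not part of this advisory or of the Python source it refers to: the predictable-name pattern the description points at, beside an exclusive-create hardening and a post-create check that refuses a symlink. The prefix, scratch directory and planted link are constructed for the example; the original os.py code is not reproduced.

```python
import os
import stat
import tempfile

def predictable_tmp_path(tmpdir, prefix="pyexec"):
    # The weak pattern: a name anyone on the host can compute in advance
    # (directory + fixed prefix + PID), so a local user can pre-place a
    # symlink there.  A plain open() on such a path follows that link.
    return os.path.join(tmpdir, "%s%d" % (prefix, os.getpid()))

def open_exclusive(path, data):
    """Hardened create: O_CREAT|O_EXCL fails with EEXIST if anything (a symlink
    included) already exists at path; O_NOFOLLOW never follows a link; mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def open_mkstemp(tmpdir, data):
    """Preferred: tempfile.mkstemp picks an unguessable name with the same flags."""
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix="pyexec")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def is_private_regular_file(path):
    """lstat (no link following) must show a regular file, ours, mode 0600."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o600)

def demo():
    """Constructed scenario in a scratch directory: a symlink is planted at the
    predictable name.  Returns (check_rejects_link, exclusive_refused, mkstemp_ok)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")   # stand-in for the link's destination
        open(target, "w").close()
        planted = predictable_tmp_path(d)
        os.symlink(target, planted)
        check_rejects_link = not is_private_regular_file(planted)
        try:
            open_exclusive(planted, "x")
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True
        mkstemp_ok = is_private_regular_file(open_mkstemp(d, "ok"))
        return check_rejects_link, exclusive_refused, mkstemp_ok
```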


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to python-1.5.2-23.i386.rpm
                                        prior to python-devel-1.5.2-23.i386.rpm
                                        prior to python-docs-1.5.2-23.i386.rpm
                                        prior to python-tools-1.5.2-23.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to python-1.5.2-23.i386.rpm
                                        prior to python-devel-1.5.2-23.i386.rpm
                                        prior to python-docs-1.5.2-23.i386.rpm
                                        prior to python-tools-1.5.2-23.i386.rpm

        OpenLinux 3.1 Server            prior to python-1.5.2-23.i386.rpm
                                        prior to python-devel-1.5.2-23.i386.rpm
                                        prior to python-docs-1.5.2-23.i386.rpm
                                        prior to python-tools-1.5.2-23.i386.rpm

        OpenLinux 3.1 Workstation       prior to python-1.5.2-23.i386.rpm
                                        prior to python-devel-1.5.2-23.i386.rpm
                                        prior to python-docs-1.5.2-23.i386.rpm
                                        prior to python-tools-1.5.2-23.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/RPMS

        4.2 Packages

        d02a87d515a2e0295b61a70e21d85d67        python-1.5.2-23.i386.rpm
        f026986740ce3b24aa75a6ef6d6f813d        python-devel-1.5.2-23.i386.rpm
        a4d8a3a8a6011f4d87d1a3c3e75150d1        python-docs-1.5.2-23.i386.rpm
        6283c3abfb5a339d6f3c8e1b2b0304fc        python-tools-1.5.2-23.i386.rpm

        4.3 Installation

        rpm -Fvh python-1.5.2-23.i386.rpm
        rpm -Fvh python-devel-1.5.2-23.i386.rpm
        rpm -Fvh python-docs-1.5.2-23.i386.rpm
        rpm -Fvh python-tools-1.5.2-23.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/SRPMS

        4.5 Source Packages

        3041180ed79446f6a8cd8cfedff00c26        python-1.5.2-23.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/RPMS

        5.2 Packages

        6d2e343894471d4a93526a50e58af0a0        python-1.5.2-23.i386.rpm
        b6deb353e9a98e9b0e340e8b477a824a        python-devel-1.5.2-23.i386.rpm
        7add35e7aef1386039852737a86ddbee        python-docs-1.5.2-23.i386.rpm
        6171e897385c76edf00c0e02f08347cf        python-tools-1.5.2-23.i386.rpm

        5.3 Installation

        rpm -Fvh python-1.5.2-23.i386.rpm
        rpm -Fvh python-devel-1.5.2-23.i386.rpm
        rpm -Fvh python-docs-1.5.2-23.i386.rpm
        rpm -Fvh python-tools-1.5.2-23.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/SRPMS

        5.5 Source Packages

        0ab0a2c193ec4031d706648ab2b3b9d1        python-1.5.2-23.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-045.0/RPMS

        6.2 Packages

        d294fd2d394f464e21866a08e0023b08        python-1.5.2-23.i386.rpm
        4c17a3b0bc297dd2efe5cd1857894ac7        python-devel-1.5.2-23.i386.rpm
        ed4acb8309c022ed86ca6f70d6a76977        python-docs-1.5.2-23.i386.rpm
        3fc021186ac2ff05af448c945481a6d5        python-tools-1.5.2-23.i386.rpm

        6.3 Installation

        rpm -Fvh python-1.5.2-23.i386.rpm
        rpm -Fvh python-devel-1.5.2-23.i386.rpm
        rpm -Fvh python-docs-1.5.2-23.i386.rpm
        rpm -Fvh python-tools-1.5.2-23.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-045.0/SRPMS

        6.5 Source Packages

        fd76ce8a916c54b2bb39c59dfab108ab        python-1.5.2-23.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-045.0/RPMS

        7.2 Packages

        63778bc0ecd4b9d0bea8d13f0c8f6675        python-1.5.2-23.i386.rpm
        e0321c8e207b61596f0a229c5a39d637        python-devel-1.5.2-23.i386.rpm
        c990c27494f5be2197d04a9547e7fa6b        python-docs-1.5.2-23.i386.rpm
        8af51bc909042691f3578fcc5c3e2ca2        python-tools-1.5.2-23.i386.rpm

        7.3 Installation

        rpm -Fvh python-1.5.2-23.i386.rpm
        rpm -Fvh python-devel-1.5.2-23.i386.rpm
        rpm -Fvh python-docs-1.5.2-23.i386.rpm
        rpm -Fvh python-tools-1.5.2-23.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-045.0/SRPMS

        7.5 Source Packages

        9dcbab4cbf814be8291b5a68241176f2        python-1.5.2-23.src.rpm


8. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr868648, fz525980,
        erg712115.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

______________________________________________________________________________
