[ESA-20010509-01] pine temporary file handling vulnerabilities

From: EnGarde Secure Linux (securityat_private)
Date: Sun May 27 2001 - 13:22:17 PDT

Next message: andreas junestam: "def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS"

Previous message: ByteRage: "CesarFTP v0.98b triple dot Directory Traversal / Weak password encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 23, 2001 |
| http://www.engardelinux.org/                           ESA-20010509-01 |
|                                                                        |
| Package:  pine                                                         |
| Summary:  pine temporary file handling problems                        |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There are various temporary file handling problems in the version of
  pine which shipped with EnGarde Secure Linux version 1.0.1.


DETAIL
- ------
  All versions of the pine email client and the pico text editor have
  temporary file handling problems.  Any local user can potentially
  overwrite any file on the system, including those belonging to root.
  These bugs have been fixed in this update.

  There were also some non-security bugs in the pinepgp helper programs
  which have been resolved with this updated package.


SOLUTION
- --------
  All users running pine should upgrade to the most recent version,
  as outlined in this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  To install the updated package, execute the command:

    rpm -Uvh <filename>

  To verify the signature of the updated packages, execute the command:

    rpm -Kv <filename>


UPDATED PACKAGES
- ----------------

  Source Packages:

    SRPMS/pine-4.33-1.0.5.src.rpm
      MD5 Sum:  42c27633af1ad224046dd098d5564eb5

  Binary Packages:

    i386/pine-4.33-1.0.5.i386.rpm
      MD5 Sum:  6e2a3db38bd02ccf4ef60dfe8e343814

    i686/pine-4.33-1.0.5.i686.rpm
      MD5 Sum:  9c99552c6caa037594504cf2f3f3eea1


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  pine's official web site:
    http://www.washington.edu/pine/


- ----------------------------------------------------------------------------
$Id: 2001.05.09-pine,v 1.1 2001/05/09 14:09:24 rwm Exp $
- ----------------------------------------------------------------------------
Author: Ryan W. Maple, <ryanat_private> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7EWICHD5cqd57fu0RAp36AJ9ye+mmifeJRljxXESHL8wXPiRsoQCeMGos
2kqbnrodS5ozWtrUYDlVWVM=
=KrUb
-----END PGP SIGNATURE-----

Next message: andreas junestam: "def-2001-27: GuildFTPD Buffer Overflow and Memory Leak DoS"
Previous message: ByteRage: "CesarFTP v0.98b triple dot Directory Traversal / Weak password encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:44:48 PDT