Immunix Secured OS 7+ fileutils update

From: Immunix Security Team (securityat_private)
Date: Fri May 16 2003 - 12:37:06 PDT


    -----------------------------------------------------------------------
    	Immunix Secured OS Security Advisory
    
    Packages updated:	fileutils
    Affected products:	Immunix OS 7.0, 7+
    Bugs fixed:		CAN-2002-0435
    Date:			Fri May 16 2003
    Advisory ID:		IMNX-2003-7+-010-01
    Author:			Seth Arnold <sarnoldat_private>
    -----------------------------------------------------------------------
    
    Description:
      Wojciech Purczynski discovered filesystem race conditions in the GNU
      fileutils suite that allow local root compromise if root renames or
      removes group- or world-writable directory trees.
    
      This release fixes this problem by comparing (dev, inode) pairs before
      and after chdir("..") calls. If the pairs don't match, an error is
      returned. Thanks to Jim Meyering for the patch.
    
    Package names and locations:
      Precompiled binary packages for Immunix 7+ are available at:
      http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fileutils-4.0x-3_imnx_1.i386.rpm
    
      A source package for Immunix 7+ is available at:
      http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fileutils-4.0x-3_imnx_1.src.rpm
    
    Immunix OS 7+ md5sums:
      14e6f08085ae88a6545d30c7428e30fd  RPMS/fileutils-4.0x-3_imnx_1.i386.rpm
      cb75eca0cd9832c317a89d2cf0871847  SRPMS/fileutils-4.0x-3_imnx_1.src.rpm
    
    GPG verification:                                                               
      Our public key is available at <http://wirex.com/security/GPG_KEY>.           
    
    NOTE:
      Ibiblio is graciously mirroring our updates, so if the links above are
      slow, please try:
        ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
      or one of the many mirrors available at:
        http://www.ibiblio.org/pub/Linux/MIRRORS.html
    
      ImmunixOS 6.2 is no longer officially supported.
      ImmunixOS 7.0 is no longer officially supported.
    
    Contact information:
      To report vulnerabilities, please contact securityat_private. WireX
      attempts to conform to the RFP vulnerability disclosure protocol
      <http://www.wiretrip.net/rfp/policy.html>.
    
    
    


