From joey@infodrom.org Wed Dec 22 12:24:52 2004
From: Martin Schulze
Resent-From: list@murphy.debian.org (SmartList)
To: bugtraq@securityfocus.com
Date: Wed, 22 Dec 2004 15:46:38 +0100 (CET)
Reply-To: listadmin@securityfocus.com
Subject: [SECURITY] [DSA 615-1] New debmake package fixes insecure temporary directories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 615-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 22nd, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : debmake
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: yes
CVE ID         : CAN-2004-1179
Debian Bug     : 286382

Javier Fernández-Sanguino Peña noticed that the debstd script from
debmake, a deprecated helper package for Debian packaging, created
temporary directories in an insecure manner.  This can be exploited by
a malicious user to overwrite arbitrary files owned by the victim.

For the stable distribution (woody) this problem has been fixed in
version 3.6.10.woody.1.

For the unstable distribution (sid) this problem has been fixed in
version 3.7.7.

We recommend that you upgrade your debmake package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/d/debmake/debmake_3.6.10.woody.1.dsc
      Size/MD5 checksum:      497 fcbfe41a644d608b165a1e21ac578115
    http://security.debian.org/pool/updates/main/d/debmake/debmake_3.6.10.woody.1.tar.gz
      Size/MD5 checksum:    39960 9c32e99bb95f3d62d91fa613e282951a

  Architecture independent components:

    http://security.debian.org/pool/updates/main/d/debmake/debmake_3.6.10.woody.1_all.deb
      Size/MD5 checksum:    44572 b15c79fd0c73a2d665628092eee19027


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFByYjNW5ql+IAeqTIRAg3tAJ9ibU8Hur/a288d0VB1KMLtfarynwCfTDaf
oiQi+11hvZI1lhnWkWqNegI=
=bI9B
-----END PGP SIGNATURE-----
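
The advisory does not show the debstd code. The following is an added
example, not taken from debmake or from the advisory's author, contrasting
the general class of problem (a temporary directory with a predictable
name, reused if it already exists) with hardened creation in a shell
script. The function names and the "build." prefix are hypothetical.

```sh
#!/bin/sh
# Added illustration; not debstd's code. Function names are hypothetical.

# Weak pattern: the name is predictable (PID) and "mkdir -p" succeeds even
# when the path already exists, so a directory or symlink created earlier
# by another local user is silently reused.
weak_tmpdir() {
    base=$1
    dir="$base/build.$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d chooses an unpredictable name and creates the
# directory atomically with mode 0700; it fails instead of reusing a path.
safe_tmpdir() {
    base=$1
    dir=$(mktemp -d "$base/build.XXXXXXXXXX") || return 1
    # Defence in depth: reject a symlink or a directory we do not own.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        return 1
    fi
    printf '%s\n' "$dir"
}

# Fallback without mktemp: plain mkdir (no -p) is atomic and fails if the
# name exists, so a pre-created path is detected rather than reused.
strict_tmpdir() {
    base=$1
    dir="$base/build.$$"
    ( umask 077 && mkdir "$dir" ) 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# Typical use: create once, remove on exit.
workdir=$(safe_tmpdir "${TMPDIR:-/tmp}") || exit 1
trap 'rm -rf "$workdir"' EXIT
```

A script that gets a failure from safe_tmpdir or strict_tmpdir should
abort rather than fall back to a fixed path.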