From marcdeslauriers@videotron.ca Sun Nov 13 23:18:13 2005
From: Marc Deslauriers
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Sun, 13 Nov 2005 23:17:43 -0500
Subject: [Full-disclosure] [FLSA-2005:152848] Updated glibc packages fix security issues

---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated glibc packages fix security issues
Advisory ID:       FLSA:152848
Issue date:        2005-11-13
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0968 CVE-2004-1382 CVE-2004-1453
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated glibc packages that address several bugs are now available.

The GNU libc packages (known as glibc) contain the standard C libraries
used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Flaws in the catchsegv and glibcbug scripts were discovered. A local
user could utilize these flaws to overwrite files via a symlink attack
on temporary files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2004-0968 and CVE-2004-1382
to these issues.

It was discovered that the use of LD_DEBUG and LD_SHOW_AUXV was not
restricted for a setuid program. A local user could utilize this flaw to
gain information, such as the list of symbols used by the program. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-1453 to this issue.

Users of glibc are advised to upgrade to these erratum packages, which
remove the unnecessary glibcbug script and contain backported patches
to correct these other issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.
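To tell whether a host already carries the fixed glibc build for its release, the following added example (not part of the advisory or of Fedora Legacy's tooling) compares the installed VERSION-RELEASE, as printed by rpm's standard --qf query format, against the fixed builds listed in section 6, using a simplified port of rpm's own rpmvercmp ordering; the product name passed on the command line and the "Fedora Core 2" default are assumptions.

```python
import re
import subprocess

# Fixed glibc VERSION-RELEASE per product, taken from section 6 of this advisory.
FIXED_GLIBC = {
    "Red Hat Linux 7.3": "2.2.5-44.legacy.6",
    "Red Hat Linux 9":   "2.3.2-27.9.7.2.legacy",
    "Fedora Core 1":     "2.3.2-101.4.2.legacy",
    "Fedora Core 2":     "2.3.3-27.1.1.legacy",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp(): split both strings into numeric and
    alphabetic segments (separators are ignored), compare numeric segments as
    integers and alphabetic ones lexically, with a numeric segment ranking above
    an alphabetic one; the string with more segments left over wins. Tilde/caret
    handling is omitted (none of the versions above use them). Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed, fixed):
    """Compare two VERSION-RELEASE strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_fixed(product, installed_vr):
    """True when the installed glibc is at or beyond the fixed build for product."""
    return compare_vr(installed_vr, FIXED_GLIBC[product]) >= 0

def installed_glibc_vr():
    """Query the local rpm database; --qf with %{VERSION}/%{RELEASE} is standard rpm."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\\n", "glibc"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[0]   # rpm may list several arches; take the first

if __name__ == "__main__":
    import sys
    product = sys.argv[1] if len(sys.argv) > 1 else "Fedora Core 2"  # assumed default
    vr = installed_glibc_vr()
    print(product, "glibc", vr, "fixed" if is_fixed(product, vr) else "VULNERABLE")
```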
To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that
you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152848

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.6.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.6.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.6.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/glibc-2.3.2-27.9.7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-common-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-debug-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-devel-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-profile-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-utils-2.3.2-27.9.7.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nptl-devel-2.3.2-27.9.7.2.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nscd-2.3.2-27.9.7.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/glibc-2.3.2-101.4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-common-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-debug-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-devel-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-headers-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-profile-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-utils-2.3.2-101.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/nptl-devel-2.3.2-101.4.2.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/nscd-2.3.2-101.4.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/glibc-2.3.3-27.1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-common-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-devel-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-headers-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-profile-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-utils-2.3.3-27.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/nptl-devel-2.3.3-27.1.1.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/nscd-2.3.3-27.1.1.legacy.i386.rpm

7. Verification:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1453

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------