Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2005:089 - Updated cdrdao packages fix local root vulnerability
From: Mandriva Security Team <security () mandriva com>
Date: Wed, 18 May 2005 22:24:48 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cdrdao
 Advisory ID:            MDKSA-2005:089
 Date:                   May 18th, 2005

 Affected versions:      10.0, 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 The cdrdao package contains two vulnerabilities; the first allows local
 users to read arbitrary files via the show-data command and the second
 allows local users to overwrite arbitrary files via a symlink attack on
 the ~/.cdrdao configuration file.  This can also lead to elevated
 privileges (a root shell) due to cdrdao being installed suid root.
 
 The provided packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0137
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0138
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 1b7ae1dad185d083ed25987ccce21ad0  10.0/RPMS/cdrdao-1.1.8-2.2.100mdk.i586.rpm
 87a92365c35931b3023188da4089c482  10.0/RPMS/cdrdao-gcdmaster-1.1.8-2.2.100mdk.i586.rpm
 0fd4754121b926a84fae47bf1e4c6133  10.0/SRPMS/cdrdao-1.1.8-2.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 cea5f48ae2bcc67e161da98e41b55134  amd64/10.0/RPMS/cdrdao-1.1.8-2.2.100mdk.amd64.rpm
 c8b85327b50ebb68e3fab34476b1b3cb  amd64/10.0/RPMS/cdrdao-gcdmaster-1.1.8-2.2.100mdk.amd64.rpm
 0fd4754121b926a84fae47bf1e4c6133  amd64/10.0/SRPMS/cdrdao-1.1.8-2.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 61ab4f7af380c2b46acac4dcfa1f893a  10.1/RPMS/cdrdao-1.1.9-6.1.101mdk.i586.rpm
 9c8463a1c170c1b189e0dd9a68be07d9  10.1/RPMS/cdrdao-gcdmaster-1.1.9-6.1.101mdk.i586.rpm
 050a81b90551f9ef454904e55a160a9d  10.1/SRPMS/cdrdao-1.1.9-6.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 a2424f9595ddcb10aca667a35523ae20  x86_64/10.1/RPMS/cdrdao-1.1.9-6.1.101mdk.x86_64.rpm
 ce08ea93c55311d7585dcf72d62add3a  x86_64/10.1/RPMS/cdrdao-gcdmaster-1.1.9-6.1.101mdk.x86_64.rpm
 050a81b90551f9ef454904e55a160a9d  x86_64/10.1/SRPMS/cdrdao-1.1.9-6.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 b073077b108528d1ceed5681acf46f8c  10.2/RPMS/cdrdao-1.1.9-7.1.102mdk.i586.rpm
 0077a3948564abc01ab2dc935268b443  10.2/RPMS/cdrdao-gcdmaster-1.1.9-7.1.102mdk.i586.rpm
 cb1265c4a12964fa5fbf42a7fb2361df  10.2/SRPMS/cdrdao-1.1.9-7.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 0f3eeec0e097087dd4b15dc89ccea21f  x86_64/10.2/RPMS/cdrdao-1.1.9-7.1.102mdk.x86_64.rpm
 c573c4ff16b3b0c9bf68467d5cfc347b  x86_64/10.2/RPMS/cdrdao-gcdmaster-1.1.9-7.1.102mdk.x86_64.rpm
 cb1265c4a12964fa5fbf42a7fb2361df  x86_64/10.2/SRPMS/cdrdao-1.1.9-7.1.102mdk.src.rpm

 Corporate 3.0:
 406191468856946e82d195204855a05f  corporate/3.0/RPMS/cdrdao-1.1.8-2.2.C30mdk.i586.rpm
 768b911c0d220197ad43f351b91e1c9c  corporate/3.0/RPMS/cdrdao-gcdmaster-1.1.8-2.2.C30mdk.i586.rpm
 70d8a7e69f725875da71507ebc7c2447  corporate/3.0/SRPMS/cdrdao-1.1.8-2.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e97c0cd16db006ebc56e7b339c4eccc9  x86_64/corporate/3.0/RPMS/cdrdao-1.1.8-2.2.C30mdk.x86_64.rpm
 e1f6f75a51182be5155dc204abbbf188  x86_64/corporate/3.0/RPMS/cdrdao-gcdmaster-1.1.8-2.2.C30mdk.x86_64.rpm
 70d8a7e69f725875da71507ebc7c2447  x86_64/corporate/3.0/SRPMS/cdrdao-1.1.8-2.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCjBUQmqjQ0CJFipgRAjzeAJ9cTiaucpnqaW4JIyQgqiDAGRNfZQCg29j5
pTU5kh/+QTwHzbHNURqbPpE=
=X3bG
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • MDKSA-2005:089 - Updated cdrdao packages fix local root vulnerability Mandriva Security Team (May 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault