Otkriven je i ispravljen sigurnosni nedostatak u radu paketa rpmdevtools koji je omogućavao lokalnom zlonamjernom korisniku neovlaštenu promjenu datoteka.
Paket:
rpmdevtools 8.x
Operacijski sustavi:
Fedora 18
Problem:
pogreška u programskoj komponenti
Iskorištavanje:
lokalno
Posljedica:
izmjena podataka
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2012-3500
Izvorni ID preporuke:
FEDORA-2012-13208
Izvor:
Fedora
Problem:
Problem se javlja prilikom korištenja "annotate-output" koji nepravilno rukuje trenutnim datotekama.
Posljedica:
Zlonamjerni lokalni korisnik mogao je iskoristiti nedostatak kako bi neovlašteno mijenjao datoteke drugih korisnika.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13208
2012-09-03 17:17:53
--------------------------------------------------------------------------------
Name : rpmdevtools
Product : Fedora 18
Version : 8.3
Release : 1.fc18
URL : https://fedorahosted.org/rpmdevtools/
Summary : RPM Development Tools
Description :
This package contains scripts and (X)Emacs support files to aid in
development of RPM packages.
rpmdev-setuptree Create RPM build tree within user's home directory
rpmdev-diff Diff contents of two archives
rpmdev-newspec Creates new .spec from template
rpmdev-rmdevelrpms Find (and optionally remove) "development" RPMs
rpmdev-checksig Check package signatures using alternate RPM keyring
rpminfo Print information about executables and libraries
rpmdev-md5/sha* Display checksums of all files in an archive file
rpmdev-vercmp RPM version comparison checker
spectool Expand and download sources and patches in specfiles
rpmdev-wipetree Erase all files within dirs created by rpmdev-setuptree
rpmdev-extract Extract various archives, "tar xvf" style
rpmdev-bumpspec Bump revision in specfile
...and many more.
--------------------------------------------------------------------------------
Update Information:
Update to upstream version 8.3, fixing among other issues a symlink attack
possibility in annotate-output (CVE-2012-3500).
http://git.fedorahosted.org/cgit/rpmdevtools.git/tree/NEWS?id=HEAD
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #841043 - [PATCH] licensecheck "Public domain" output causes
truncation
https://bugzilla.redhat.com/show_bug.cgi?id=841043
[ 2 ] Bug #789330 - rpmdev-bumpspec is confused on mysql-workbench spec file
https://bugzilla.redhat.com/show_bug.cgi?id=789330
[ 3 ] Bug #828455 - rpmdev-newspec should use %make_install
https://bugzilla.redhat.com/show_bug.cgi?id=828455
[ 4 ] Bug #853452 - CVE-2012-3500 rpmdevtools: TOCTOU race condition in
annotate-output [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=853452
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update rpmdevtools' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke