From: Mandriva Security Team <security@mandriva.com.>
To: [email protected]Subject: MDKSA-2005:077 - Updated cdrecord packages fix vulnerability
Message-Id: <E1DOVw9-000145-2j@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
Date: Thu, 21 Apr 2005 01:17:21 -0600
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: cdrecord
Advisory ID: MDKSA-2005:077
Date: April 20th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Javier Fernandez-Sanguino Pena discovered that cdrecord created
temporary files in an insecure manner if DEBUG was enabled in
/etc/cdrecord/rscsi. If the default value was used (which stored
the debug output file in /tmp), a symbolic link attack could be used
to create or overwrite arbitrary files with the privileges of the
user invoking cdrecord. Please note that by default this configuration
file does not exist in Mandriva Linux so unless you create it and
enable DEBUG, this does not affect you.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0866http://bugs.debian.org/291376
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
b76b1f88a021c51f2ed0e01e1655cced 10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.i586.rpm
647980c29121e4cb656e0786007e6e5c 10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.i586.rpm
31e3ed2e746db7f53914d063c4cb1ad0 10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.i586.rpm
7715dc6d38cf9f89be7ec823ce3ae80a 10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.i586.rpm
ba546809bbddf8d3034e19a9eb7b302d 10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
1bc7d6c833f4457fd95f17f98d79015a amd64/10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.amd64.rpm
1ddb746abc3a1330b4807a024b3ca9ee amd64/10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.amd64.rpm
ddf466f2357364d42486693b4532240f amd64/10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.amd64.rpm
e899df2f7be3e50b0bd59aef795ffa52 amd64/10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.amd64.rpm
ba546809bbddf8d3034e19a9eb7b302d amd64/10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm
Mandrakelinux 10.1:
794bf04c820b0260d0e694f062c905f2 10.1/RPMS/cdrecord-2.01-1.1.101mdk.i586.rpm
42ec8777385b893d8251599570c36c73 10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.i586.rpm
3d058e44f07c83879278baaa495e8450 10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.i586.rpm
e6a9c9c198b54ea22adc0bd7911cffaf 10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.i586.rpm
c1c45207be3fd2ca3aefb58a644bc82a 10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.i586.rpm
37ab3e2083acb6faa1e7b36afe2165a7 10.1/RPMS/mkisofs-2.01-1.1.101mdk.i586.rpm
768f4f60b9790fac5b557746c98e3505 10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
e8480e54f0ceb69ad4b24ef8a708a9b9 x86_64/10.1/RPMS/cdrecord-2.01-1.1.101mdk.x86_64.rpm
6599dacd7cc7f2348afc4b163f958364 x86_64/10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.x86_64.rpm
1701e03afa8804c5c98322a90af10ba5 x86_64/10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.x86_64.rpm
2cfb1b7cd36e366f9f869934a580a996 x86_64/10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.x86_64.rpm
77cbb47faa8da69d4757043a50163c97 x86_64/10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.x86_64.rpm
1ecb8362b876ba63d81bafc0079db541 x86_64/10.1/RPMS/mkisofs-2.01-1.1.101mdk.x86_64.rpm
768f4f60b9790fac5b557746c98e3505 x86_64/10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm
Mandrakelinux 10.2:
e88cb26c11fa7db8cc0d635dc3f09746 10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.i586.rpm
d581a2787035515872382465d5a0b52d 10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.i586.rpm
96f46be6665c42b4a24f03cdfecda60f 10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.i586.rpm
a7abba59fdf0e767c2d6029ea681c457 10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.i586.rpm
51a00a1b64e8ec4ea09b399ebfce1da1 10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.i586.rpm
33bab4de7eced57809cb3e88fd4da58c 10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.i586.rpm
f3fb0008491fe53605279f76b218cb8d 10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
15a112f392f250ea82a2bc54bb74f32f x86_64/10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
7c872b9867899f5b7f4c30c37ca1c4e0 x86_64/10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
06ebe0c9e9f8c1366d19122d77841270 x86_64/10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
fe2c5214b8e5765326177a606afd8995 x86_64/10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
3f16d1f23475953132c39e73d5a5eb36 x86_64/10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
d41ca3a964192961a8df1ebc51d74b14 x86_64/10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
f3fb0008491fe53605279f76b218cb8d x86_64/10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm
Corporate Server 2.1:
41f690bdc4e9ed38a5e07b441dc68e2e corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.i586.rpm
21fd0a4f61d96d8099bfc7e420078997 corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.i586.rpm
a88c902c395ab6922bd187bdb89f9f37 corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.i586.rpm
a256764d4fa4206aa252b6abb9826a07 corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.i586.rpm
3afc5d3ae2642fc622ba33a70982f22b corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.i586.rpm
9d0ad887fde0366818d4efd867a024c3 corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
3a2e0f073569f2b3cfebc2048894515a x86_64/corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.x86_64.rpm
71680076240e7ec0166416eb73e7af7a x86_64/corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.x86_64.rpm
7395c0654192b3bc1cf2ba298c82df46 x86_64/corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.x86_64.rpm
9f2de918b15db99cf89e1e6d3c86c24f x86_64/corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.x86_64.rpm
2644ac211232f9a10aa1519b00f5e364 x86_64/corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.x86_64.rpm
9d0ad887fde0366818d4efd867a024c3 x86_64/corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm
Corporate 3.0:
3352fc19b054b565996b0322db3ced25 corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.i586.rpm
46df5e69acd47306efcb732942a0365b corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.i586.rpm
8addf58eff5059b2f10daab5766db805 corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.i586.rpm
70c2e71dfaa1f44962a123becf6ec988 corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.i586.rpm
5f772fbe88aab2ae890b71e46c83976f corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
11a0aaf96ba4ea707fdbe421ad0dd9ad x86_64/corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.x86_64.rpm
a8ea5673da05ec4bdbbd95e4c85b91e1 x86_64/corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.x86_64.rpm
384896d7b6ad11ad8eafac6db166ef8e x86_64/corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.x86_64.rpm
07615c675d0a11b2f4b78db6d2ba2736 x86_64/corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.x86_64.rpm
5f772fbe88aab2ae890b71e46c83976f x86_64/corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCZ1OAmqjQ0CJFipgRAideAJ9YPKcVLcK7lfsggj8X28ELtETxtQCffkye
K2ljRmUOow003gkCohr01X8=
=hGQi
-----END PGP SIGNATURE-----