Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

tcsh -- local exploit

Date Reported:

11 Nov 2000

Affected Packages:

tcsh
tcsh-i18n
tcsh-kanji

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2000-1134.

More information:

Proton reported on bugtraq that tcsh did not handle in-here documents correctly. The version of tcsh that is distributed with Debian GNU/Linux 2.2r0 also suffered from this problem. When using in-here documents using the << syntax tcsh uses a temporary file to store the data. Unfortunately the temporary file is not created securely and standard symlink attacks can be used to make tcsh overwrite arbitrary files. This has been fixed in version 6.09.00-10 and we recommend that you upgrade your tcsh package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00-10.diff.gz

http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00-10.dsc

http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00.orig.tar.gz

Architecture-independent component:

http://security.debian.org/dists/potato/updates/main/binary-all/tcsh-i18n_6.09.00-10_all.deb

Alpha:

http://security.debian.org/dists/potato/updates/main/binary-alpha/tcsh_6.09.00-10_alpha.deb

http://security.debian.org/dists/potato/updates/main/binary-alpha/tcsh-kanji_6.09.00-10_alpha.deb

ARM:

http://security.debian.org/dists/potato/updates/main/binary-arm/tcsh_6.09.00-10_arm.deb

http://security.debian.org/dists/potato/updates/main/binary-arm/tcsh-kanji_6.09.00-10_arm.deb

Intel IA-32:

http://security.debian.org/dists/potato/updates/main/binary-i386/tcsh_6.09.00-10_i386.deb

http://security.debian.org/dists/potato/updates/main/binary-i386/tcsh-kanji_6.09.00-10_i386.deb

Motorola 680x0:

http://security.debian.org/dists/potato/updates/main/binary-m68k/tcsh_6.09.00-10_m68k.deb

http://security.debian.org/dists/potato/updates/main/binary-m68k/tcsh-kanji_6.09.00-10_m68k.deb

PowerPC:

http://security.debian.org/dists/potato/updates/main/binary-powerpc/tcsh_6.09.00-10_powerpc.deb

http://security.debian.org/dists/potato/updates/main/binary-powerpc/tcsh-kanji_6.09.00-10_powerpc.deb

Sun SPARC:

http://security.debian.org/dists/potato/updates/main/binary-sparc/tcsh_6.09.00-10_sparc.deb

http://security.debian.org/dists/potato/updates/main/binary-sparc/tcsh-kanji_6.09.00-10_sparc.deb

This page is also available in the following languages:

Deutsch español français 日本語 (Nihongo) svenska

How to set the default document language