Debian Security Advisory

DSA-160-1 scrollkeeper -- insecure temporary file creation

Date Reported:
03 Sep 2002
Affected Packages:
scrollkeeper
Vulnerable:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 5602.
In Mitre's CVE dictionary: CVE-2002-0662.
More information:

Spybreak discovered a problem in scrollkeeper, a free electronic cataloging system for documentation. The scrollkeeper-get-cl program creates temporary files insecurely in the /tmp directory, using easily predictable names. Since scrollkeeper is called automatically when a user logs into a Gnome session, an attacker with local access could easily create and overwrite files as another user.

This problem has been fixed in version 0.3.6-3.1 for the current stable distribution (woody) and in version 0.3.11-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it does not contain the scrollkeeper package.

We recommend that you upgrade your scrollkeeper packages immediately.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1.dsc
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1.diff.gz
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_alpha.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_alpha.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_arm.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_arm.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_i386.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_i386.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_ia64.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_ia64.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_ia64.deb
HP Precision:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_hppa.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_hppa.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_m68k.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_m68k.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_mips.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_mips.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_mipsel.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_mipsel.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_s390.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_s390.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper-dev_0.3.6-3.1_sparc.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/libscrollkeeper0_0.3.6-3.1_sparc.deb
http://security.debian.org/pool/updates/main/s/scrollkeeper/scrollkeeper_0.3.6-3.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.