Subject: Caldera Security Advisory SA-1998.29: RedHat rpm vulnerability

Topic: RedHat rpm vulnerability
Advisory issue date: August 7 1998

I. Problem Description

RPM (RedHat Package Manager) has many useful features. One of these features is to retrieve a file off of the net and install it all in one step. When RPM is used this way, the file RPM is retrieving is temporarily stored in /var/tmp. The file mask RPM uses is rpm-ftp-$no-$pid.tmp, where $no is the number of the package in the queue (0,1,2,...).

Unfortunately, rpm does not properly check if the temporary file already exists, and will follow symlinks. As rpm is often run by root, it is then possible to overwrite any file on the system, regardless of access permissions.

II. Impact

Description:

Vulnerable Systems: OpenLinux 1.0, 1.1, & 1.2 systems using the rpm (RedHat Package Manager) package prior to rpm-2.5.2-2.

III. Solution

Correction: The proper solution is to upgrade to the xxx packages. They can be found on Caldera's FTP site at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/RPMS

The corresponding source code can be found at:

    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011/SRPMS

The MD5 checksums (from the "md5sum" command) for these packages are:

    a731190ae1ed6a5d5ba2c9c0b56afa20  RPMS/rpm-2.5.2-2.i386.rpm
    9bb703007506890bb2b7534d77a6ba42  SRPMS/rpm-2.5.2-2.src.rpm

Upgrade with the following commands:

    rpm -q rpm && rpm -U RPMS/rpm-2.5.2-2.i386.rpm
    rpm -q rpm-devel && rpm -U RPMS/rpm-devel-2.5.2-2.i386.rpm

Note that the rpm program used in Caldera OpenLinux systems is not identical to the rpm program used in other Linux distributions based on the RedHat Package Manager system.

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in the BUGTRAQ archive at http://www.netspace.org/lsv-archive/bugtraq.html.

    ---
    Message-ID: <199708022253.AAA01517@plaguez.insomnia.org>
    Date: Sun, 3 Aug 1997 00:53:54 +0200
    Reply-To: dube0866@EUROBRETAGNE.FR
    Sender: Bugtraq List
    From: Nicolas Dubee
    To: BUGTRAQ@NETSPACE.ORG
    ---

This security fix closes Caldera's internal Problem Report 875.

V. PGP Signature

This message was signed with the PGP key for security@caldera.com. This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1998.29.txt,v 1.3 1998/08/07 14:12:40 rf Exp $
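The temporary-file handling described in section I (Problem Description), as an added example that is not rpm source code and not part of Caldera's advisory: it sets the open pattern the advisory describes beside an exclusive-create open and checks both against a pre-planted symlink. The function names, the scratch directory under /tmp, and the $no/$pid values in the file name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: predictable name, no existence check, symlinks followed. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, even a symlink, already sits at path. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Plants a symlink at the temp name inside a private scratch directory, then tries both opens.
 * Returns a bitmask: 1 = unsafe open truncated the link target; 2 = safe open refused, target intact. */
int symlink_demo(void) {
    char dir[] = "/tmp/sa-demo-XXXXXX", target[64], tmp[64];
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmp, sizeof tmp, "%s/rpm-ftp-0-1234.tmp", dir); /* constructed $no and $pid */
    for (int pass = 0; pass < 2; pass++) {
        FILE *f = fopen(target, "w");
        if (!f) return -1;
        fputs("important\n", f); /* 10 bytes of stand-in content */
        fclose(f);
        unlink(tmp);
        if (symlink(target, tmp) != 0) return -1;
        int fd = pass == 0 ? open_tmp_unsafe(tmp) : open_tmp_safe(tmp);
        if (pass == 0 && fd >= 0 && size_of(target) == 0) result |= 1;
        if (pass == 1 && fd < 0 && errno == EEXIST && size_of(target) == 10) result |= 2;
        if (fd >= 0) close(fd);
    }
    unlink(tmp); unlink(target); rmdir(dir);
    return result;
}
int main(void) {
    printf("result mask: %d (3 = both behaviours observed)\n", symlink_demo());
    return 0;
}
```

In new code, mkstemp(3) gives the same exclusive-create guarantee and also makes the file name unpredictable.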