Date:         Wed, 10 Jan 2001 12:11:17 -0800
From: Greg KH <greg@WIREX.COM>
Subject:      Immunix OS Security update for lots of temp file problems
To: BUGTRAQ@SECURITYFOCUS.COM



-----------------------------------------------------------------------
	Immunix OS Security Advisory Summary

Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-028-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a lot of potential temp file race problems in many different
  programs.  These came to light thanks to the "new" linker warning in
  glibc, which is emitted whenever mktemp(), tempnam() or other insecure
  temp file generation functions are used.
  
  This summary message encompasses 12 different packages that we have
  released updates for in order to try to cut down on the amount of
  different email messages that people get.
  
  The packages and versions affected are:
        apache       1.3.14 and also 2.0a9, the htpasswd and htdigest helper programs
        tcpdump      arpwatch version 2.1a4
        squid        2.3 STABLE and 2.4
        linuxconf    1.19r through 1.23r, the vpop3d program
        mgetty       1.1.22 and 1.1.23
        gpm          1.19.3
        wu-ftpd      2.6.1, the privatepw program
        inn          2.2.3
        diffutils    2.7, the sdiff program
        getty_ps     2.0.7j
        rdist        6.1.5
        shadow-utils 19990827 and 20000902, the useradd program

  Note that Immunix Linux 7.0 is based on RedHat 7.0, so RedHat 7.0 is
  also affected by all of these same problems.  Other Linux distros are
  also probably affected by some of them.
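
  The pattern behind all twelve entries, shown as an added example (this
  is not code from any of the packages listed, nor from Immunix): a temp
  file is named first, mktemp()-style, and opened in a second step, so an
  attacker who has planted a symlink at that name gets the victim
  program's write redirected to a file of the attacker's choosing.  Next
  to it are the two fixes the glibc warning points at: O_EXCL on the
  open, and mkstemp(), which names and creates in one call.  The scratch
  directory, file names and contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a name is chosen first (mktemp(), or here a fixed
 * string, which simply means the attacker has already won the race) and is
 * opened in a second step.  O_CREAT without O_EXCL follows a planted symlink
 * and truncates whatever it points at, with the victim program's privileges. */
int open_temp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix: O_EXCL makes create-and-open one atomic step and fails with EEXIST if
 * anything, including a symlink, already occupies the name. */
int open_temp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred fix: mkstemp() picks an unpredictable name and creates the file
 * with O_EXCL in one call.  fchmod() pins the mode regardless of umask or old
 * glibc defaults.  The "tmpXXXXXX" template is a hypothetical name. */
int create_temp_mkstemp(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/tmpXXXXXX", dir);
    int fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, 0600) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Read a small file into buf; returns bytes read or -1. */
static int slurp(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Stage the attack in a private scratch directory (constructed test data):
 * a "victim" file, and a symlink at the predictable temp name pointing at it.
 * Run the given opener against the temp name and report what happened:
 *   1 = victim clobbered, 0 = open refused with EEXIST, -1 = anything else.
 * The scratch directory is mode 0700 and not sticky, so Linux's
 * fs.protected_symlinks (which only guards sticky world-writable directories
 * such as /tmp) does not mask the behaviour being shown. */
int attack_result(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmprace.XXXXXX", victim[64], link[64], buf[32];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("original", f);
    fclose(f);
    if (symlink(victim, link) < 0) return -1;   /* the attacker's move */

    int result = -1;
    int fd = opener(link);
    int err = errno;
    if (fd >= 0) {
        if (write(fd, "pwned", 5) == 5) result = 1;
        close(fd);
    } else if (err == EEXIST) {
        result = 0;
    }
    /* Confirm against the victim file itself, not just the return code. */
    if (slurp(victim, buf, sizeof buf) < 0) result = -1;
    else if (result == 1 && strcmp(buf, "pwned") != 0) result = -1;
    else if (result == 0 && strcmp(buf, "original") != 0) result = -1;

    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

/* Create a file with create_temp_mkstemp() and verify that what we got is a
 * fresh, private regular file.  Returns 1 when every expectation holds. */
int mkstemp_creates_private_file(void) {
    char dir[] = "/tmp/tmprace.XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    int fd = create_temp_mkstemp(dir, path, sizeof path);
    int ok = fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(dir);
    return ok;
}
```

  attack_result(open_temp_insecure) returns 1: the "victim" file now
  reads "pwned".  attack_result(open_temp_secure) returns 0: the open
  fails with EEXIST and the victim is untouched.  Note that the check is
  made on the target file, not on the return value of open(), since a
  successful open through the symlink looks exactly like a successful
  open of a fresh file.  On a current Linux kernel fs.protected_symlinks
  blocks this particular trick in /tmp, but not in any other shared
  directory, and the advisory predates that mitigation by many years.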
  
  If anyone wants the specific patch used to fix these problems, or
  wants a more detailed explanation of any of the problems, please feel
  free to ask me.  
  
  Thanks go out to Steve Beattie, Chris Wright and Matt Barringer, who
  all did audits and helped with the patches.  And to our boss, Crispin
  Cowan for working to convince WireX management that it was worth our
  time to help fix these problems.  Also to all of the maintainers who
  responded so quickly with patches and were willing to listen to
  potential problems, a big thanks (the mgetty author, Gert Doering,
  deserves a special thanks, for being so helpful in fixing stuff.)
  
  And I don't think this is the last of the temp file creation problems
  by any means :)

  Online versions of all Immunix 7.0-beta updates and advisories can be
  found at http://www.immunix.org/ImmunixOS/7.0-beta/updates/ 

More details:

-----------------------------------------------------------------------
Packages updated:	apache
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1308
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-016-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the apache helper
  programs, htdigest and htpasswd.  We notified the apache development
  team but never received a response.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  these problems.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/apache-1.3.14-3_StackGuard_5.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/apache-devel-1.3.14-3_StackGuard_5.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/apache-manual-1.3.14-3_StackGuard_5.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/mod_ssl-2.7.1-3_StackGuard_5.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/apache-1.3.14-3_StackGuard_5.src.rpm

md5sums of the packages:
  f7cf8f975ae0d9700ab275040b59168a  apache-1.3.14-3_StackGuard_5.i386.rpm
  52d8c4b1e793aad728d4ef89223cf2b2  apache-devel-1.3.14-3_StackGuard_5.i386.rpm
  55b4d805b6004795143d40ba3dad85b8  apache-manual-1.3.14-3_StackGuard_5.i386.rpm
  7b760f570e40ca35ad46d9c4171e64b9  mod_ssl-2.7.1-3_StackGuard_5.i386.rpm
  00dfbcd0d515a70c761ac2e362aae56a  apache-1.3.14-3_StackGuard_5.src.rpm


-----------------------------------------------------------------------
Packages updated:	arpwatch
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1309
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-017-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the arpwatch program
  which is a part of the tcpdump package.  This problem had been fixed
  in a more recent version of the arpwatch program.

  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/arpwatch-2.1a10-29_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/libpcap-0.4-29_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/tcpdump-3.4-29_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/tcpdump-3.4-29_StackGuard_2.src.rpm

md5sums of the packages:
  0dbf7ba916618809d9e6cecd48a74e42  arpwatch-2.1a10-29_StackGuard_2.i386.rpm
  16554cd2e79f2adc5221cd2edaeacfdc  libpcap-0.4-29_StackGuard_2.i386.rpm
  2a8f01d35f934ad2d0a32bb7cfa4862e  tcpdump-3.4-29_StackGuard_2.i386.rpm
  ac2c2043e98c42a14f0dc057cb65db49  tcpdump-3.4-29_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	squid
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1310
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-018-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the way that the squid
  package sends out email notifying the admin about updating the
  program.  This usually only happens if you are running a development
  version of squid, or if the clock on your system is incorrect.
  
  The squid maintainers have applied a patch to fix this, and can be
  found in latest version of both the development and stable releases of
  squid.  Thanks go out to them for responding so quickly.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/squid-2.3.STABLE4-1_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/squid-2.3.STABLE4-1_StackGuard_2.src.rpm

md5sums of the packages:
  93582c5f73e270f9a83782e9baad3391  squid-2.3.STABLE4-1_StackGuard_2.i386.rpm
  8f8edf4295f4edce2af8a32df6a3348f  squid-2.3.STABLE4-1_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	linuxconf
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1311
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-019-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the vpop3d program in
  the linuxconf package.
  
  The linuxconf maintainers have applied a patch to fix this, and have
  made a new release with this fix in it. Thanks go out to them for
  responding so quickly.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/linuxconf-1.19r2-4_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/linuxconf-devel-1.19r2-4_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/linuxconf-1.19r2-4_StackGuard_2.src.rpm

md5sums of the packages:
  89ca758bceb7e2b97c0da2997c63a8f6  linuxconf-1.19r2-4_StackGuard_2.i386.rpm
  4db4d6d89a438dbf421b6e5030f234cd  linuxconf-devel-1.19r2-4_StackGuard_2.i386.rpm
  3422438e1fec2e8ef880696e616cd833  linuxconf-1.19r2-4_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	mgetty
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1312
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-020-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the mgetty program.
  
  The mgetty maintainer has applied a patch to fix this, and has made a
  new release with this fix in it.  Thanks go out to him for responding
  so quickly.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/mgetty-1.1.24-1_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/mgetty-sendfax-1.1.24-1_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/mgetty-viewfax-1.1.24-1_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/mgetty-voice-1.1.24-1_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/mgetty-1.1.24-1_StackGuard_2.src.rpm

md5sums of the packages:
  ddf613be0fed657c4a4dc0f1b9376486  mgetty-1.1.24-1_StackGuard_2.i386.rpm
  700b540da49532efea426ee84af6bcff  mgetty-sendfax-1.1.24-1_StackGuard_2.i386.rpm
  ed1f381a8ce63c20dcdc23b2373ed4aa  mgetty-viewfax-1.1.24-1_StackGuard_2.i386.rpm
  402e3d274f41e9405c5dac854a890884  mgetty-voice-1.1.24-1_StackGuard_2.i386.rpm
  7e60d99ce1cf12da1b1671b72dc893bc  mgetty-1.1.24-1_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	gpm
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1313
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-021-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the gpm program.
  
  The gpm package is currently unmaintained, but the author has placed a
  patch to fix this in the updates directory for the gpm program.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/gpm-1.19.3-4_StackGuard_2.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/gpm-devel-1.19.3-4_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/gpm-1.19.3-4_StackGuard_2.src.rpm

md5sums of the packages:
  657dfa541b202e011b823e68944e4e28  gpm-1.19.3-4_StackGuard_2.i386.rpm
  b8a37d6220b262636e9df9e24f81f36b  gpm-devel-1.19.3-4_StackGuard_2.i386.rpm
  52a25925229d052ffe68c109d42350fb  gpm-1.19.3-4_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	wu-ftpd
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1314
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-022-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the privatepw helper
  program in the wu-ftpd package.
  
  The maintainers of the wu-ftpd package have placed a patch to fix this
  on their ftp site.  Thanks go out to them for responding so quickly.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/wu-ftpd-2.6.1-6_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/wu-ftpd-2.6.1-6_StackGuard_2.src.rpm

md5sums of the packages:
  0259bb98f5f81b87f39504f748818a3f  wu-ftpd-2.6.1-6_StackGuard_2.i386.rpm
  b941f7411d925af70405ba10fd1c3db3  wu-ftpd-2.6.1-6_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	inn
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1315
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-023-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the inn program.  This
  is partly due to the way that the inn program is compiled and set up
  on Immunix Linux, and partly due to the lack of information in the inn
  documentation about the security problems that arise if you do not
  tell inn to use a private temporary directory.  We have applied a
  patch that creates temporary files safely for inn, AND moved all temp
  file creation by inn into its own private directory, which should
  solve this problem.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 beta are available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inews-2.2.3-3_StackGuard_3.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inn-2.2.3-3_StackGuard_3.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inn-devel-2.2.3-3_StackGuard_3.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/inn-2.2.3-3_StackGuard_3.src.rpm

md5sums of the packages:
  ead2af814ce19919c1b9f3a5cb6db853  inews-2.2.3-3_StackGuard_3.i386.rpm
  feea622aca6a5b217e42f11df025fa90  inn-2.2.3-3_StackGuard_3.i386.rpm
  0fe0bad19dcde112b83e803023b85c9f  inn-devel-2.2.3-3_StackGuard_3.i386.rpm
  25676fde907a0b71f665512bdf1b2aa8  inn-2.2.3-3_StackGuard_3.src.rpm


-----------------------------------------------------------------------
Packages updated:	diffutils
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1316
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-024-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the sdiff program within
  the diffutils package.
  
  A patch has been applied that fixes this problem, and the maintainers
  assure us that an updated release of the diffutils package will occur
  in the future with this problem solved.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/diffutils-2.7-21_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/diffutils-2.7-21_StackGuard_2.src.rpm

md5sums of the packages:
  af961df849ad223552a8dbc59f768cc9  diffutils-2.7-21_StackGuard_2.i386.rpm
  c1e02bb7f3bd0519844edd8cbd8e34ea  diffutils-2.7-21_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	getty_ps
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1317
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-025-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the getty_ps program.
  
  A patch has been applied that fixes this problem, however the
  maintainer of the program never responded to our email message about
  this problem.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/getty_ps-2.0.7j-12_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/getty_ps-2.0.7j-12_StackGuard_2.src.rpm

md5sums of the packages:
  ebe7518773d6598ef520233236488b7a  getty_ps-2.0.7j-12_StackGuard_2.i386.rpm
  22576dbf9d22ee4bb16811bddc9abd00  getty_ps-2.0.7j-12_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	rdist
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1318
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-026-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the rdist program.
  
  The maintainer has been notified of this problem, and will release an
  update sometime in the future fixing this.  A patch has been applied
  to our package that fixes the problem now.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/rdist-6.1.5-14_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/rdist-6.1.5-14_StackGuard_2.src.rpm

md5sums of the packages:
  b4bb7dfa02cd2d5e3607295a030e3c48  rdist-6.1.5-14_StackGuard_2.i386.rpm
  1a4209df60484be6792b8938b9649a5d  rdist-6.1.5-14_StackGuard_2.src.rpm


-----------------------------------------------------------------------
Packages updated:	shadow-utils
Affected products:	Immunix OS 7.0-beta
Bugs Fixed:		immunix/1319
Date:			January 10, 2001
Advisory ID:		IMNX-2000-70-027-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  In an internal audit conducted while preparing Immunix Linux 7.0 we
  noticed a potential temp file race problem in the useradd program
  within the shadow-utils package.  The useradd program creates its temp
  files in the protected directory /etc/default, but if this directory
  is changed to be world writable, a problem could occur.
  
  The maintainer has been notified of this problem, and will release an
  update sometime in the future fixing this.  A patch has been applied
  to our package that fixes this very minor problem now.
  
  Packages have been created and released for Immunix 7.0 beta to fix
  this problem.
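
  The shadow-utils entry turns on the permissions of the directory rather
  than on the file name, which is also the point the inn entry makes
  about using a private temporary directory.  As an added example (not
  shadow-utils, inn or Immunix code), here is the check a privileged
  program could run before writing predictably named files into a
  directory: it must be a real directory, owned by root or by the caller,
  and not writable by anyone else unless it is sticky like /tmp, in which
  case every create still needs O_EXCL.  The scratch directory and the
  modes walked through are constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if dir is an acceptable home for a privileged program's temp
 * files, 0 otherwise.  lstat() is used on purpose: if the directory path is
 * itself a symlink, someone may already be steering us, so refuse it.
 * (This is a sanity check, not a race-free guarantee: the directory can
 * still change after we look, which is why O_EXCL or mkstemp() is needed
 * on the file create regardless of the answer here.) */
int tempdir_is_safe(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) < 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    /* group- or world-writable without the sticky bit lets others plant
     * symlinks at names we will later open: the /etc/default case above */
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX)) return 0;
    return 1;
}

/* Walk the /etc/default scenario in a scratch directory (constructed): start
 * with the mode it ships with, then loosen it the way a misconfigured system
 * might.  Returns 1 when every expectation holds. */
int demo_tempdir_check(void) {
    char dir[] = "/tmp/tmpdircheck.XXXXXX";
    int ok = 1;
    if (!mkdtemp(dir)) return 0;
    ok &= chmod(dir, 0755) == 0 && tempdir_is_safe(dir) == 1;   /* as shipped */
    ok &= chmod(dir, 0775) == 0 && tempdir_is_safe(dir) == 0;   /* group-writable */
    ok &= chmod(dir, 0777) == 0 && tempdir_is_safe(dir) == 0;   /* world-writable */
    ok &= chmod(dir, 01777) == 0 && tempdir_is_safe(dir) == 1;  /* sticky, /tmp-like */
    rmdir(dir);
    return ok;
}
```

  A directory that fails this check is not made safe by using mkstemp()
  inside it alone: the attacker can still pre-create or rename entries
  there, so the fix inn took (a private directory) is the one that
  removes the problem rather than narrowing the window.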

Package names and locations:
  Precompiled binary package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/shadow-utils-19990827-18_StackGuard_2.i386.rpm

  Source package for Immunix 7.0 beta is available at:
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/shadow-utils-19990827-18_StackGuard_2.src.rpm 

md5sums of the packages:
  e72dbcf083d4de74ca37411e3e0901bc  shadow-utils-19990827-18_StackGuard_2.i386.rpm
  39524e6160e402d4d1997f408c0846a0  shadow-utils-19990827-18_StackGuard_2.src.rpm 


