From: TurboLinux Security Team <security@www1.turbolinux.com>
To: tl-security-announce@www1.turbolinux.com
Subject: [TL-Security-Announce] TLSA2001029 esound-0.2.22-1
Date: Thu, 21 Jun 2001 11:13:41 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___________________________________________________________________________

                        Turbolinux Security Announcement

        Package: esound
        Vulnerable Packages: All Turbolinux versions previous to 0.2.22-1
        Date: 06/21/2001 5:00 PDT

        Affected Turbolinux platforms: TL 6.1 Workstation,
                                       All Turbolinux versions 6.0.5
                                       and earlier
        Turbolinux Advisory ID#: TLSA2001029
        Reference: http://www.securityfocus.com/bid/1659
___________________________________________________________________________

A security hole has been discovered in the package esound.
Please update this package in your installation as soon as possible.
___________________________________________________________________________

1. Problem Summary

   Esound creates a world-writable directory, /tmp/.esd, owned by the
   user running esound, and places in it the socket shared by the
   programs that use esound. When esound starts, it makes that socket
   world-writable. Because the directory itself is world-writable, an
   attacker can first create a symbolic link at the socket's path inside
   /tmp/.esd pointing to any file owned by the esound user; the
   permission change follows the link and makes the target file
   world-writable.

2. Impact

   Any file owned by the esound user can be overwritten by a local
   attacker.

3. Solution

   Update the package from our ftp server by running the following
   command:

       rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/esound-0.2.22-1.i386.rpm
   ftp://ftp.turbolinux.com/pub/updates/6.0/security/esound-devel-0.2.22-1.i386.rpm

   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/esound-0.2.22-1.src.rpm

   **Note: You must rebuild and install the RPM if you choose to download
   and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
   THE SECURITY HOLE.

   In order to properly rebuild the esound binaries, make sure you have
   the package "audiofile-devel" installed on your system.

   Please verify the MD5 checksums of the updates before you install:

   MD5 sum                            Package Name
___________________________________________________________________________
   08543da5d8212492755a9913a650b26e   esound-0.2.22-1.i386.rpm
   e3ae1c4b06ed465d30ff960d30146e51   esound-devel-0.2.22-1.i386.rpm
   1756ffc8c1cc4a8d9bb0abae187fc14f   esound-0.2.22-1.src.rpm
___________________________________________________________________________

   These packages are GPG signed by Turbolinux for security. Our key is
   available here:

       http://www.turbolinux.com/security/tlgpgkey.asc

   To verify a package (signature and digest), use the following command:

       rpm --checksig name_of_rpm

   To examine only the md5sum (this checks integrity, not who produced
   the package), use the following command:

       md5sum name_of_rpm

   **Note: Checking GPG keys requires RPM 3.0 or higher.
___________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.x
   Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
___________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

   TL-security - A moderated list for discussing security issues in
   Turbolinux products.
   Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

   TL-security-announce - An announce-only mailing list for security
   updates and alerts.
   Subscribe at: http://www.turbolinux.com/mailman/listinfo/tl-security-announce

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.10.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE7MkAncpw52/ZatwoRAk7zAKCJWSl8JwF4kSq/puxGybfNiZTSdgCePj5B
2vkaIGPS6yFmdY/qHMk53BM=
=lfBs
-----END PGP SIGNATURE-----

_______________________________________________
TL-Security-Announce mailing list
TL-Security-Announce@www.turbolinux.com
http://www.turbolinux.com/mailman/listinfo/tl-security-announce
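The Problem Summary above describes a classic /tmp symlink race: a daemon prepares a world-writable directory, then changes permissions on a path inside it with a call that follows symbolic links. The example below is added here and is not esound's code or part of the Turbolinux update; it shows the check a daemon should perform on its private socket directory instead. It uses mkdir(2) (which never follows a link), lstat(2) rather than stat(2), and refuses a path that is a symlink, is not owned by the caller, or carries any group/other bits, and it never calls chmod() on the path. The function and path names (secure_private_dir, demo_scenarios, /tmp/esd-demo-<pid>) are hypothetical, and the three filesystem states the demo builds under its own scratch directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for secure_private_dir(). */
enum {
    DIR_OK = 0,
    DIR_ERR_CREATE = -1,   /* mkdir/lstat failed for an unexpected reason */
    DIR_ERR_SYMLINK = -2,  /* path is a symbolic link */
    DIR_ERR_NOTDIR = -3,   /* path exists but is not a directory */
    DIR_ERR_OWNER = -4,    /* directory is owned by another user */
    DIR_ERR_MODE = -5      /* group or other have access (e.g. 0777) */
};

/* Create `path` as a 0700 directory, or accept it if it already exists,
 * but only when it is a real directory owned by `uid` with no group/other
 * permission bits.  mkdir() never follows symlinks, so a planted link
 * makes it fail with EEXIST; lstat() (not stat()) then reports the link
 * itself rather than whatever it points to.  Nothing here calls chmod()
 * on the path, which is the call the advisory's attacker relies on. */
int secure_private_dir(const char *path, uid_t uid)
{
    struct stat st;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return DIR_ERR_CREATE;
    if (lstat(path, &st) != 0)
        return DIR_ERR_CREATE;
    if (S_ISLNK(st.st_mode))
        return DIR_ERR_SYMLINK;
    if (!S_ISDIR(st.st_mode))
        return DIR_ERR_NOTDIR;
    if (st.st_uid != uid)
        return DIR_ERR_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return DIR_ERR_MODE;
    return DIR_OK;
}

/* Exercise three filesystem states under a scratch directory (constructed
 * here; hypothetical paths):
 *   results[0]: fresh path                     -> DIR_OK
 *   results[1]: attacker's pre-planted symlink -> DIR_ERR_SYMLINK
 *   results[2]: pre-existing 0777 directory    -> DIR_ERR_MODE
 * Returns 0 on success, -1 if the scratch setup itself failed. */
int demo_scenarios(int results[3])
{
    char base[64], fresh[96], planted[96], victim[96], open_dir[96];
    uid_t me = getuid();

    snprintf(base, sizeof base, "/tmp/esd-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) != 0)
        return -1;
    snprintf(fresh, sizeof fresh, "%s/.esd", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(planted, sizeof planted, "%s/.esd-link", base);
    snprintf(open_dir, sizeof open_dir, "%s/.esd-open", base);

    /* 1: nothing there yet; the daemon gets a clean 0700 directory. */
    results[0] = secure_private_dir(fresh, me);

    /* 2: the attacker's symlink to a file the daemon's user owns. */
    FILE *f = fopen(victim, "w");
    if (f == NULL || fclose(f) != 0 || symlink("victim", planted) != 0)
        return -1;
    results[1] = secure_private_dir(planted, me);

    /* 3: a world-writable directory like the one old esound created. */
    if (mkdir(open_dir, 0700) != 0 || chmod(open_dir, 0777) != 0)
        return -1;
    results[2] = secure_private_dir(open_dir, me);

    /* Remove the scratch tree. */
    unlink(planted); unlink(victim);
    rmdir(fresh); rmdir(open_dir); rmdir(base);
    return 0;
}

int main(void)
{
    int r[3];
    if (demo_scenarios(r) != 0) {
        perror("demo setup");
        return 1;
    }
    printf("fresh=%d symlink=%d world-writable=%d\n", r[0], r[1], r[2]);
    return 0;
}
```

Refusing rather than "repairing" the directory is deliberate: a chmod() or chown() on a path the attacker controls is exactly the operation the advisory's attacker is waiting for, so the safe response to an unexpected state in /tmp is to abort and report it.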