______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: several problems in xemacs
Advisory number: CSSA-2000-011.0
Issue date: 2000 May, 18
Cross reference:
______________________________________________________________________________
1. Problem Description
Under some circumstances, users are able to snoop on
other users' keystrokes. This is a serious problem if
you use modules that require e.g. input of passwords,
such as MailCrypt.
Temporary files are created insecurely.
2. Vulnerable Versions
System                        Package
-----------------------------------------------------------
OpenLinux Desktop 2.3         All packages previous to
                              xemacs-21.1.10-4
OpenLinux eServer 2.3         All packages previous to
and OpenLinux eBuilder        xemacs-21.1.10-4
OpenLinux eDesktop 2.4        All packages previous to
                              xemacs-21.1.10-4
3. Solution
Workaround:
None.
The proper solution is to upgrade to the fixed packages.
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
2d2ae22fe27647ed7745f02a53cf0f72 RPMS/xemacs-base-21.1.10-4.i386.rpm
41a2decd82536379e9402469d65a3f4e RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
54c0058ad71e61a3bd1c484af262366e RPMS/xemacs-icons-21.1.10-4.i386.rpm
ec19e0280324b8fe5defcdc3d33ef081 RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
9f86fb8bcb88d8c74049a56390a22b33 RPMS/xemacs-mule-21.1.10-4.i386.rpm
13e350cf1c5153c7184d8913a1d85230 RPMS/xemacs-packages-21.1.10-4.i386.rpm
b14202812d6b7fc64d036d0ad0047be7 SRPMS/xemacs-21.1.10-4.src.rpm
4.3 Installing Fixed Packages
First delete parts of the old xemacs packages:
rpm -e xemacs-auctex
rpm -e xemacs-calc
rpm -e xemacs-emul
rpm -e xemacs-mailnews
rpm -e xemacs-modes
rpm -e xemacs-sgmldocs
rpm -e xemacs-www
Upgrade the affected packages with the following commands:
rpm -F --force --nodeps xemacs-*.i386.rpm
5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
aa00dacc5c309da3535a0288f1f114e8 RPMS/xemacs-base-21.1.10-4.i386.rpm
ff552f8c3610d243d78c2d8608739d02 RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
2fa3499e4b51f6305a0fae18f0124ca1 RPMS/xemacs-icons-21.1.10-4.i386.rpm
aa4b05a5be8e429feeb69685964bd417 RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
ba9adfb1e749425b1a17566bd09816cb RPMS/xemacs-mule-21.1.10-4.i386.rpm
5786ba6bfed07f06164d4cb30089892c RPMS/xemacs-packages-21.1.10-4.i386.rpm
ee02cf1a63d9f754bfe219206725fe20 SRPMS/xemacs-21.1.10-4.src.rpm
5.3 Installing Fixed Packages
First delete parts of the old xemacs packages:
rpm -e xemacs-auctex
rpm -e xemacs-calc
rpm -e xemacs-emul
rpm -e xemacs-mailnews
rpm -e xemacs-modes
rpm -e xemacs-sgmldocs
rpm -e xemacs-www
Upgrade the affected packages with the following commands:
rpm -F --force --nodeps xemacs-*.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
0597c7843fce75a95b6fe5362418bec4 RPMS/xemacs-base-21.1.10-4.i386.rpm
1075f3f257212c2180c8aeee2e330339 RPMS/xemacs-emacs-link-21.1.10-4.i386.rpm
cca7c5bbff10c8fd66a7b9524a8b4646 RPMS/xemacs-icons-21.1.10-4.i386.rpm
9cf1566c157f0acfe243f99131c660a8 RPMS/xemacs-lispsource-21.1.10-4.i386.rpm
253fb7d5aee0b25dad2d0cb2eef122be RPMS/xemacs-mule-21.1.10-4.i386.rpm
adb96e41b347b0e2998a9318884f85ad RPMS/xemacs-packages-21.1.10-4.i386.rpm
b2d86fa715c832b63604107ab1b5abbb SRPMS/xemacs-21.1.10-4.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -F xemacs-*.i386.rpm
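The Verification and Installing steps above can be tied together so that nothing reaches rpm unchecked. The following is an added example, not part of Caldera's advisory: it assumes the checksum lines of the matching Verification section have been saved to a file and that the downloads sit under RPMS/ and SRPMS/ in one directory; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Hypothetical names: verify_packages,
# LIST, DIR. LIST holds the "<md5> <path>" lines of one Verification section.
# MD5 is what the advisory publishes: it catches a corrupted or swapped
# download but is not collision resistant.

# verify_packages LIST DIR
# Returns 0 only if every file named in LIST exists under DIR and matches,
# and every xemacs-*.i386.rpm in DIR/RPMS is named in LIST.
verify_packages() {
    list=$1 dir=$2 rc=0 n=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue          # skip blank lines
        path=${path#\*}                     # md5sum binary-mode marker
        n=$((n + 1))
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "MISMATCH $path" >&2; rc=1; }
    done < "$list"
    [ "$n" -gt 0 ] || { echo "empty checksum list" >&2; rc=1; }
    # The install command globs xemacs-*.i386.rpm, so a file that is
    # present but absent from LIST would be installed unverified.
    for f in "$dir"/RPMS/xemacs-*.i386.rpm; do
        [ -e "$f" ] || continue             # glob matched nothing
        name=RPMS/${f##*/}
        awk -v p="$name" '{ q = $2; sub(/^\*/, "", q) }
            q == p { ok = 1 } END { exit !ok }' "$list" ||
            { echo "UNLISTED $name" >&2; rc=1; }
    done
    return "$rc"
}

# Usage (from the download directory, followed by the rpm command of the
# matching Installing section):
#   verify_packages checksums.txt . && (cd RPMS && rpm -F xemacs-*.i386.rpm)
```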
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 6061.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________