![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: TurboLinux Security Team <security@www1.turbolinux.com>
To: tl-security-announce@www1.turbolinux.com
Subject: [TL-Security-Announce] TLSA2001005 glibc-2.1.3-33
Date: Thu, 3 May 2001 18:36:55 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
Turbolinux Security Announcement
Vulnerable Packages: All versions prior to glibc-2.1.3-33
Date: 05/01/2001 5:00 PDT
Affected Turbolinux versions:TL WorkStation Server 6.5,
TL 6.1 WorkStation,
All Turbolinux versions
6.0.5 and earlier
Turbolinux Advisory ID#: TLSA2001009
Credits: Fixes made by Ulrich Drepper of Red Hat
___________________________________________________________________________
A security hole was discovered in the package mentioned above.
Please update the packages in your installation as soon as possible.
___________________________________________________________________________
1. Problem Summary(From the BugTraq advisory at securityfocus.com,id#1634)
A format string vulnerability exists in the locale subsystem. The
locale subsystem consists of databases that contain language and
country specific information. Whenever a program needs to display a
message to a user, it accesses a database within the subsystem and
retrieves the proper language-specific string using the original
message as the search key. The string(s) retrieved by the program are
displayed using printf(). It is possible for an attacker to control
the output by building and installing a custom database.
2. Impact(Also from the BugTraq advisory on securityfocus.com)
An attacker can execute arbitrary code as a user with elevated
privileges(root) using almost any setuid program on the
vulnerable system.
In some operating systems, it is also possible to exploit the problem
remotely using the environment variable passing off options to telnetd,
but the attacker must first install his customized database onto
the target host.
3. Solution
************** If you are using Turbolinux Server 6.5: *********************
Update the packages from our ftp server by running the following
command for each package:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm
************** If you are using Turbolinux Workstation 6.1: ***************
First, uninstall the package glibc-2.1.3-2jaJP using the command:
rpm -e glibc-2.1.3-2jaJP
Next, install the following packages by running the following command:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-locale-2.1.3-10.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm
Finally, upgrade the package glibc-devel with the following command:
rpm -Uvh --force ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm
************** If you are using Turbolinux Server6.0.5: ******************
Update the package glibc from our ftp server by running the following
command:
rpm -Uvh --force ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-2.1.3-33.i386.rpm
Next, update the packages glibc-devel and glibc-profile from our ftp
server by running the following command:
rpm -Uvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-devel-2.1.3-33.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/glibc-profile-2.1.3-33.i386.rpm
*******************************************************************************
The source RPM can be downloaded here:
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.3-33.src.rpm
**Note: You must rebuild and install the RPM if you choose to download
and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
THE SECURITY HOLE.
Please verify the MD5 checksums of the updates before you install:
MD5 sum Package Name
- ---------------------------------------------------------------------------
985c3946d8b659ddc36c15428056be51 glibc-2.1.3-33.i386.rpm
115c757d2fd29d8ad6281e5bb96a08df glibc-locale-2.1.3-10.noarch.rpm
955fc79bddbf80918fe51810b2fd2045 glibc-devel-2.1.3-33.i386.rpm
61c21f8ce865de4ff319e162474bd4d5 glibc-profile-2.1.3-33.i386.rpm
ada28c27fca1f259e1a4fee6686a5862 glibc-2.1.3-33.src.rpm
___________________________________________________________________________
These packages are GPG signed by Turbolinux for security. Our key
is available here:
http://www.turbolinux.com/security/tlgpgkey.asc
To verify a package, use the following command:
rpm --checksig name_of_rpm
To examine only the md5sum, use the following command:
rpm --checksig --nogpg name_of_rpm
**Note: Checking GPG keys requires RPM 3.0 or higher.
___________________________________________________________________________
You can find more updates on our ftp server:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/
for TL6.0 Workstation and Server security updates
Our webpage for security announcements:
http://www.turbolinux.com/security
If you want to report vulnerabilities, please contact:
security@turbolinux.com
___________________________________________________________________________
Subscribe to the Turbolinux Security Mailing lists:
TL-security - A moderated list for discussing security issues
Turbolinux products.
Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
TL-security-announce - An announce-only mailing list for security
updates and alerts. Subscribe at:
http://www.turbolinux.com/mailman/listinfo/tl-security-announce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.10.0 - http://pgpenvelope.sourceforge.net/
iD8DBQE68gfMcpw52/ZatwoRApDbAJ4hUat6yQekSRLW1CSxY3UKZAkNJwCdFmjR
DC6Zs0vlRLHuiQiP/nU+gpw=
=H78/
-----END PGP SIGNATURE-----
_______________________________________________
TL-Security-Announce mailing list
TL-Security-Announce@www.turbolinux.com
http://www.turbolinux.com/mailman/listinfo/tl-security-announce