From:	 TurboLinux Security Team <security@www1.turbolinux.com>
To:	 tl-security-announce@www1.turbolinux.com
Subject: [TL-Security-Announce] TLSA2001024 pmake-2.1.35beta-2
Date:	 Fri, 25 May 2001 14:07:02 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



_____________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package:  pmake
        Vulnerable Packages: All Turbolinux versions previous to 2.1.35beta-2
        Date: 05/24/2001 5:00 PDT


        Affected Turbolinux platforms: TL 6.1 Workstation,
                                       All Turbolinux versions
                                       6.0.5 and earlier

        Turbolinux Advisory ID#:  TLSA2001024

       
_____________________________________________________________________________________________

A security hole has been discovered in the package pmake.  Please update
the packages in your installation as soon as possible.
_____________________________________________________________________________________________

1. Problem Summary
   
   In the Turbolinux platforms referenced above, the pmake binary is installed
   setuid root.

2. Impact

   A local user could run pmake with root privileges.  An attacker could then
   exploit vulnerabilities in other programs that pmake uses.

3. Solution
     
   Update the packages from our ftp server by running the following
   command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/pmake-2.1.35beta-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/pmake-customs-2.1.35beta-2.i386.rpm 

   The source RPM can be downloaded here:

ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/pmake-2.1.35beta-2.src.rpm

   **Note: You must rebuild and install the RPM if you choose to download
   and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
   THE SECURITY HOLE.


*************************************IMPORTANT*******************************************

    In order for pmake to run properly, be sure to do the following:

      -Open up a terminal prompt and log in as "root".
      -Go to /usr/lib/rpm and open the file called "macros".
      -Look for the directive called "%_mandir".  Its current setting is:

                        %{_prefix}/man

       Change it so that it reads:
           
                        %{_prefix}/share/man


*****************************************************************************************

  
 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
_____________________________________________________________________________________________
                                       
  06872bdb7868177cdf04169814a25f02      pmake-2.1.35beta-2.i386.rpm
  c583682c3f2b3bd3d7854580b0e758e5      pmake-customs-2.1.35beta-2.i386.rpm
  4cc72823376566879442057beb25cb33      pmake-2.1.35beta-2.src.rpm
_____________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.
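
As an added example (not part of the Turbolinux advisory), the checksum comparison above can be scripted together with a check for the setuid-root condition described in the Problem Summary. The function names and script layout are this example's own; the MD5 values are the ones listed above.

```shell
#!/bin/sh
# Added example for advisory TLSA2001024; function names are illustrative.
# An MD5 match only shows the download equals the listed file; the GPG
# check (rpm --checksig) is what ties the package to the vendor key.

# MD5 sums exactly as listed in the advisory ("sum  filename" per line).
ADVISORY_SUMS='06872bdb7868177cdf04169814a25f02  pmake-2.1.35beta-2.i386.rpm
c583682c3f2b3bd3d7854580b0e758e5  pmake-customs-2.1.35beta-2.i386.rpm
4cc72823376566879442057beb25cb33  pmake-2.1.35beta-2.src.rpm'

# verify_md5 MANIFEST_TEXT DIR
# Prints one status line per package; returns non-zero if any file is
# missing or its MD5 differs from the manifest.
verify_md5() {
    vm_rc=0
    while read -r vm_want vm_name; do
        [ -n "$vm_name" ] || continue
        if [ ! -f "$2/$vm_name" ]; then
            echo "MISSING   $vm_name"; vm_rc=1; continue
        fi
        vm_got=$(md5sum < "$2/$vm_name" | cut -d' ' -f1)
        if [ "$vm_got" = "$vm_want" ]; then
            echo "OK        $vm_name"
        else
            echo "MISMATCH  $vm_name (got $vm_got)"; vm_rc=1
        fi
    done <<EOF
$1
EOF
    return "$vm_rc"
}

# is_setuid_root FILE
# Succeeds when FILE is a regular file owned by uid 0 with the setuid bit
# set, the condition the advisory reports for the pmake binary.
is_setuid_root() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -user 0 2>/dev/null)" ]
}

# Usage: sh check.sh DIR_WITH_RPMS [PATH_TO_PMAKE]
if [ "$#" -ge 1 ]; then
    verify_md5 "$ADVISORY_SUMS" "$1" || echo "do not install: checksum check failed"
    pmake_bin=${2:-$(command -v pmake || true)}
    if [ -n "$pmake_bin" ] && is_setuid_root "$pmake_bin"; then
        echo "$pmake_bin is still setuid root"
    fi
fi
```
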

________________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.x Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
________________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues in
                Turbolinux products.
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: pgpenvelope 2.10.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE7DsmCcpw52/ZatwoRAtDkAJ9UOpJ7HlL9tatftFiqKGtUTAZWuwCcDw4Y
FlmQY9GJzOiSUe+Z+uYGOo0=
=2A9V
-----END PGP SIGNATURE-----


