[PLDSA 43-1] New man packages fix local arbitrary code execution

Krzysiek Taraszka dzimi at pld.org.pl
Sat May 3 15:44:29 CEST 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 43-1                       security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
12 March 2003                        http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to man-1.5k-2
Vulnerability  : arbitrary code execution
Problem-Type   : local
PLD-specific   : no

Fixed a bug which results in arbitrary code execution upon reading a
specially formatted man file. The basic problem is that, upon finding a
string with a quoting problem, the function my_xsprintf in util.c returns
the string "unsafe" (rather than returning a string which could be
interpreted by the shell). This return value is passed directly to
system(3), meaning that if there is any program named `unsafe`, it will
execute with the privileges of the user.
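
The in-band error pattern described above, next to a form that reports the
failure out of band, as an added example (not code from man or from this
advisory). The function names and the character whitelist are hypothetical
simplifications; only the "unsafe" return value comes from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified quoting check: accept only characters that
   never need shell quoting. The real check in man is not shown here. */
static int is_shell_safe(const char *s) {
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+./:,";
    return *s != '\0' && s[strspn(s, ok)] == '\0';
}

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

static char *join_cmd(const char *tool, const char *arg) {
    size_t n = strlen(tool) + strlen(arg) + 2;   /* space + NUL */
    char *buf = malloc(n);
    if (buf) snprintf(buf, n, "%s %s", tool, arg);
    return buf;
}

/* Pattern from the advisory: the error is returned in-band as the string
   "unsafe", which a caller cannot tell apart from a command line. */
char *build_cmd_inband(const char *tool, const char *arg) {
    return is_shell_safe(arg) ? join_cmd(tool, arg) : dup_str("unsafe");
}

/* Out-of-band error: NULL can never be mistaken for a command, so the
   caller has to check it before anything reaches system(3). */
char *build_cmd_checked(const char *tool, const char *arg) {
    return is_shell_safe(arg) ? join_cmd(tool, arg) : NULL;
}

int main(void) {
    const char *bad = "page;name";   /* constructed input with a quoting problem */
    char *a = build_cmd_inband("nroff", bad);
    char *b = build_cmd_checked("nroff", bad);
    printf("in-band: system() would receive \"%s\"\n", a ? a : "(null)");
    printf("checked: %s\n", b ? b : "refused, nothing handed to system()");
    free(a);
    free(b);
    return 0;
}
```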

The above problems have been fixed in version 1.5l-2 for the
current stable distribution (ra).

We recommend that you upgrade your man packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages

poldek --update
        will update the internal database
poldek --upgrade 'man*'
        will install corrected packages

If you are using the "apt" package manager, use the lines given below
to upgrade the packages

apt-get update
        will update the internal database
apt-get upgrade 'man*'
        will install corrected packages

PLD Linux 1.0 alias ra
--------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/man-1.5l-2.src.rpm
       MD5 checksum: 595606ee0a81dce6eacdf96ba717417c

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/man-1.5l-2.i386.rpm
       MD5 checksum: 2709f11b7d2ca8d1dbbd131261a83005

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/man-config-1.5l-2.i386.rpm
       MD5 checksum: dd7702e6f0598e789b6370c4bd20934b

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/man2html-1.5l-2.i386.rpm
       MD5 checksum: 378a3dc6d7219ba3201bcc211b56d786

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/man2html-cgi-1.5l-2.i386.rpm
       MD5 checksum: 586807b7f589145676186f1f86f53966


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/man-1.5l-2.i586.rpm
       MD5 checksum: afd94a18e2a45c642242302b25a02f0c

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/man-config-1.5l-2.i586.rpm
       MD5 checksum: 53ede41c5fb67c4c7644b10696917844

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/man2html-1.5l-2.i586.rpm
       MD5 checksum: fcfa78a53b5ced56cefea0b17c4abe95

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/man2html-cgi-1.5l-2.i586.rpm
       MD5 checksum: 4114d258244dbef825225f6d3de58241


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/man-1.5l-2.i686.rpm
       MD5 checksum: 7bb26abd0a97006583d17da13f961f44

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/man-config-1.5l-2.i686.rpm
       MD5 checksum: be1270911fcfe2d3e6aae42ecc778153

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/man2html-1.5l-2.i686.rpm
       MD5 checksum: 08726e20b0affac35ce75106d82b2f72

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/man2html-cgi-1.5l-2.i686.rpm
       MD5 checksum: b6c32e83ded4dbe3bd5e1f2736cd565e


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/man-1.5l-2.ppc.rpm
       MD5 checksum: b8aecacc233f8947c7197adabe0dcad6

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/man-config-1.5l-2.ppc.rpm
       MD5 checksum: 2d392580575bed95d75d36dbbe3415f9

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/man2html-1.5l-2.ppc.rpm
       MD5 checksum: 55ad895178d5742211b724f04f2b2db4

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/man2html-cgi-1.5l-2.ppc.rpm
       MD5 checksum: 0120cca3bc155dc3b53aff47a7341be8


--------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security
