MDKSA-2005:077 - Updated cdrecord packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: cdrecord
Advisory ID: MDKSA-2005:077
Date: April 20th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Javier Fernandez-Sanguino Pena discovered that cdrecord created
temporary files in an insecure manner if DEBUG was enabled in
/etc/cdrecord/rscsi. If the default value was used (which stored
the debug output file in /tmp), a symbolic link attack could be used
to create or overwrite arbitrary files with the privileges of the
user invoking cdrecord. Please note that by default this configuration
file does not exist in Mandriva Linux so unless you create it and
enable DEBUG, this does not affect you.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0866
http://bugs.debian.org/291376
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
b76b1f88a021c51f2ed0e01e1655cced
10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.i586.rpm
647980c29121e4cb656e0786007e6e5c
10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.i586.rpm
31e3ed2e746db7f53914d063c4cb1ad0
10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.i586.rpm
7715dc6d38cf9f89be7ec823ce3ae80a
10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.i586.rpm
ba546809bbddf8d3034e19a9eb7b302d
10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
1bc7d6c833f4457fd95f17f98d79015a
amd64/10.0/RPMS/cdrecord-2.01-0.a28.3.100mdk.amd64.rpm
1ddb746abc3a1330b4807a024b3ca9ee
amd64/10.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.100mdk.amd64.rpm
ddf466f2357364d42486693b4532240f
amd64/10.0/RPMS/cdrecord-devel-2.01-0.a28.3.100mdk.amd64.rpm
e899df2f7be3e50b0bd59aef795ffa52
amd64/10.0/RPMS/mkisofs-2.01-0.a28.3.100mdk.amd64.rpm
ba546809bbddf8d3034e19a9eb7b302d
amd64/10.0/SRPMS/cdrecord-2.01-0.a28.3.100mdk.src.rpm
Mandrakelinux 10.1:
794bf04c820b0260d0e694f062c905f2 10.1/RPMS/cdrecord-2.01-1.1.101mdk.i586.rpm
42ec8777385b893d8251599570c36c73
10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.i586.rpm
3d058e44f07c83879278baaa495e8450
10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.i586.rpm
e6a9c9c198b54ea22adc0bd7911cffaf
10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.i586.rpm
c1c45207be3fd2ca3aefb58a644bc82a
10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.i586.rpm
37ab3e2083acb6faa1e7b36afe2165a7 10.1/RPMS/mkisofs-2.01-1.1.101mdk.i586.rpm
768f4f60b9790fac5b557746c98e3505 10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
e8480e54f0ceb69ad4b24ef8a708a9b9
x86_64/10.1/RPMS/cdrecord-2.01-1.1.101mdk.x86_64.rpm
6599dacd7cc7f2348afc4b163f958364
x86_64/10.1/RPMS/cdrecord-cdda2wav-2.01-1.1.101mdk.x86_64.rpm
1701e03afa8804c5c98322a90af10ba5
x86_64/10.1/RPMS/cdrecord-devel-2.01-1.1.101mdk.x86_64.rpm
2cfb1b7cd36e366f9f869934a580a996
x86_64/10.1/RPMS/cdrecord-isotools-2.01-1.1.101mdk.x86_64.rpm
77cbb47faa8da69d4757043a50163c97
x86_64/10.1/RPMS/cdrecord-vanilla-2.01-1.1.101mdk.x86_64.rpm
1ecb8362b876ba63d81bafc0079db541
x86_64/10.1/RPMS/mkisofs-2.01-1.1.101mdk.x86_64.rpm
768f4f60b9790fac5b557746c98e3505
x86_64/10.1/SRPMS/cdrecord-2.01-1.1.101mdk.src.rpm
Mandrakelinux 10.2:
e88cb26c11fa7db8cc0d635dc3f09746
10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.i586.rpm
d581a2787035515872382465d5a0b52d
10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.i586.rpm
96f46be6665c42b4a24f03cdfecda60f
10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.i586.rpm
a7abba59fdf0e767c2d6029ea681c457
10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.i586.rpm
51a00a1b64e8ec4ea09b399ebfce1da1
10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.i586.rpm
33bab4de7eced57809cb3e88fd4da58c
10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.i586.rpm
f3fb0008491fe53605279f76b218cb8d
10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
15a112f392f250ea82a2bc54bb74f32f
x86_64/10.2/RPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
7c872b9867899f5b7f4c30c37ca1c4e0
x86_64/10.2/RPMS/cdrecord-cdda2wav-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
06ebe0c9e9f8c1366d19122d77841270
x86_64/10.2/RPMS/cdrecord-devel-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
fe2c5214b8e5765326177a606afd8995
x86_64/10.2/RPMS/cdrecord-isotools-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
3f16d1f23475953132c39e73d5a5eb36
x86_64/10.2/RPMS/cdrecord-vanilla-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
d41ca3a964192961a8df1ebc51d74b14
x86_64/10.2/RPMS/mkisofs-2.01.01-0.a01.6.1.102mdk.x86_64.rpm
f3fb0008491fe53605279f76b218cb8d
x86_64/10.2/SRPMS/cdrecord-2.01.01-0.a01.6.1.102mdk.src.rpm
Corporate Server 2.1:
41f690bdc4e9ed38a5e07b441dc68e2e
corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.i586.rpm
21fd0a4f61d96d8099bfc7e420078997
corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.i586.rpm
a88c902c395ab6922bd187bdb89f9f37
corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.i586.rpm
a256764d4fa4206aa252b6abb9826a07
corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.i586.rpm
3afc5d3ae2642fc622ba33a70982f22b
corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.i586.rpm
9d0ad887fde0366818d4efd867a024c3
corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
3a2e0f073569f2b3cfebc2048894515a
x86_64/corporate/2.1/RPMS/cdrecord-1.11-0.a32.1.2.C21mdk.x86_64.rpm
71680076240e7ec0166416eb73e7af7a
x86_64/corporate/2.1/RPMS/cdrecord-cdda2wav-1.11-0.a32.1.2.C21mdk.x86_64.rpm
7395c0654192b3bc1cf2ba298c82df46
x86_64/corporate/2.1/RPMS/cdrecord-devel-1.11-0.a32.1.2.C21mdk.x86_64.rpm
9f2de918b15db99cf89e1e6d3c86c24f
x86_64/corporate/2.1/RPMS/cdrecord-dvdhack-1.11-0.a32.1.2.C21mdk.x86_64.rpm
2644ac211232f9a10aa1519b00f5e364
x86_64/corporate/2.1/RPMS/mkisofs-1.15-0.a32.1.2.C21mdk.x86_64.rpm
9d0ad887fde0366818d4efd867a024c3
x86_64/corporate/2.1/SRPMS/cdrecord-1.11-0.a32.1.2.C21mdk.src.rpm
Corporate 3.0:
3352fc19b054b565996b0322db3ced25
corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.i586.rpm
46df5e69acd47306efcb732942a0365b
corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.i586.rpm
8addf58eff5059b2f10daab5766db805
corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.i586.rpm
70c2e71dfaa1f44962a123becf6ec988
corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.i586.rpm
5f772fbe88aab2ae890b71e46c83976f
corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
11a0aaf96ba4ea707fdbe421ad0dd9ad
x86_64/corporate/3.0/RPMS/cdrecord-2.01-0.a28.3.C30mdk.x86_64.rpm
a8ea5673da05ec4bdbbd95e4c85b91e1
x86_64/corporate/3.0/RPMS/cdrecord-cdda2wav-2.01-0.a28.3.C30mdk.x86_64.rpm
384896d7b6ad11ad8eafac6db166ef8e
x86_64/corporate/3.0/RPMS/cdrecord-devel-2.01-0.a28.3.C30mdk.x86_64.rpm
07615c675d0a11b2f4b78db6d2ba2736
x86_64/corporate/3.0/RPMS/mkisofs-2.01-0.a28.3.C30mdk.x86_64.rpm
5f772fbe88aab2ae890b71e46c83976f
x86_64/corporate/3.0/SRPMS/cdrecord-2.01-0.a28.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCZ1OAmqjQ0CJFipgRAideAJ9YPKcVLcK7lfsggj8X28ELtETxtQCffkye
K2ljRmUOow003gkCohr01X8=
=hGQi
-----END PGP SIGNATURE-----