Debian alert: New fam packages fix privilege escalation

Posted by dave on Aug 16, 2002 10:09 AM EDT
Mailing list
Mail this story
Print this story

A flaw was discovered in FAM's group handling. In the effect users are unable to FAM directories they have group read and execute permissions on. However, also unprivileged users can potentially learn names of files that only users in root's group should be able to view.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 154-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 15th, 2002                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : fam
Vulnerability  : privilege escalation
Problem-Type   : local
Debian-specific: no

A flaw was discovered in FAM's group handling.  In the effect users
are unable to FAM directories they have group read and execute
permissions on.  However, also unprivileged users can potentially
learn names of files that only users in root's group should be able to
view.

This problem been fixed in version 2.6.6.1-5.2 for the current stable
stable distribution (woody) and in version 2.6.8-1 (or any later
version) for the unstable distribution (sid).  The old stable
distribution (potato) is not affected, since it doesn't contain fam
packages.

We recommend that you upgrade your fam packages.

wget url
	will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2.dsc
      Size/MD5 checksum:      582 c85dc0471332fee4a8c479a4da7f8c3c
    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2.diff.gz
      Size/MD5 checksum:     7630 47737eb840520df5d7c1424866627ff7
    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1.orig.tar.gz
      Size/MD5 checksum:   289005 fb1e2a2c01a2a568c2c0f67fa9b90e41

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_alpha.deb
      Size/MD5 checksum:    79350 3b81338188807cb5bca93b1ec6fb57cc
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_alpha.deb
      Size/MD5 checksum:    33064 60940e8809a4bb24c66a3de71acbbcab
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_alpha.deb
      Size/MD5 checksum:    36188 bfa26a28c9841cb7f27f359bc4f5db1d

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_arm.deb
      Size/MD5 checksum:    60328 6407969c77d75c542d588ddbe0894326
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_arm.deb
      Size/MD5 checksum:    29980 1cc6627f802ab8404d48ef2e909f45c8
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_arm.deb
      Size/MD5 checksum:    27844 295f117c1f04a5026a9d1063e5d3ba30

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_i386.deb
      Size/MD5 checksum:    59410 ad9b2cb638c5a8c6516ca7762543c418
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_i386.deb
      Size/MD5 checksum:    29398 e38857597943d466c5e897dc780a4755
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_i386.deb
      Size/MD5 checksum:    32352 caa455f94ae2762987ae7787fc5dde46

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_ia64.deb
      Size/MD5 checksum:    88934 4391dd719917f6daccfa531523e50cd0
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_ia64.deb
      Size/MD5 checksum:    35612 67210b45b17bd2b8b1e3a0f8637fb0df
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_ia64.deb
      Size/MD5 checksum:    45790 a98b08fe026f84fb91f8bff9664538e0

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_hppa.deb
      Size/MD5 checksum:    70668 a6471f295233dab67161c7a0dd64d33f
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_hppa.deb
      Size/MD5 checksum:    32162 382fe3ba40ded1397b710d4bf777e0d9
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_hppa.deb
      Size/MD5 checksum:    33464 057620d63f5a8d384e33bb38ba91e6e2

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_m68k.deb
      Size/MD5 checksum:    57592 6b37b2878101173347e17f374e84f721
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_m68k.deb
      Size/MD5 checksum:    29124 2c1dfc0ec88e3f07fa701ca69aaa44bc
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_m68k.deb
      Size/MD5 checksum:    32912 b9936e5818e30388b16531a81ba2ff07

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_mips.deb
      Size/MD5 checksum:    74602 6df218b9cf0d02ac80b14e804577398a
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_mips.deb
      Size/MD5 checksum:    31370 b4de3a6b76911da3444ca6639989c38e
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_mips.deb
      Size/MD5 checksum:    31894 fd8cce0df31ed5e90c8e7414f0c0fcd9

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_mipsel.deb
      Size/MD5 checksum:    73924 17385ca599e2c96bf29b3ad629462d12
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_mipsel.deb
      Size/MD5 checksum:    31458 6ded23d5b78f63ae2464cfd2186daec0
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_mipsel.deb
      Size/MD5 checksum:    31724 c195749053e15ce4c58083e8bb19045a

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_powerpc.deb
      Size/MD5 checksum:    58322 2d6c9f5656603d038927a58f8471fd4f
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_powerpc.deb
      Size/MD5 checksum:    29892 6352ac12a99d6b96b08c0aa6230165df
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_powerpc.deb
      Size/MD5 checksum:    33190 cb5b5e3abf22f06b96449c20ba910732

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_s390.deb
      Size/MD5 checksum:    57232 6c739fb150162d7ecf6d5c6d1d1162a6
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_s390.deb
      Size/MD5 checksum:    28484 5b72634dafe0c01dd299eb429464d698
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_s390.deb
      Size/MD5 checksum:    32238 bfc10afb0c1319045ee8da9ddd73d231

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fam/fam_2.6.6.1-5.2_sparc.deb
      Size/MD5 checksum:    56796 f6e96ed2f69da1320b3a29ccea07ac9b
    http://security.debian.org/pool/updates/main/f/fam/libfam-dev_2.6.6.1-5.2_sparc.deb
      Size/MD5 checksum:    28808 3973d1c70bf91f4bc0a0665ef1dd5f83
    http://security.debian.org/pool/updates/main/f/fam/libfam0_2.6.6.1-5.2_sparc.deb
      Size/MD5 checksum:    30868 612c31405105f6ddfafdaf7a46ba8215


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9XT/AW5ql+IAeqTIRAoWnAKCZZScj9/rkqeOw81K/eh9IPRWjVwCgh3TT
97nlrEWCM+4v6Xze9BXZOhU=
=N+v2
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.