The sgmltool programs ("sgml2html" and others) are used to convert SGML-files into various other formats.
|
|
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: sgmltool-1.0.9-266
Announcement-ID: SuSE-SA:2001:16
Date: Friday, May 4th, 14:55:35 CEST 2001
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1
Vulnerability Type: local fileaccess problem
Severity (1-10): 2
SuSE default package: yes
Other affected systems: All UN*X systems using this package
Content of this advisory:
1) security vulnerability resolved: sgmltool
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The sgmltool programs ("sgml2html" and others) are used to convert
SGML-files into various other formats.
During operation, the underlying SGML perlmodule creates temporary files
in an insecure way. This allows attackers to destroy arbitrary files owned
by the user who invoked the sgmltool program. The problem has been fixed
by creating temporary files with the exclusive (O_EXCL) option upon
opening them.
Download the update package from locations desribed below and install
the package with the command `rpm -Uhv file.rpm'. The md5sum for each
file is in the line below. You can verify the integrity of the rpm
files using the command
`rpm --checksig --nogpg file.rpm',
independently from the md5 signatures below.
i386 Intel Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sgm1/sgmltool-1.0.9-302.i386.rpm
bdedaefb82dc2bb8ff0a522607b80ac3
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sgmltool-1.0.9-302.src.rpm
dc5612aa475c5d6dcaaeee86e6bf985f
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/sgm1/sgmltool-1.0.9-301.i386.rpm
916953307d466d3bd8d26fb0655ce55a
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sgmltool-1.0.9-301.src.rpm
5e11b85a494e1033ee2a83839cb296fe
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/sgm1/sgmltool-1.0.9-300.i386.rpm
a489acc5c3dce4c44915e47b3ee64790
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/sgmltool-1.0.9-300.src.rpm
efdb6b08988b689127600a954ebe2e2f
SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/sgm1/sgmltool-1.0.9-300.i386.rpm
9c1e5da161b67248935cbc7f485dfd40
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/sgmltool-1.0.9-300.src.rpm
a2deae294821e73ed24429636b20ed2a
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sgm1/sgmltool-1.0.9-283.sparc.rpm
b3e0ec269392fb3d77c37cc698f77d16
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sgmltool-1.0.9-283.src.rpm
eb80b6efe08f40139ec181fed7ccc832
SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/sgm1/sgmltool-1.0.9-284.sparc.rpm
8312ac046de5df7a47008dba32f1a7e8
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sgmltool-1.0.9-284.src.rpm
a7e48214ae01f4f720240c1204120927
AXP Alpha Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/sgm1/sgmltool-1.0.9-283.alpha.rpm
06348dc4b669098d80bc16a8cc836123
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/sgmltool-1.0.9-283.src.rpm
c7c7ff5507f7a510d615235323f9f636
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/sgm1/sgmltool-1.0.9-281.alpha.rpm
ee6bb4dd45c90ba716f0d825fba7bbca
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/sgmltool-1.0.9-281.src.rpm
44366d7edcace3448a606aff0c73026f
SuSE-6.3
ftp://ftp.suse.com/pub/suse/axp/update/6.3/sgm1/sgmltool-1.0.9-281.alpha.rpm
2c2450e3dfdde9066269add9cfb0757b
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/sgmltool-1.0.9-281.src.rpm
66a9d60866a5ebbb2e0682a2056f2528
PPC Power PC Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sgm1/sgmltool-1.0.9-216.ppc.rpm
01bda0ee0edfa1e1036d27b2bb3de352
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sgmltool-1.0.9-216.src.rpm
1c6668d3ccc1b27bb3d5a4f84b308323
SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/sgm1/sgmltool-1.0.9-216.ppc.rpm
e9b7161fe3a10624790ce65d9909165d
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sgmltool-1.0.9-216.src.rpm
15b8204b9378f8e833e6bac263bbacdd
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/sgm1/sgmltool-1.0.9-216.ppc.rpm
6af30c53d022866df5dd69ae053eeeea
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/sgmltool-1.0.9-216.src.rpm
35aa3ab2a86498c5e6ad145c0c7e378a
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- Marcus Meissner (Caldera) found a bug in KDE 2.1.*'s kdesu program
which allows attackers to gather private information. This is due to
insecure local filehandling by the kdesu program. Please update to
the newest packages.
- minicom
format string vulnerabilities have been found in the minicom package.
If /usr/bin/minicom is installed suid, the vulnerability may be
exploited to gain elevated privileges. Please note that this is not
the case in SuSE distributions. If you decided to make /usr/bin/minicom
suid uucp or even suid root, please make sure that you grant access to
the execution of minicom to trusted users only.
- cfingerd
The package has been found vulnerable to a remotely exploitable
weakness. SuSE Linux distributions do not ship this version of
fingerd.
- webmin
Insecure handling of temporary files has been found in webmin, a
comprehensive administration webinterface. SuSE distributions do not
contain the webmin package and therefore are not vulnerable to the
found vulnerabilities by default. We urge administrators who use
webmin to upgrade to the latest version of webmin available.
- gnupg/gpg, openssl
Several weaknesses have been found in gnupg/gpg that can reduce the
strength of encrypted data. We will provide updates for the gnupg/gpg
package. The updates are currently being tested.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
===============================================
SuSE's security contact is <security@suse.com>.
===============================================
Regards,
Sebastian Krahmer
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBOvKmBHey5gA9JdPZAQFNrQf/WNKH2qdtejRaCkmkqO0h2zMSKrhWDmqA
v0vhSI/iG+Ax+SXq2Jt7hhGbi8qNBGEGQI4Pm1gA66prJgDsh6azwqCCDU33Q8AK
nQ0smS65VaFJsc5inSM/KIa33mpA82uwkihmTFUxrt0zh96Pqgbdu4ayr2BqlGCD
G7QRQD79RFzJwMDlmrAZjAHslKe3RlXwXcyXfUgWZnkNW+Ehv6Pd1Zqj/EyIDHhg
T6f5t5+QxCoIKiw1aVbW8UZ4Kpk0wMzfoU0A/INS8omEgDZFPxdm7woNDXYvlrfp
l7MS1/fqt9LqFZOW+XGFvVJOrKhSbDPxQ96W8Oft6mAx8XhH5se3Mw==
=WRNV
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.0
: Mon Jun 04 2001 - 18:25:16 PDT
|