Date: Wed, 26 Sep 2001 11:30 -0400
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com
Subject: [RHSA-2001:110-05] Insecure setserial initscript
Cc: bugtraq@securityfocus.com, linux-security@redhat.com, security@redhat.com
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Insecure setserial initscript
Advisory ID: RHSA-2001:110-05
Issue date: 2001-09-12
Updated on: 2001-09-19
Product: Red Hat Linux
Ключевые слова:, , , , , , , , , setserial, initscript, temporary, file, (найти похожие документы)
Cross references:=20=20
Obsoletes:=20=20=20=20=20=20=20=20=20
---------------------------------------------------------------------
1. Topic:
The initscript distributed with the setserial package (which is not
installed or enabled by default) uses predictable temporary file names, and
should not be used. setserial-2.17-4 and earlier versions are affected.
If you have not recompiled your kernel, this issue does not affect you. To=
=20
check if you are affected by this issue, use the following command:
/bin/ls /etc/rc.d/init.d/serial
If this gives the output '/etc/rc.d/init.d/serial' then the initscript=20
has been manually installed. In this case use the following command:
/sbin/modprobe -l | grep '/serial\.o'
If this command gives output, you are affected by this issue.
2. Relevant releases/architectures:
3. Problem description:
The setserial package comes with an initscript in the documentation=20
directory. If this initscript is manually copied into the init.d=20
directory structure and enabled, and the kernel is recompiled to have=20
modular serial port support, then the initscript will use a predictable=20
temporary file name.
There are a number of other bugs that also prevent the initscript from
working correctly in this situation (detailed in bugzilla bug #52862).
4. Solution:
Do not use the initscript supplied with setserial. To disable it, use=20
the following command:
/sbin/chkconfig serial off
Alternatively, if your system needs manual adjustment of its serial
port settings and you wish to have those adjustments re-applied
automatically on boot, be sure to use a kernel that has non-modular
serial port support, such as those supplied by Red Hat, Inc.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
6. RPMs required:
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
8. References:
Bugzilla bug #52862, at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D52862
Copyright(c) 2000, 2001 Red Hat, Inc.
