[RHSA-2002:020-05] Updated ncurses4 compat packages are available


Date: Thu, 21 Feb 2002 17:08 -0500
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com
Subject: [RHSA-2002:020-05] Updated ncurses4 compat packages are available
Cc: bugtraq@securityfocus.com, linux-security@redhat.com

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated ncurses4 compat packages are available
Advisory ID:       RHSA-2002:020-05
Issue date:        2002-01-29
Updated on:        2002-02-19
Product:           Red Hat Linux
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

Updated ncurses4 compatibility packages which fix a potential security
problem are available.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386
Red Hat Linux 7.2 - i386

3. Problem description:

The ncurses library provides a terminal-independent method of screen
handling. A problem has been found in ncurses version 5.0 that could cause
a buffer overflow. This overflow could be locally exploited if the library
is linked into a program that runs setuid or setgid.

Red Hat Linux ships with a compatibility package 'ncurses4' that is
actually based on ncurses version 5.0 but has been made ABI compatible
with ncurses 4.

No programs that ship with Red Hat Linux are exploitable. A program could
only be exploited if it uses the ncurses 4 compatibility package and if it
is run setuid or setgid.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0062 to this issue.

Thanks to Daniel Jacobowitz at MontaVista Software for alerting us to this
issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

6. RPMs required:

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/ncurses4-5.0-5.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/ncurses4-5.0-5.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/ncurses4-5.0-5.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/ncurses4-5.0-5.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/ncurses4-5.0-5.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/ncurses4-5.0-5.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/ncurses4-5.0-5.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/ncurses4-5.0-5.i386.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
53856e0c3219de2fcb4e56600b4eb3b9 7.0/en/os/SRPMS/ncurses4-5.0-5.src.rpm
b470c5cf9eaaa4710a09e114aced3f4d 7.0/en/os/alpha/ncurses4-5.0-5.alpha.rpm
b5ad8bc36c129534192e0dbce582f5ed 7.0/en/os/i386/ncurses4-5.0-5.i386.rpm
53856e0c3219de2fcb4e56600b4eb3b9 7.1/en/os/SRPMS/ncurses4-5.0-5.src.rpm
b470c5cf9eaaa4710a09e114aced3f4d 7.1/en/os/alpha/ncurses4-5.0-5.alpha.rpm
b5ad8bc36c129534192e0dbce582f5ed 7.1/en/os/i386/ncurses4-5.0-5.i386.rpm
53856e0c3219de2fcb4e56600b4eb3b9 7.2/en/os/SRPMS/ncurses4-5.0-5.src.rpm
b5ad8bc36c129534192e0dbce582f5ed 7.2/en/os/i386/ncurses4-5.0-5.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0062

Copyright(c) 2000, 2001 Red Hat, Inc.
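
The advisory limits exposure to programs that both use the ncurses 4 compatibility libraries and run setuid or setgid. The following audit script is an added example, not part of the Red Hat advisory: it lists such files under a directory. The function names are hypothetical, and it assumes `readelf` from binutils is installed and that the ncurses4 package supplies the sonames `libncurses.so.4`, `libform.so.4`, `libmenu.so.4` and `libpanel.so.4`.

```shell
#!/bin/sh
# Added example: list setuid/setgid ELF files that depend on the ncurses 4
# compatibility libraries. Function names are hypothetical.
# Assumption: the ncurses4 package supplies the sonames matched below.

# Extract DT_NEEDED sonames from `readelf -d` output on stdin.
parse_needed() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# Print the shared libraries a file requests, without executing it
# (ldd is avoided because it may run code from the file it inspects).
needed_libs() {
    readelf -d "$1" 2>/dev/null | parse_needed
}

# Succeed if any soname on stdin belongs to the ncurses 4 ABI.
uses_ncurses4() {
    grep -Eq '^lib(ncurses|form|menu|panel)\.so\.4$'
}

# Print every setuid or setgid regular file under "$1" that links ncurses 4.
audit_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if needed_libs "$f" | uses_ncurses4; then
            printf '%s\n' "$f"
        fi
    done
}

# Scan the directories given on the command line, if any.
for dir in "$@"; do
    audit_dir "$dir"
done
```

Any path it prints meets both conditions the advisory names and should be reviewed until ncurses4-5.0-5 is installed; `rpm -q ncurses4` shows the installed release.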
