Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Thu, 14 Nov 2002 14:22:51 -0800
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-045.0] Linux: python insecure temporary files in os._execvpe

--hQiwHBbRI9kgIhsi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@li=
nuxsecurity.com full-disclosure@lists.netsys.com

___________________________________________________________________________=
___

			SCO Security Advisory

Subject:		Linux: python insecure temporary files in os._execvpe=20
Advisory number: 	CSSA-2002-045.0
Issue date: 		2002 November 14
Cross reference:
___________________________________________________________________________=
___


1. Problem Description

	os._execvpe from os.py in Python creates temporary files with
	predictable names, which could allow local users to execute
	arbitrary code via a symlink attack.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to python-1.5.2-23.i386.rpm
					prior to python-devel-1.5.2-23.i386.rpm
					prior to python-docs-1.5.2-23.i386.rpm
					prior to python-tools-1.5.2-23.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to python-1.5.2-23.i386.rpm
					prior to python-devel-1.5.2-23.i386.rpm
					prior to python-docs-1.5.2-23.i386.rpm
					prior to python-tools-1.5.2-23.i386.rpm

	OpenLinux 3.1 Server		prior to python-1.5.2-23.i386.rpm
					prior to python-devel-1.5.2-23.i386.rpm
					prior to python-docs-1.5.2-23.i386.rpm
					prior to python-tools-1.5.2-23.i386.rpm

	OpenLinux 3.1 Workstation	prior to python-1.5.2-23.i386.rpm
					prior to python-devel-1.5.2-23.i386.rpm
					prior to python-docs-1.5.2-23.i386.rpm
					prior to python-tools-1.5.2-23.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/RPMS

	4.2 Packages

	d02a87d515a2e0295b61a70e21d85d67	python-1.5.2-23.i386.rpm
	f026986740ce3b24aa75a6ef6d6f813d	python-devel-1.5.2-23.i386.rpm
	a4d8a3a8a6011f4d87d1a3c3e75150d1	python-docs-1.5.2-23.i386.rpm
	6283c3abfb5a339d6f3c8e1b2b0304fc	python-tools-1.5.2-23.i386.rpm

	4.3 Installation

	rpm -Fvh python-1.5.2-23.i386.rpm
	rpm -Fvh python-devel-1.5.2-23.i386.rpm
	rpm -Fvh python-docs-1.5.2-23.i386.rpm
	rpm -Fvh python-tools-1.5.2-23.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/SRPMS

	4.5 Source Packages

	3041180ed79446f6a8cd8cfedff00c26	python-1.5.2-23.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/=
RPMS

	5.2 Packages

	6d2e343894471d4a93526a50e58af0a0	python-1.5.2-23.i386.rpm
	b6deb353e9a98e9b0e340e8b477a824a	python-devel-1.5.2-23.i386.rpm
	7add35e7aef1386039852737a86ddbee	python-docs-1.5.2-23.i386.rpm
	6171e897385c76edf00c0e02f08347cf	python-tools-1.5.2-23.i386.rpm

	5.3 Installation

	rpm -Fvh python-1.5.2-23.i386.rpm
	rpm -Fvh python-devel-1.5.2-23.i386.rpm
	rpm -Fvh python-docs-1.5.2-23.i386.rpm
	rpm -Fvh python-tools-1.5.2-23.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-045.0/=
SRPMS

	5.5 Source Packages

	0ab0a2c193ec4031d706648ab2b3b9d1	python-1.5.2-23.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-045.0/RPMS

	6.2 Packages

	d294fd2d394f464e21866a08e0023b08	python-1.5.2-23.i386.rpm
	4c17a3b0bc297dd2efe5cd1857894ac7	python-devel-1.5.2-23.i386.rpm
	ed4acb8309c022ed86ca6f70d6a76977	python-docs-1.5.2-23.i386.rpm
	3fc021186ac2ff05af448c945481a6d5	python-tools-1.5.2-23.i386.rpm

	6.3 Installation

	rpm -Fvh python-1.5.2-23.i386.rpm
	rpm -Fvh python-devel-1.5.2-23.i386.rpm
	rpm -Fvh python-docs-1.5.2-23.i386.rpm
	rpm -Fvh python-tools-1.5.2-23.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-045.0/SRPMS

	6.5 Source Packages

	fd76ce8a916c54b2bb39c59dfab108ab	python-1.5.2-23.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-045.0/RP=
MS

	7.2 Packages

	63778bc0ecd4b9d0bea8d13f0c8f6675	python-1.5.2-23.i386.rpm
	e0321c8e207b61596f0a229c5a39d637	python-devel-1.5.2-23.i386.rpm
	c990c27494f5be2197d04a9547e7fa6b	python-docs-1.5.2-23.i386.rpm
	8af51bc909042691f3578fcc5c3e2ca2	python-tools-1.5.2-23.i386.rpm

	7.3 Installation

	rpm -Fvh python-1.5.2-23.i386.rpm
	rpm -Fvh python-devel-1.5.2-23.i386.rpm
	rpm -Fvh python-docs-1.5.2-23.i386.rpm
	rpm -Fvh python-tools-1.5.2-23.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-045.0/SR=
PMS

	7.5 Source Packages

	9dcbab4cbf814be8291b5a68241176f2	python-1.5.2-23.src.rpm


8. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2002-1119

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr868648, fz525980,
	erg712115.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

___________________________________________________________________________=
___

--hQiwHBbRI9kgIhsi
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj3UIjsACgkQbluZssSXDTF0QgCfdzosvgtJc8AbzDrpa0+Akr8r
VL8Anif51Q9TAnH0VK5SvUz8ZvpQA9rJ
=6rN2
-----END PGP SIGNATURE-----

--hQiwHBbRI9kgIhsi--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: