Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200406-02 ] tripwire: Format string vulnerability
Date: Fri, 04 Jun 2004 21:46:00
Message-Id: 40C0ED45.9080602@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200406-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: tripwire: Format string vulnerability
Date: June 04, 2004
Bugs: #52945
ID: 200406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

tripwire contains a format string vulnerability that allows arbitrary
code execution under certain circumstances.

Background
==========

tripwire is an open source file integrity checker.

Affected packages
=================

-------------------------------------------------------------------
     Package               /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  app-admin/tripwire        <= 2.3.1.2             >= 2.3.1.2-r1

Description
===========

The code that generates email reports, in pipedmailmessage.cpp,
contains a format string vulnerability: a filename taken from the
checked filesystem reaches a printf-style function as the format
string rather than as an argument, so any conversion directives in
the name are interpreted.

Impact
======

An attacker who can create a file with a carefully crafted name on a
local filesystem that tripwire checks could cause execution of
arbitrary code, with the permissions of the user running tripwire,
when tripwire generates an email report. That user could be root.
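The following C program is an illustration added to this advisory; it is
not tripwire's pipedmailmessage.cpp, and its function names and sample
filenames are constructed for the example. It shows the bug class behind
the advisory side by side with the standard fix: a filename used as the
format string (vulnerable) versus the same filename passed as an argument
to a constant "%s" format (fixed). The sample name uses "%%", which is
well-defined and consumes no argument, so the two outputs differ without
invoking undefined behaviour; an attacker would use "%x" to read the
stack or "%n" to write memory instead. A small directive counter shows
how to audit names that would be dangerous as a format string.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative report-line builders for this advisory. This is not
 * tripwire's pipedmailmessage.cpp; the function names and the sample
 * filenames are constructed for the example.
 */

/* Calling snprintf through a pointer removes the direct non-literal
 * format argument that -Wformat-security would flag; variadic wrappers
 * hide the bug from the compiler in exactly the same way. */
typedef int (*fmt_fn)(char *, size_t, const char *, ...);

/* Bug pattern: the untrusted filename IS the format string. Every
 * '%'-directive in the name is interpreted: "%x" leaks stack contents,
 * "%n" writes to memory, and "%%" silently turns into "%". */
static int report_line_vulnerable(char *out, size_t outlen, const char *filename)
{
    fmt_fn fmt = snprintf;
    return fmt(out, outlen, filename);
}

/* Fix: the filename is an argument to a constant format, so it is copied
 * verbatim and no directive inside it is ever interpreted. */
static int report_line_fixed(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "%s", filename);
}

/* Count the directives a printf-style function would act on if this
 * string were used as its format. "%%" counts as one (an escape); any
 * other '%' starts a conversion. Useful for auditing names in a report. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        n++;
        if (p[1] == '%')
            p++;            /* skip the second '%' of an escape */
    }
    return n;
}

int main(void)
{
    /* Constructed filename: "%%" is well-defined and consumes no
     * argument, so the difference between the two paths can be shown
     * without undefined behaviour. */
    const char *name = "change%%log.txt";
    char vuln[256], fixed[256];

    report_line_vulnerable(vuln, sizeof vuln, name);
    report_line_fixed(fixed, sizeof fixed, name);

    printf("filename   : %s (%d directives)\n", name, count_format_directives(name));
    printf("vulnerable : %s\n", vuln);   /* change%log.txt  - name was interpreted */
    printf("fixed      : %s\n", fixed);  /* change%%log.txt - name copied verbatim */
    printf("attacker   : %d directives in \"%%08x.%%08x.%%n\"\n",
           count_format_directives("%08x.%08x.%n"));
    return 0;
}
```

Compiling with gcc -Wall -Wformat -Wformat-security reports a direct
snprintf(out, outlen, filename) call; the pointer call above is only there
to show that such warnings are easy to lose behind a wrapper, so an audit
of report and logging code should look for every printf-family call whose
format is not a string literal, not only for what the compiler flags.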

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tripwire users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=app-admin/tripwire-2.3.1.2-r1"
# emerge ">=app-admin/tripwire-2.3.1.2-r1"

References
==========

[ 1 ] Bugtraq Announcement

http://www.securityfocus.com/archive/1/365036/2004-05-31/2004-06-06/0

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200406-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAwO1FvcL1obalX08RAkrZAJ9Q7rq0lHme7mugx5gqNJsQA1+4fACgoByQ
1bQVhKo0jRXswMknBjPSVn4=
=t7dZ
-----END PGP SIGNATURE-----