Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: mgetty (200304-09)
Date: Mon, 28 Apr 2003 12:00:52
Message-Id: 20030428101749.22FBF338E6@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-09
- - - ---------------------------------------------------------------------

PACKAGE : mgetty
SUMMARY : buffer overflow, insecure spool dir
DATE : 2003-04-28 10:17 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <mgetty-1.1.29
FIXED VERSION : >=mgetty-1.1.29
CVE : CAN-2002-1391 CAN-2002-1392

- - - ---------------------------------------------------------------------

* faxspool in mgetty before 1.1.29 uses a world-writable spool directory
for outgoing faxes, which allows local users to modify fax transmission
privileges.

* Buffer overflow in cnd-program for mgetty before 1.1.29 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a Caller ID string with a long CallerName argument.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-dialup/mgetty upgrade to mgetty-1.1.30 as follows:

emerge sync
emerge mgetty
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+rP/MfT7nyhUpoZMRAokdAJ91QAEmv7Nr7Hzgp43J0HCDwQfBwwCgt1zc
P5fwqg1Nhom86cg231An8y4=
=nFXu
-----END PGP SIGNATURE-----
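
Added example, not part of the original advisory and not Gentoo or mgetty code: a shell check for the first issue above, a fax spool directory that every local user can write to. The directory path is passed in by the caller because the advisory does not name it, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a spool directory for the world-writable condition described in the
# advisory. Usage (path is an assumption supplied by the administrator):
#   sh check_spool.sh /path/to/outgoing/fax/spool

# Prints one of: missing | world-writable | world-writable-sticky | ok
spool_dir_status() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    # -prune keeps find on the directory itself.
    # "-perm -NNNN" matches when all of the listed mode bits are set.
    if [ -n "$(find "$dir" -prune -perm -1002)" ]; then
        # Like /tmp: anyone can create entries, but cannot rename or delete
        # entries owned by other users.
        echo world-writable-sticky
    elif [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        # Any local user can create, rename or delete queued jobs.
        echo world-writable
    else
        echo ok
    fi
}

# Counts entries below the directory that any local user could modify.
# Symlinks are skipped because their own mode bits are not meaningful.
world_writable_entries() {
    find "$1" -mindepth 1 ! -type l -perm -0002 -exec printf . \; \
        | wc -c | tr -d ' '
}

# Run the audit only when a directory was given on the command line.
if [ "$#" -gt 0 ]; then
    status=$(spool_dir_status "$1")
    echo "$1: $status"
    if [ "$status" != missing ]; then
        echo "world-writable entries inside: $(world_writable_entries "$1")"
    fi
fi
```

A result of `world-writable` after upgrading means the directory mode was left over from the old install and should be reviewed by hand.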