Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: lprng (200306-04)
Date: Sat, 14 Jun 2003 16:43:28
Message-Id: 20030614164018.96D1B33783@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200306-04
- - - ---------------------------------------------------------------------

          PACKAGE : lprng
          SUMMARY : symbolic link attack
             DATE : 2003-06-14 16:40 UTC
          EXPLOIT : local
VERSIONS AFFECTED : <lprng-3.8.12-r1
    FIXED VERSION : >=lprng-3.8.12-r1
              CVE : CAN-2003-0136

- - - ---------------------------------------------------------------------

psbanner in the LPRng package allows local users to overwrite arbitrary
files via a symbolic link attack on the /tmp/before file.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-print/lprng upgrade to lprng-3.8.12-r1 as follows:

emerge sync
emerge lprng
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+60/yfT7nyhUpoZMRApsGAJ4n+2mfrL/F9DAL9eg0ggh+XGOS+ACeLp24
B/u/+deWB5K8uX3PhtA8HqI=
=T6zX
-----END PGP SIGNATURE-----
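
The class of bug described in this advisory, shown as an added example: a write to a fixed temporary-file name next to an exclusive open that refuses a path someone else already occupies. This is not LPRng's psbanner code, which the advisory does not show; the function names, the private demo directory and the file contents are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: fixed name, and open() follows a symlink that is already there. */
static int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if anything (a symlink included)
 * already exists at path; O_NOFOLLOW also refuses a symlink outright. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: "before" is a
 * symlink to "victim". Returns 1 if writing through the chosen opener
 * changed victim, 0 if victim is intact, -1 on setup error. */
int victim_clobbered(int hardened) {
    char dir[] = "/tmp/glsa-demo-XXXXXX", victim[PATH_MAX], lnk[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/before", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "important", 9) != 9 || close(v) != 0) return -1;
    if (symlink(victim, lnk) != 0) return -1;

    int fd = hardened ? open_exclusive(lnk) : open_unsafe(lnk);
    if (fd >= 0) { ssize_t n = write(fd, "x", 1); (void)n; close(fd); }

    int clobbered = (stat(victim, &st) != 0 || st.st_size != 9);
    unlink(lnk); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("unsafe open:   victim clobbered = %d\n", victim_clobbered(0));
    printf("hardened open: victim clobbered = %d\n", victim_clobbered(1));
    return 0;
}
```

For scratch files, mkstemp() avoids the fixed name altogether; the exclusive open matters when the name has to stay predictable.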