[Security Announce] [ MDKSA-2006:154 ] - Updated lesstif packages fix potential local root vulnerability
Posted on: 08/29/2006 08:25 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:154
http://www.mandriva.com/security/
_______________________________________________________________________

Package : lesstif
Date : August 28, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The libXm library in LessTif 0.95.0 and earlier allows local users to gain
privileges via the DEBUG_FILE environment variable, which is used to create
world-writable files when libXm is run from a setuid program.

The updated packages have been rebuilt with the --enable-production
configure switch in order to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4124
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
5a2095ef8f223e31d66537eb8f4208e7 2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.i586.rpm
9f25125b71b97ed2a3e55933170a8c5e 2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.i586.rpm
dc5645d0866df7c724d6ccd2a6b4551f 2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.i586.rpm
b8b7e00f812b9a401c2e788eb8b2f25e 2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.i586.rpm
d2ff104b736c1353ab938605a2933409 2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
d8a34a5cf582b928b04a045023855583 2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
c6d1ccdedfc29596ad3c16d3673ab02e 2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
0200601fca4f4b46b90ac6ee753a494d x86_64/2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.x86_64.rpm
9d6303a17d8d96755a4d24632dbfa97b x86_64/2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.x86_64.rpm
360f72d386d714c965f777aa2271734b x86_64/2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.x86_64.rpm
0b24f9b55fa69494dbcb06e24be2300b x86_64/2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.x86_64.rpm
747cfa1520babbfbbbdbca0efb7fab5e x86_64/2006.0/RPMS/lib64lesstif1-0.93.94-4.2.20060mdk.x86_64.rpm
c816c37d83b85770e1001667ee539d70 x86_64/2006.0/RPMS/lib64lesstif2-0.93.94-4.2.20060mdk.x86_64.rpm
d2ff104b736c1353ab938605a2933409 x86_64/2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
d8a34a5cf582b928b04a045023855583 x86_64/2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
c6d1ccdedfc29596ad3c16d3673ab02e x86_64/2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm

Corporate 3.0:
c7cee6a1237c5c06768232890e5c9b75 corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.i586.rpm
c49db462160fff3aa6dc9c0690cb7c86 corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.i586.rpm
bac4c3dc97d33fec236e5f92801c64ca corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.i586.rpm
3f4cbdbbdfd5d1e83d8236ce37c81f9c corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.i586.rpm
c5cfffe6870b88fc12220c2b9a45138b corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
eadc97c5094cd92c57d97cbde382fb5f x86_64/corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.x86_64.rpm
852cb3b36147975aa1a53b371c1b6a86 x86_64/corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.x86_64.rpm
947c9bcb69de35c3eea430f877452d10 x86_64/corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.x86_64.rpm
754bc9a74f9b50ddf93e056979f7381e x86_64/corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.x86_64.rpm
c5cfffe6870b88fc12220c2b9a45138b x86_64/corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE84w6mqjQ0CJFipgRArGJAKC4DsiaR+vEoEvJwjVryC8i0VR5vACeIMb7
zMuaXHkPVtRD3ae3/dctbsY=
=6Uev
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006154__updated_lesstif_packages_fix_potential_local_root_vulnerability.html)