[Security Announce] [ MDKSA-2007:046 ] - Updated gnucash packages fix temp file issues.
Posted on: 02/21/2007 04:35 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:046
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gnucash
Date : February 21, 2007
Affected: 2007.0
_______________________________________________________________________

Problem Description:

Gnucash 2.0.4 and earlier allows local users to overwrite arbitrary
files via a symlink attack on the (1) gnucash.trace, (2) qof.trace,
and (3) qof.trace.[PID] temporary files.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0007
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
a8b619c62b08ffe1a0a94123450c9182 2007.0/i586/gnucash-2.0.1-1.1mdv2007.0.i586.rpm
4670eabd1f6b6ac60d6c0fa6bbf86fae 2007.0/i586/gnucash-hbci-2.0.1-1.1mdv2007.0.i586.rpm
071c5a28526cc29b99d47485d95b5115 2007.0/i586/gnucash-ofx-2.0.1-1.1mdv2007.0.i586.rpm
fa58ac7785e11552ad48bc35427ee689 2007.0/i586/gnucash-sql-2.0.1-1.1mdv2007.0.i586.rpm
3f8f689dd645e73822bd5baa6ba4db1f 2007.0/i586/libgnucash0-2.0.1-1.1mdv2007.0.i586.rpm
336f63153412b508077cc655d6ce9e76 2007.0/i586/libgnucash0-devel-2.0.1-1.1mdv2007.0.i586.rpm
ae715153145554dab009d40e68148ce7 2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
5e30146412acbec8657a8f4590146279 2007.0/x86_64/gnucash-2.0.1-1.1mdv2007.0.x86_64.rpm
725b0c74c9335e4698e634ebc34788da 2007.0/x86_64/gnucash-hbci-2.0.1-1.1mdv2007.0.x86_64.rpm
15c729b3a02cef72a3b1e019a2a17415 2007.0/x86_64/gnucash-ofx-2.0.1-1.1mdv2007.0.x86_64.rpm
00724c0891a6e67973c6c9bce8dc25a3 2007.0/x86_64/gnucash-sql-2.0.1-1.1mdv2007.0.x86_64.rpm
db2b23ba27b6651b0452cfa7463b8e4e 2007.0/x86_64/lib64gnucash0-2.0.1-1.1mdv2007.0.x86_64.rpm
c97bf9c1d352b89f59572c1762fd5930 2007.0/x86_64/lib64gnucash0-devel-2.0.1-1.1mdv2007.0.x86_64.rpm
ae715153145554dab009d40e68148ce7 2007.0/SRPMS/gnucash-2.0.1-1.1mdv2007.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF3DLMmqjQ0CJFipgRAt2RAKCCzmFjfyOFGghSbGds6VJADW06SgCeOBxk
83o9HUJXkIavyn7zZX2Re+w=
=4LLz
-----END PGP SIGNATURE-----
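
The symlink issue described in the advisory, as an added example (not GnuCash or Mandriva code; the page does not show the actual patch): a trace-file opener written the weak way beside a hardened one that refuses a name that already exists. The function names and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fopen(path, "w") follows an existing symlink and
 * truncates whatever file the link points to. */
FILE *open_trace_unsafe(const char *path) { return fopen(path, "w"); }

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if the name already
 * exists, symlinks included; O_NOFOLLOW is defence in depth; mode 0600
 * keeps the log private. Returns NULL on refusal. */
FILE *open_trace_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) close(fd);
    return fp;
}

/* Constructed self-check: in a private scratch directory, a 9-byte file
 * "victim" has a symlink "qof.trace" pointing at it. Opens the link with
 * the chosen opener and returns victim's size afterwards (-1 on error). */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/trace-demo-XXXXXX", victim[64], trace[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trace, sizeof trace, "%s/qof.trace", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("important", v) < 0 || fclose(v) != 0) return -1;
    if (symlink(victim, trace) != 0) return -1;
    FILE *t = use_safe ? open_trace_safe(trace) : open_trace_unsafe(trace);
    if (t) fclose(t);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(trace); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("victim bytes left: unsafe=%ld safe=%ld\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

On an affected system, the same refusal can be used as a check: a trace file name that already exists as a symlink before the application starts is the condition the hardened opener rejects.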



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007046__updated_gnucash_packages_fix_temp_file_issues.html)