Red Hat: mc security vulnerabilities fix
Summary
Summary
Midnight Commander (mc) is a visual shell much like a file manager. Shell escape bugs have been discovered in several of the mc vfs backend scripts. An attacker who is able to influence a victim to open a specially-crafted URI using mc could execute arbitrary commands as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue. Users of mc should upgrade to this updated package which contains backported patches and is not vulnerable to this issue.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
127974 - CAN-2004-0494 extfs vfs vulnerability in mc
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
afec2c565d6a6ddef751653eebaa3ad6 mc-4.5.51-36.4.src.rpm
i386:
565ad0abe3823a8c003e585ebc44556c gmc-4.5.51-36.4.i386.rpm
10f69a32fd981ffcb2c018e070ca9b62 mc-4.5.51-36.4.i386.rpm
100b1d71bd280502b5db3809b56f3a48 mcserv-4.5.51-36.4.i386.rpm
ia64:
998718f8ed57261a5553abbfd9a0b44b gmc-4.5.51-36.4.ia64.rpm
662118226d4084bbe6e67f19f7918af1 mc-4.5.51-36.4.ia64.rpm
03e4390ff9254bdd57c08fdc7ca76f4a mcserv-4.5.51-36.4.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
afec2c565d6a6ddef751653eebaa3ad6 mc-4.5.51-36.4.src.rpm
ia64:
998718f8ed57261a5553abbfd9a0b44b gmc-4.5.51-36.4.ia64.rpm
662118226d4084bbe6e67f19f7918af1 mc-4.5.51-36.4.ia64.rpm
03e4390ff9254bdd57c08fdc7ca76f4a mcserv-4.5.51-36.4.ia64.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
afec2c565d6a6ddef751653eebaa3ad6 mc-4.5.51-36.4.src.rpm
i386:
565ad0abe3823a8c003e585ebc44556c gmc-4.5.51-36.4.i386.rpm
10f69a32fd981ffcb2c018e070ca9b62 mc-4.5.51-36.4.i386.rpm
100b1d71bd280502b5db3809b56f3a48 mcserv-4.5.51-36.4.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0494
Package List
Topic
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux WS version 2.1 - i386
Bugs Fixed