RH6.0: libtermcap (RHSA-1999:028-01)
Summary
A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file.
Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.
Thanks go to Kevin Vajk and the Linux Security Audit team for noting and providing a fix for this vulnerability.
Solution
For each RPM for your particular architecture, run:
rpm -Uvh filename
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
4995cf0a7c181abe56565d82f12c7819 i386/libtermcap-2.0.8-15.i386.rpm
59d18de3f22abe5674575961b1390177 i386/libtermcap-devel-2.0.8-15.i386.rpm
611cdfb7f167242e7d3b2eaac866705a alpha/libtermcap-2.0.8-15.alpha.rpm
76098235237b5f051ad1266193d7b259 alpha/libtermcap-devel-2.0.8-15.alpha.rpm
846ad7a73b25d3eceab1949322337e14 sparc/libtermcap-2.0.8-15.sparc.rpm
6ddde808ec8b5bc7960851ef3188a6dd sparc/libtermcap-devel-2.0.8-15.sparc.rpm
6a29851494601540d642ff557bd590d6 SRPMS/libtermcap-2.0.8-15.src.rpm
These packages are also PGP signed by Red Hat Inc. for security. Our
key is available at:
You can verify each package with the following command:
rpm --checksig filename
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp filename
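The following is an added example, not part of the Red Hat advisory: a shell function that checks downloaded packages against a table laid out like the "MD5 sum / Package Name" list above before they are passed to rpm -Uvh. It assumes GNU md5sum is installed and that the packages were saved flat in one directory; the names verify_manifest and demo_verify, and the demo file contents, are constructed for illustration.

```shell
#!/bin/sh
# verify_manifest MANIFEST DIR
# MANIFEST holds "<md5> <arch>/<file>.rpm" lines, as in the advisory table.
# Prints one status line per package; returns 0 only if every file matches.
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    while read -r sum path _; do
        # Skip the header row and anything that is not a 32-hex-digit digest.
        case $sum in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        # Assumption: files were saved flat, so drop the "i386/" style prefix.
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        expected=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo_verify: builds a constructed "package" and manifest in a temp
# directory and runs the check on them (no real RPMs are involved).
demo_verify() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed package body\n' > "$tmp/demo-1.0-1.i386.rpm"
    digest=$(md5sum < "$tmp/demo-1.0-1.i386.rpm" | cut -d' ' -f1)
    {
        echo "MD5 sum Package Name"
        echo "$digest i386/demo-1.0-1.i386.rpm"
    } > "$tmp/manifest"
    verify_manifest "$tmp/manifest" "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

A non-zero return means at least one listed package is missing or differs from the listed digest; rpm --checksig remains the check for the PGP signature.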
Topic
A buffer overflow has been fixed in the tgetent() function of
libtermcap.
2. Bug IDs fixed:
4538
Relevant Releases Architectures
Red Hat Linux 6.0, all architectures
4. Obsoleted by:
None
5. Conflicts with:
None
6. RPMs required:
Intel:
libtermcap-2.0.8-15.i386.rpm
libtermcap-devel-2.0.8-15.i386.rpm
Alpha:
libtermcap-2.0.8-15.alpha.rpm
libtermcap-devel-2.0.8-15.alpha.rpm
SPARC:
libtermcap-2.0.8-15.sparc.rpm
libtermcap-devel-2.0.8-15.sparc.rpm
Source:
libtermcap-2.0.8-15.src.rpm
Architecture neutral: