Security hole in Man (man_db)
Summary
______________________________________________________________________________
SuSE Security Announcement
Package: man-2.3.10-42
Date: Tue Jun 29 00:22:52 CEST 1999
Affected: all Linux distributions using man-2.3.10
______________________________________________________________________________
A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).
Other Linux distributions or operating systems might be affected as
well; please contact your vendor for information about this issue.
Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
______________________________________________________________________________
1. Problem Description
The zsoelim program, which is part of the man package, creates files
in /tmp without security checks.
2. Impact
By creating symbolic links, an attacker could overwrite files with the
permissions of the user executing man.
3. Solution
Install the updated man package, which has been available from our
FTP server for some weeks.
______________________________________________________________________________
Here are the MD5 checksums of the upgrade packages. Please verify these
before installing the new packages:
d95cbd1e35924738c7e53226d2298a4b man-2.3.10-76.i386.rpm
cc96fa227766d50001d2800349bccb52 man-2.3.10-76.src.rpm
______________________________________________________________________________
You will find the updates on our FTP server:
(glibc)
(Source)
Webpage for patches:
http://www.suse.de/patches/index.html
or try the following web pages for a list of mirrors:
http://www.suse.de/ftp.html
______________________________________________________________________________