U radu programskog paketa Foomatic uočena su dva sigurnosna propusta koje lokalni napadač može iskoristiti za prepisivanje proizvoljnih datoteka.
| Paket: |
foomatic 4.x |
| Operacijski sustavi: |
Fedora 16 |
| Problem: |
pogreška u programskoj komponenti |
| Iskorištavanje: |
lokalno |
| Posljedica: |
izmjena podataka |
| Rješenje: |
programska zakrpa proizvođača |
| CVE: |
CVE-2011-2924, CVE-2011-2923 |
| Izvorni ID preporuke: |
FEDORA-2011-11118 |
| Izvor: |
Fedora |
| |
| Problem: |
Propusti su posljedica toga što foomatic-rip filter koristi nesigurno stvorene privremene datoteke za pohranu PostScript podataka.
|
| Posljedica: |
Napadaču omogućuju prepisivanje proizvoljnih datoteka putem tzv. symlink napada.
|
| Rješenje: |
Korisnicima se preporuča instalacija odgovarajuće nadogradnje.
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-11118
2011-08-18 21:51:13
--------------------------------------------------------------------------------
Name : foomatic
Product : Fedora 16
Version : 4.0.8
Release : 4.fc16
URL : http://www.linuxprinting.org
Summary : Tools for using the foomatic database of printers and printer
drivers
Description :
Foomatic is a comprehensive, spooler-independent database of printers,
printer drivers, and driver descriptions. This package contains
utilities to generate driver description files and printer queues for
CUPS, LPD, LPRng, and PDQ using the database (packaged separately).
There is also the possibility to read the PJL options out of PJL-capable
laser printers and take them into account at the driver description
file generation.
There are spooler-independent command line interfaces to manipulate
queues (foomatic-configure) and to print files/manipulate jobs
(foomatic printjob).
The site http://www.linuxprinting.org/ is based on this database.
--------------------------------------------------------------------------------
Update Information:
This package fixes CVE-2011-2924 by using mktemp when creating a debug log file
in debug mode.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #726426 - CVE-2011-2923 CVE-2011-2924 foomatic: foomatic-rip (debug
mode) insecure temporary file use in renderer command line by processing
PostScript data
https://bugzilla.redhat.com/show_bug.cgi?id=726426
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update foomatic' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke