[Tech] FW: [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer

Franco Vite franco.vite@tin.it
Tue 22 Aug 2000 12:28:20 CEST


oi
-- 
ciao Franco

GNU/Linux luser ... temporarily elsewhere

----------
> From: Joe Shaw <joe@HELIXCODE.COM>
> Reply-To: Joe Shaw <joe@HELIXCODE.COM>
> Date: Sun, 20 Aug 2000 03:08:33 -0400
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: [Helix Beta] Helix Code Security Advisory - Helix GNOME Installer
> 
> HELIX CODE, INC.                                            SECURITY ADVISORY
> security@helixcode.com                                Issue Date: 20 Aug 2000
> 
> PACKAGES AFFECTED:
> Helix GNOME Installer, versions 0.1 through 0.5
> 
> SYNOPSIS:
> Vulnerabilities in the Helix GNOME Installer allow non-root users to exploit
> world-writable permissions on /tmp to damage a system's configuration files
> or install arbitrarily modified RPM packages.
> 
> DESCRIPTION:
> Temporary copies of the /etc/config.d/bashrc, /etc/config.d/csh.cshrc, and
> /etc/rc.d/rc.gui files on Caldera OpenLinux eDesktop 2.4 and /etc/rc.config
> on SuSE 6.3 and 6.4 are stored in the /tmp directory, modified, and moved back
> into their original locations. A mkdir of the right path by any user prior to
> root running the Helix GNOME Installer can result in a system's configuration
> files being lost.
> 
> Furthermore, a directory called /tmp/helix-install is used to download
> packages to be installed. If that directory was created by a malicious
> non-root user, arbitrarily placed packages could be installed onto the system.
> 
> SOLUTION:
> A new version of the Helix GNOME Installer (0.6) has been released. This new
> version fixes both vulnerabilities. The first is solved by making backups of
> the system files in the same directory from which they came, and doing the
> operation on these files in-place. The second is solved by moving the default
> download directory to /var/cache/helix-install, which is writable only by
> root.
> 
> AVAILABILITY:
> New versions of the Helix GNOME Installer are available immediately from
> Helix Code, Inc.
> 
> A list of supported systems can be found at
> http://www.helixcode.com/desktop/download.php3.
> 
> For supported i386 systems:
> http://spidermonkey.helixcode.com/installer-latest-intel.gz
> 
> For supported PPC systems:
> http://spidermonkey.helixcode.com/installer-latest-ppc.gz
> 
> For supported UltraSparc Solaris systems:
> http://spidermonkey.helixcode.com/installer-latest-solaris.Z
> 
> VERIFICATION:
> d6b369c223fd9e460581f92fba64d3b8  installer-latest-intel.gz
> 9223cae466e44a3627fc9be492a83c62  installer-latest-ppc.gz
> 61119233e77b4d5e2deb7989e79a1f0b  installer-latest-solaris.Z
> 
> Copyright (C) 2000 Helix Code, Inc.
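The two /tmp problems in the advisory and the shape of the 0.6 fixes, as an added example that is not part of the advisory and not the Helix installer's own code. It runs as an unprivileged user in a throwaway directory that stands in for /etc/config.d and /tmp, with attacker and "root" being the same uid; the exact copy/modify/move sequence of the vulnerable installer, the GNOME_PATH line it appends, the .helix-orig backup suffix and the check_download_dir helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the Helix GNOME Installer: the /tmp patterns
# described in the advisory, reproduced in a throwaway sandbox so it runs as an
# unprivileged user. $FAKE_ETC stands in for /etc/config.d and $FAKE_TMP for a
# world-writable /tmp. Attacker and "root" are the same uid here; what matters
# is who created the directory first.

SANDBOX=$(mktemp -d "${TMPDIR:-/tmp}/helixdemo.XXXXXX") || exit 1
FAKE_ETC="$SANDBOX/etc"
FAKE_TMP="$SANDBOX/tmp"
mkdir -p "$FAKE_ETC" "$FAKE_TMP"
printf 'PATH=/usr/bin\n' > "$FAKE_ETC/bashrc"
NEW_LINE='export GNOME_PATH=/opt/gnome'   # assumed edit; the advisory names none

# Vulnerable pattern (installer 0.1-0.5 as the advisory describes it): copy the
# system file to a predictable name under /tmp, modify it there, move it back.
# The exact cp/append/mv sequence is an assumption.
vulnerable_edit() {
    src=$1
    work="$FAKE_TMP/$(basename "$src")"
    cp "$src" "$work"                       # squatted dir: file lands *inside* it
    printf '%s\n' "$NEW_LINE" >> "$work"    # then fails: "Is a directory"
    mv -f "$work" "$src"                    # fails: a dir cannot replace a file
}

# Fixed pattern (installer 0.6): backup beside the original, edit in place.
# Nothing passes through a world-writable directory, and redirecting into $src
# keeps its inode, owner and mode.
hardened_edit() {
    src=$1
    cp -p "$src" "$src.helix-orig" || return 1   # backup suffix is an assumption
    { cat "$src.helix-orig"; printf '%s\n' "$NEW_LINE"; } > "$src"
}

# Assumed helper for the second issue: accept a download directory only if it
# is a real directory owned by the invoking user with no group/other write bit.
# A directory someone else created lets them swap packages after download.
check_download_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -user "$(id -un)" ! -perm -020 ! -perm -002 -print)" ]
}

# --- Issue 1: attacker squats the predictable name before "root" runs the installer
mkdir "$FAKE_TMP/bashrc"
vulnerable_edit "$FAKE_ETC/bashrc" 2>/dev/null
VULN_RC=$?
VULN_CAPTURED="$FAKE_TMP/bashrc/bashrc"   # root's copy now sits in the attacker's dir
hardened_edit "$FAKE_ETC/bashrc"
HARD_RC=$?

# --- Issue 2: a squatted, world-writable download dir vs. one only root could own
mkdir "$FAKE_TMP/helix-install";            chmod 0777 "$FAKE_TMP/helix-install"
mkdir "$SANDBOX/var-cache-helix-install";   chmod 0755 "$SANDBOX/var-cache-helix-install"
ln -s "$FAKE_TMP/helix-install" "$FAKE_TMP/helix-link"
check_download_dir "$FAKE_TMP/helix-install";           SQUATTED_RC=$?
check_download_dir "$FAKE_TMP/helix-link";              SYMLINK_RC=$?
check_download_dir "$SANDBOX/var-cache-helix-install";  CACHE_RC=$?

printf 'vulnerable edit rc=%s (copy captured at %s)\n' "$VULN_RC" "$VULN_CAPTURED"
printf 'hardened edit rc=%s, backup at %s\n' "$HARD_RC" "$FAKE_ETC/bashrc.helix-orig"
printf 'download dir check: squatted=%s symlink=%s cache=%s\n' "$SQUATTED_RC" "$SYMLINK_RC" "$CACHE_RC"
# Sandbox is left in place for inspection: rm -rf "$SANDBOX" when done.
```

The ownership and mode check only helps if the installer can tell its own directory from one an attacker pre-created, which is why 0.6 sidestepped the question by downloading under /var/cache/helix-install, where unprivileged users cannot create the directory in the first place; the in-place edit is the same idea applied to the config files, since /etc/config.d and /etc/rc.d are root-writable only.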

More information about the flug-tech list