Executive Summary
Summary | |
---|---|
Title | New IM packages correct hidden architecture dependency |
Informations | |||
---|---|---|---|
Name | DSA-202 | First vendor Publication | 2002-12-03 |
Vendor | Debian | Last vendor Modification | 2002-12-06 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Despite popular belief, the IM packages are not architecture independent, since the number of the fsync syscal is detected on build time and this number differs on Linux architectures and other operating systems. As a result of this the optional feature ``NoSync=no'' does only work on the architecture the package was built on. As usual, we are including the text of the original advisory DSA 202-1: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. 1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so it's possible to seize a permission of the temporary directory by local access as another user. 2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 141-18.2 for the current stable distribution (woody), in version 133-2.3 of the old stable distribution (potato). A correection is expected for the unstable distribution (sid) soon. We recommend that you upgrade your IM package. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato |
Original Source
Url : http://www.debian.org/security/2002/dsa-202 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 202-1 (im) File : nvt/deb_202_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 202-2 (im) File : nvt/deb_202_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
14529 | Internet Message (IM) immknmz Symlink Arbitrary File Manipulation |
14528 | Internet Message (IM) Temp Directory Permission Weakness Arbitrary File Manip... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-202.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2003-038.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:29:19 |
|