-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 292-1 security@debian.org http://www.debian.org/security/ Martin Schulze April 22nd, 2003 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : mime-support Vulnerability : insecure temporary file creation Problem-Type : local Debian-specific: no Colin Phipps discovered several problems in mime-support, that contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used it is created insecurely, allowing an attacker to overwrite arbitrary under the user id of the person executing run-mailcap, most probably root. Additionally the program did not properly escape shell escape characters when executing a command. This is unlikely to be exploitable, though. For the stable distribution (woody) these problems have been fixed in version 3.18-1.1. For the old stable distribution (potato) these problems have been fixed in version 3.9-1.1. For the unstable distribution (sid) these problems have been fixed in version 3.22-1. We recommend that you upgrade your mime-support packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato - --------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.1.dsc Size/MD5 checksum: 473 45ec24d391fbccffe70612eee5117d12 http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.1.tar.gz Size/MD5 checksum: 91665 530e77c39a2ef192da2492af7b4ee493 Architecture independent components: http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.9-1.1_all.deb Size/MD5 checksum: 99118 0b86cad241365d36b376fdc2d5d6bb2e Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.1.dsc Size/MD5 checksum: 475 a4e5dfead5075aff505dea895dc15a44 http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.1.tar.gz Size/MD5 checksum: 72157 2c486737714c778928f354ccab4a01be Architecture independent components: http://security.debian.org/pool/updates/main/m/mime-support/mime-support_3.18-1.1_all.deb Size/MD5 checksum: 68520 4a2fb1fa53ef6c0b83e5416399a1b2ea These files will probably be moved into the stable distribution on its next revision. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+pVCuW5ql+IAeqTIRArfgAJ46rkMKgQTNtF88YdAGrViQGETFpQCgmzgK tIEgFzbTjRteYZfexIniT4E= =KD9g -----END PGP SIGNATURE-----
