---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated python packages fix predictable temporary file
Advisory ID:       RHSA-2002:202-25
Issue date:        2003-01-21
Updated on:        2003-01-21
Product:           Red Hat Linux
Keywords:          symlink os.excvpe flaw:link
Cross references:
Obsoletes:
CVE Names:         CAN-2002-1119
---------------------------------------------------------------------

1. Topic:

An insecure use of a temporary file has been found in Python. This erratum
provides updated Python packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Python is an interpreted, interactive, object-oriented programming language.

Zack Weinberg discovered that os._execvpe from os.py in Python 2.2.1 and
earlier creates temporary files with predictable names. This could allow
local users to execute arbitrary code via a symlink attack.

All users should upgrade to these errata packages, which contain a patch to
Python 1.5.2 and are not vulnerable to this issue.

Please note that for Red Hat Linux 7.3 we have updated the python2 packages
from version 2.2 to version 2.2.2.

Red Hat Linux 8.0 shipped a version of Python that already contained a fix
for this issue and is therefore not vulnerable.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.
Many people find this an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/python-1.5.2-42.62.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/python-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-devel-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-docs-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-tools-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/tkinter-1.5.2-42.62.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/python-1.5.2-42.71.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/python-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/python-1.5.2-42.71.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/python-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/python-1.5.2-42.72.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/python2-2.1.1-2.72.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/python-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-devel-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-docs-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-tools-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/tkinter-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python2-2.1.1-2.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python2-devel-2.1.1-2.72.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/python-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-devel-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-docs-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-tools-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/tkinter-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python2-2.1.1-2.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python2-devel-2.1.1-2.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/python-1.5.2-42.73.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/python2-2.2.2-3.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/python-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-devel-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-docs-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-tools-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/tkinter-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-devel-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-docs-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/tkinter2-2.2.2-3.7.3.i386.rpm

6. Verification:

These packages are GPG signed by Red Hat, Inc. for security.
Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119

8. Contact:

The Red Hat security contact is <security@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

_______________________________________________
Redhat-watch-list mailing list
To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list
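The defect class named in section 3 (a temporary name chosen in advance and acted on later, so a symlink planted at the predictable name is followed) shown beside the hardened pattern that modern code uses instead. This is an added example, not code from the advisory or from Python's os.py; the function names, the temporary directory layout and the planted symlink are constructed for illustration.

```python
import os
import tempfile


def open_predictable_name(directory, name):
    """Defect class from the advisory: the name was chosen in advance and the
    open uses O_CREAT without O_EXCL, so a symlink already sitting at that
    name is silently followed to wherever it points."""
    path = os.path.join(directory, name)
    return os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)


def exclusive_create(path):
    """Hardened open for a fixed path: O_CREAT|O_EXCL makes the kernel refuse
    if anything already exists there (POSIX requires EEXIST even when the
    existing entry is a symlink), so a planted link is reported, not followed."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def private_tempfile(directory):
    """Preferred form: mkstemp picks an unpredictable name and creates the file
    atomically with O_EXCL, so there is no window between choosing the name
    and creating the file. Returns (fd, path)."""
    return tempfile.mkstemp(dir=directory, prefix="pyexec-")


def demo():
    """Constructed scenario (sample data, not from the advisory): a dangling
    symlink already sits at the predictable name before the program opens it.
    Returns (weak_open_followed_link, exclusive_open_rejected, mkstemp_ok)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")
        link = os.path.join(d, "predictable_tmp")
        os.symlink(target, link)

        fd = open_predictable_name(d, "predictable_tmp")
        os.close(fd)
        followed = os.path.isfile(target)   # weak open created the link target

        try:
            os.close(exclusive_create(link))
            rejected = False
        except FileExistsError:
            rejected = True                 # hardened open refused the symlink

        fd, path = private_tempfile(d)
        os.close(fd)
        unpredictable = os.path.dirname(path) == d and not os.path.islink(path)
        return followed, rejected, unpredictable


if __name__ == "__main__":
    print(demo())
```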