Fedora Legacy Test Update Notification: cdrtools

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 17 22:13:26 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2058
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2058
2005-02-17
---------------------------------------------------------------------

Name        : cdrtools
Versions    : rh9: cdrtools-2.0-11.9.3.legacy
Summary     : A collection of CD/DVD utilities.
Description :
cdrtools is a collection of CD/DVD utilities.

---------------------------------------------------------------------
Update Information:

Updated cdrtools packages that fix a privilege escalation vulnerability
are now available.

Cdrtools is a collection of CD/DVD utilities.

Max Vozeler found that the cdrecord program, when it is set suid root,
fails to drop privileges when it executes a program specified by the
user through the $RSH environment variable. This can be abused by a
local attacker to obtain root privileges. In the default configuration
of Red Hat Linux 9, the cdrecord program is not set suid root and this
attack is not possible. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0806 to this issue.

Users of cdrtools are advised to upgrade to these errata packages, which
contain a backported patch correcting this issue.

---------------------------------------------------------------------
Changelogs

rh9:
* Sat Feb 12 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 8:2.0-11.9.3.legacy
- added missing automake, libtool, libacl-devel and groff BuildRequires

* Fri Sep 10 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 8:2.0-11.9.2.legacy
- added rsh patch to fix CAN-2004-0806

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

rh9:
6ec40cf0eb0853bbb2cfe36d17349aaed55e82fa  redhat/9/updates-testing/i386/cdda2wav-2.0-11.9.3.legacy.i386.rpm
ca6510d1737dcc5d2a7491d4b908999bd4cf9003  redhat/9/updates-testing/i386/cdrecord-2.0-11.9.3.legacy.i386.rpm
b524bf67a74450990cb95f249153c6e266acbf03  redhat/9/updates-testing/i386/cdrecord-devel-2.0-11.9.3.legacy.i386.rpm
291b49e8ab22b2d1f27052504b41bd1cd25a7c24  redhat/9/updates-testing/i386/mkisofs-2.0-11.9.3.legacy.i386.rpm
b138f4696e00faa674c141b8152337f87d6c01f6  redhat/9/updates-testing/SRPMS/cdrtools-2.0-11.9.3.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
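
The issue in the update information above, seen from the fix side as an added C example (it is not the backported cdrtools patch, which this notice does not reproduce): a setuid program permanently drops privileges in the child before executing a helper chosen through an environment variable. The function names and the `true` fallback are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
/* Illustration only, not the cdrtools patch. Permanently give up
 * setuid/setgid privileges; returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();
    /* Group first: after the uid drop we may no longer be allowed to. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* The drop must be irreversible: regaining the old euid has to fail. */
    if (old_euid != ruid && setuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Run the helper named by environment variable env_name (fallback if unset)
 * in a child that has dropped privileges; returns its exit status or -1. */
int run_helper(const char *env_name, const char *fallback)
{
    const char *prog = getenv(env_name);
    int status;
    pid_t pid;
    if (prog == NULL || *prog == '\0')
        prog = fallback;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Reaching exec with euid still 0 is the flaw the advisory describes. */
        if (drop_privileges() != 0)
            _exit(126);             /* refuse to run the helper privileged */
        execlp(prog, prog, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("helper exit status: %d\n", run_helper("RSH", "true"));
    return 0;
}
```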