-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2004-26
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date : 16 Sep 2004
Last revised           : 16 Sep 2004

Package : cdrtools

Summary : euid program

More information :
   cdrtools is a collection of CD/DVD utilities.
   cdrecord, which is set-uid root, fails to drop the effective UID
   (of root -- euid=0) when it exec()s a program specified by the user
   via the $RSH environment variable.

Impact :
   Allows local users to gain root privileges.

Affected Products :
   - Turbolinux Appliance Server 1.0 Hosting Edition
   - Turbolinux Appliance Server 1.0 Workgroup Edition
   - Turbolinux 10 F...
   - Turbolinux 10 Desktop

Solution :
   Please use the turbopkg (zabom) tool to apply the update.
   ---------------------------------------------
   [Turbolinux 10 Desktop, Turbolinux 10 F...]
   # zabom -u cdda2wav cdrtools cdrtools-devel mkisofs
   ---------------------------------------------

   Source Packages
   Size : MD5

   cdrtools-2.0-9.src.rpm
      2103029 be1b3126c773b8a07a6e078f2c425aa3

   Binary Packages
   Size : MD5

   cdrtools-2.0-9.i586.rpm
      672260 4f04c73f06d9a1c524806a48c59795a4
   cdrtools-devel-2.0-9.i586.rpm
      496602 f0dc69e2525aef9be1b677ef32a5ea89
   mkisofs-2.0-9.i586.rpm
      478674 de3ae493f085d7e841d8336f61b66cf1

   Source Packages
   Size : MD5

   cdrtools-2.0-9.src.rpm
      2103029 f28d29b94dc9517406a59fd8d934c7f9

   Binary Packages
   Size : MD5

   cdrtools-2.0-9.i586.rpm
      671704 30173aba8f73337bf875fc095c855979
   cdrtools-devel-2.0-9.i586.rpm
      496706 3c6fdc57dbd94f28736fae3fa4f74853
   mkisofs-2.0-9.i586.rpm
      478790 0b0c20e1c5f84e670e211164fc8efe70

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/cdrtools-2.0-9.src.rpm
      2103029 aa0d05ec9760f08ca21ba230e73112d9

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdda2wav-2.0-9.i586.rpm
      166032 ff43311dc4cb87048a59e6147c6105a5
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdrtools-2.0-9.i586.rpm
      666550 5a77cc19f9cf1f58fa5dc51f04ceb18b
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdrtools-devel-2.0-9.i586.rpm
      497339 de65b8f21cdf636408cddc04f0f3ef1b
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/mkisofs-2.0-9.i586.rpm
      479449 a4a719a4a593cff75eb62ec5a337f1a9

References:

   CVE
   [CAN-2004-0806]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806

--------------------------------------------------------------------------
Revision History
   16 Sep 2004 Initial release
--------------------------------------------------------------------------

Copyright(C) 2004 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBSHjYK0LzjOqIJMwRAh6sAJ9mJeQvyh7rEr0K67sstZGCxQaO4ACgrJwL
TG7auX67FkGqHaCOwGefhFU=
=cZCb
-----END PGP SIGNATURE-----