Koozali.org: home of the SME Server

[Announce] security update for bzip2-1.0.3.i386.rpm

gerald001

[Announce] security update for bzip2-1.0.3.i386.rpm
« on: May 10, 2005, 09:00:19 PM »
to the community,

Due to the security announcement at  http://www.securityfocus.com/bid/12954/discussion/
BZip2 CHMod File Permission Modification Race Condition Weakness

I packaged the new version of bzip2-1.0.3
bzip2-1.0.3-1.i386.rpm
bzip2-devel-1.0.3-1.i386.rpm
bzip2-libs-1.0.3-1.i386.rpm

the report from securityfocus itself
------------------------------------------------------------
bzip2 is reported prone to a security weakness; the issue is only present when an archive is extracted into a world or group writeable directory. It is reported that bzip2 employs non-atomic procedures to write a file and later change the permissions on the newly extracted file.

A local attacker may leverage this issue to modify file permissions of target files.

This weakness is reported to affect bzip2 version 1.0.2 and previous versions.
------------------------------------------------------------

After downloading, the update can be performed with
rpm -Uvh packagename.rpm

regards and enjoy each beautiful day of life
Gerald

available at
http://schwarzecker.homelinux.net/index.php
(left-side menu, Downloads category, BZIP2 folder, BZIP2-1.0.3)
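The advisory quoted above describes a two-step sequence: the extracted file is created first, and its permissions are changed afterwards by path name. The following is an added example, written for this thread and not code from bzip2, the SME Server project or the original poster, that puts that non-atomic create-then-chmod(path) pattern next to a create-then-fchmod(fd) pattern. In the second form the permission change is applied to the descriptor of the file that was actually written, and O_EXCL makes the open refuse a name that already exists, so there is no later lookup by name for another local user to interfere with in a shared writeable directory. The file paths and contents are constructed for the example; whether bzip2 1.0.3 itself uses exactly this construction is not stated in the thread and is not claimed here.

```c
/* Added example (not code from the original post or from bzip2):
 * non-atomic create-then-chmod(path) versus create-then-fchmod(fd).
 * File names and contents are constructed for this example. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Non-atomic pattern as described in the advisory: the file is created
 * with the umask-derived mode, and the permission change is later applied
 * by looking the path name up again. Between the two steps the name, not
 * the file that was written, is what the chmod acts on. Returns 0 on success. */
int write_then_chmod_by_path(const char *path, const char *data, mode_t mode)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    fclose(f);
    return chmod(path, mode);      /* second, independent lookup by name */
}

/* Hardened pattern: O_CREAT|O_EXCL refuses an existing name (including a
 * symbolic link), the file starts owner-only, and fchmod changes the mode
 * through the open descriptor, so the change lands on the file that was
 * written rather than on whatever the name refers to later. Returns 0 on success. */
int write_then_fchmod_fd(const char *path, const char *data, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;                 /* EEXIST when the name is already taken */
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Check helper: permission bits of path (e.g. 0644), or -1 if it cannot be stat'ed. */
int permission_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Check helper: remove path if present; returns 1 once no such name remains. */
int clear_path(const char *path)
{
    unlink(path);                  /* failure is fine: the file may not exist yet */
    return access(path, F_OK) != 0;
}

int main(void)
{
    const char *a = "/tmp/bzip2_example_by_path.txt";   /* constructed names */
    const char *b = "/tmp/bzip2_example_by_fd.txt";
    clear_path(a);
    clear_path(b);
    printf("chmod by path: rc=%d mode=%04o\n",
           write_then_chmod_by_path(a, "hello\n", 0644), permission_bits(a));
    printf("fchmod on fd:  rc=%d mode=%04o\n",
           write_then_fchmod_fd(b, "hello\n", 0644), permission_bits(b));
    /* A second create on the same name is refused by O_EXCL. */
    printf("fchmod on existing name: rc=%d\n",
           write_then_fchmod_fd(b, "again\n", 0644));
    return 0;
}
```

Both routines end with the same 0644 mode on an undisturbed file system; the difference is in what happens between the two steps. The workaround in the advisory (do not extract into world or group writeable directories) removes the other party from the picture; the fchmod form removes the window itself.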

CharlieBrady
Re: [Announce] security update for bzip2-1.0.3.i386.rpm
« Reply #1 on: May 10, 2005, 09:30:15 PM »
Quote from: "gerald001"

Due to the security announcement at  http://www.securityfocus.com/bid/12954/discussion/
BZip2 CHMod File Permission Modification Race Condition Weakness

I packaged the new version of bzip2-1.0.3


Note that bzip2 is not used at all in the standard SME server. It may be used by some contribs (e.g. virus scanners) - if those contribs are well designed they won't be using world or group writable directories.

gerald001

Re: [Announce] security update for bzip2-1.0.3.i386.rpm
« Reply #2 on: May 10, 2005, 10:07:19 PM »
Quote from: "CharlieBrady"
Quote from: "gerald001"

Due to the security announcement at  http://www.securityfocus.com/bid/12954/discussion/
BZip2 CHMod File Permission Modification Race Condition Weakness

I packaged the new version of bzip2-1.0.3


Note that bzip2 is not used at all in the standard SME server. It may be used by some contribs (e.g. virus scanners) - if those contribs are well designed they won't be using world or group writable directories.


Hi Charlie,
thanks for your comment. I might be wrong but it looks like bzip2-1.0.2-11.i386.rpm will be included in SME Server Version 7.0 http://no.longer.valid/phpwiki/index.php/SME%20Server%207.0alpha11%20details

CharlieBrady
Re: [Announce] security update for bzip2-1.0.3.i386.rpm
« Reply #3 on: May 11, 2005, 04:43:20 AM »
Quote from: "gerald001"

I might be wrong but it looks like bzip2-1.0.2-11.i386.rpm will be included in SME Server Version 7.0


Quite so - perhaps. If RedHat release an update then the updated version will be included in Version 7.0.

You don't say why you mention this.

If you are aware of any security vulnerabilities, or have any security concerns, you should of course mail them to security@contribs.org.

gerald001

Re: [Announce] security update for bzip2-1.0.3.i386.rpm
« Reply #4 on: May 11, 2005, 07:41:16 PM »
Quote from: "CharlieBrady"
Quote from: "gerald001"

I might be wrong but it looks like bzip2-1.0.2-11.i386.rpm will be included in SME Server Version 7.0


Quite so - perhaps. If RedHat release an update then the updated version will be included in Version 7.0.

You don't say why you mention this.

If you are aware of any security vulnerabilities, or have any security concerns, you should of course mail them to security@contribs.org.


Hi Charlie,
after thorough browsing I noticed that SME Server versions 6.0, 6.0.1, 6.5RC1, as well as the latest 7.0alpha11 ISO image, have bzip2 in version 1.0.2 with different minor versions included. Reading by chance about this security warning, I upgraded my bzip2 to version 1.0.3, which till now was not announced to be affected. But who knows what the future will bring? So I mailed the new bzip2...rpm together with that security announcement to security@contribs.org as you proposed; thank you for your hint. My concern is a minor one, and the idea behind it is to contribute to the community.

receive my kindest regards
Gerald

Table: which release of SME uses which version of bzip2

SME version     bzip2 version
6.0             bzip2-1.0.2-2.i386.rpm
6.0.1           bzip2-1.0.2-2.i386.rpm
6.5RC1          bzip2-1.0.2-2.i386.rpm
7.0alpha11      bzip2-1.0.2-11.i386.rpm


PS: securityfocus till now announces that the different vendors do not supply any patch.
Workaround:
Avoid processing archives in world or group writeable directories.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue.