
PISA-05-JAN-00-001



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              .------------------------------------------------.
              |**** Project Independence Security Advisory ****|
              `-----------* ID: PISA-05-JAN-00-001 *-----------'
               Issued by: David Webster <cognition@bigfoot.com>

Issue Date: 05-Jan-2000

Overview: Potential security hole in all PISA/RHSA bug fixes 

Affected: potentially all those who installed previous bug fixes

References: See http://independence.seul.org/security/ for previous advisories	

                                  -=-=-==-=-=-

Detailed Problem Description:

	Project Independence has been suggesting to users that they install
	the updated files with the command 'rpm -Uvh <filename>', which causes
	the package shown in filename to be upgraded or installed. If the rpm
	contains more than one program (e.g. the usermode package referred to in
	PISA-05-JAN-00-000) then all the programs will be installed with
	the -U option, even if they were not on the system before. In the case
	of the usermode package, one of those programs, 'userhelper', is SUID,
	so this introduces a SUID file that possibly wasn't already on the
	machine.

Solution:
	
	Use 'rpm -Fvh <filename>' instead of -Uvh, as the -F (--freshen) option
	only installs the update if an earlier version was already on the machine.

Project Independence Linux would like to apologise to its users for this
error, and would like to thank Don G. and Peter <peterw@usa.net> for bringing
this to our attention.

This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition), with key ID: 45 FA C2 83

Which is available from: [http://www.cognite.net/pgp.html],
			 and most good pgp key servers.

An archive of these messages can currently be found on:
http://independence.seul.org/security/

A process of automatic retrieval is being worked on.

	.---------------------------------------------------.
	| Any problems regarding this, or future advisories |
	| should be emailed to me: <cognition@bigfoot.com>  |
	`---------------------------------------------------'
-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>

iD8DBQE4c8a+DdLNO0X6woMRAu2KAJ0VrBYW69EedPh9uStMY6WeS088NgCdHf2Z
UvwuzSLhOAsQmz/pk8GAXvs=
=0Sf4
-----END PGP SIGNATURE-----
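
The -U versus -F difference described in the advisory can be checked per update file before anything is installed. The script below is an added example, not part of the original advisory or of Project Independence's tooling; the function names and the sample listing are constructed for illustration, and it assumes an rpm that supports the :perms query formatter.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names and the sample
# listing are constructed for illustration.

# Read "perms path" lines (the layout rpm's :perms formatter prints) and
# emit the paths whose owner or group execute slot holds s/S (setuid/setgid).
setid_files() {
    awk '{
        perms = $1
        if (substr(perms, 4, 1) ~ /[sS]/ || substr(perms, 7, 1) ~ /[sS]/) {
            sub(/^[^ ]+ +/, "")   # drop the perms column, keep the full path
            print
        }
    }'
}

# Constructed file listing for a multi-program package (not real rpm output).
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x /usr/bin/example-tool
-rwsr-xr-x /usr/sbin/userhelper
-rwxr-sr-x /usr/bin/example-sgid-tool
-rw-r--r-- /usr/share/doc/example/README
EOF
}

# For one update file: say what -F and -U would each do on this host, and
# list the set-id files that -U would newly introduce.
check_update() {
    name=$(rpm -qp --queryformat '%{NAME}' "$1") || return 2
    if rpm -q "$name" >/dev/null 2>&1; then
        echo "$name: installed; 'rpm -Fvh' upgrades it"
        return 0
    fi
    echo "$name: not installed; 'rpm -Fvh' skips it, 'rpm -Uvh' would add:"
    rpm -qp --queryformat '[%{FILEMODES:perms} %{FILENAMES}\n]' "$1" | setid_files
}

# Usage: sh check-updates.sh update1.rpm update2.rpm ...
for f in "$@"; do
    check_update "$f"
done
```

Run with no arguments it does nothing; pass the downloaded update files as arguments to get one report line per package.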