+++ This bug was initially created as a clone of Bug #145577 +++

Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the program.

Patch attached that will remove the use of this pid file.

-- Additional comment from bressers on 2005-01-19 16:14 EST --

Created an attachment (id=109991)
Proposed patch for this issue.

<<snip>>
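The bug class described above (a predictable file name opened in a world-writable directory, so a pre-planted symlink redirects the write to a file the victim owns) is easiest to see next to its hardened form. The following is an added illustration, not DBI's code and not the attached patch (which simply removed the pid file); all file names are constructed inside a throwaway directory, and `O_EXCL`/`O_NOFOLLOW` are the general mitigation when such a file must be kept.

```python
import errno
import os
import tempfile

# Constructed sandbox: every path below lives in a private scratch directory,
# so the "victim" file is our own and nothing outside it is touched.
WORKDIR = tempfile.mkdtemp(prefix="dbi-pidfile-demo-")
VICTIM = os.path.join(WORKDIR, "victim.txt")   # stands in for a file the user owns
PIDFILE = os.path.join(WORKDIR, "dbi.pid")     # predictable name, like a shared-dir pid file


def reset_sandbox():
    """Recreate the victim file and plant a symlink at the predictable path."""
    try:
        os.unlink(PIDFILE)          # removes only the link, never its target
    except FileNotFoundError:
        pass
    with open(VICTIM, "w") as f:
        f.write("original contents\n")
    os.symlink(VICTIM, PIDFILE)


def unsafe_write_pid(path, pid):
    """Vulnerable pattern: truncate-and-write a predictable name.
    open(..., "w") follows symlinks, so the write lands on the link target."""
    with open(path, "w") as f:
        f.write(f"{pid}\n")


def safe_write_pid(path, pid):
    """Hardened form: create atomically, refuse an existing path, never follow
    a symlink, and give the file owner-only permissions.
    Returns True on success, False if the path was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        # EEXIST: O_EXCL saw a pre-existing entry (a symlink counts);
        # ELOOP: O_NOFOLLOW refused to traverse a symlink.
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write(f"{pid}\n")
    return True


def victim_contents():
    with open(VICTIM) as f:
        return f.read()
```

Against the planted link, `unsafe_write_pid` clobbers the victim file while `safe_write_pid` returns False and leaves it untouched; the robust fix, as the attached patch did, is to not write such a file at all.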
On 2005-02-01, Red Hat issued RHSA-2005-069 for this issue: http://rhn.redhat.com/errata/RHSA-2005-069.html

On 2005-02-15, Red Hat issued RHSA-2005-072 for this issue: http://rhn.redhat.com/errata/RHSA-2005-072.html
Here are updated packages to QA:

861e7b17a5c9f830fb6444ffc061bc8b34caacd8  7.3/perl-DBI-1.21-1.1.legacy.i386.rpm
4bc8000341291476c209653ee8f51125b2074d72  7.3/perl-DBI-1.21-1.1.legacy.src.rpm
0a456f49dbf0a48fcb8c11584067fa9e04a7f655  9/perl-DBI-1.32-5.1.legacy.i386.rpm
6de844ee989ff0ba939eb21137b1d912da16c43b  9/perl-DBI-1.32-5.1.legacy.src.rpm
ba1769d36dbe33895455a03381afbd1cb1631f89  1/perl-DBI-1.37-1.1.legacy.i386.rpm
4ee3113def0de25f700a6b39c9f1069afe8bd7c5  1/perl-DBI-1.37-1.1.legacy.src.rpm
3b5267c54a9e08192fdabcf5b018c697b3a2f641  2/perl-DBI-1.40-4.1.legacy.i386.rpm
cb4ad3208bbf3317278ca16025a59465c939fb44  2/perl-DBI-1.40-4.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/perl-DBI-1.21-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/perl-DBI-1.32-5.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/perl-DBI-1.37-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/perl-DBI-1.40-4.1.legacy.src.rpm
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

4bc8000341291476c209653ee8f51125b2074d72  perl-DBI-1.21-1.1.legacy.src.rpm
6de844ee989ff0ba939eb21137b1d912da16c43b  perl-DBI-1.32-5.1.legacy.src.rpm
4ee3113def0de25f700a6b39c9f1069afe8bd7c5  perl-DBI-1.37-1.1.legacy.src.rpm
cb4ad3208bbf3317278ca16025a59465c939fb44  perl-DBI-1.40-4.1.legacy.src.rpm
Packages were pushed to updates-testing
I performed QA on the following packages:

fc1: 50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm
fc2: 69a623c7db409341705bfc125b5fd6f0c056af7b  perl-DBI-1.40-4.1.legacy.i386.rpm

Packages installed fine. Performed QA using ikonboard 3.1.1 forums. MySQL database on fc4 box. Forum testing worked fine, was able to post, read and search successfully.

+VERIFY fc1,fc2
Thanks!
Packages tested:

3267a9d83ac3cadcfa650b1625cf5c458adb5540  perl-5.8.3-17.5.legacy.i386.rpm
50a02fd2d68f47d35f76bc690281253bbdf9a486  perl-DBI-1.37-1.1.legacy.i386.rpm

- SHA1 checksums and GPG signatures verified.
- Both packages installed cleanly.
- Webmin ran fine after the update (I was able to log in, browse MySQL databases, etc.)

+VERIFY FC1
Timeout over.
Packages were released.