int(2665)

Vulnerability Bulletins

Vulnerabilidad en lesstif

Vulnerability classification
Property Value
Confidence level Oficial
Impact Aumento de privilegios
Dificulty Principiante
Required attacker level Acceso remoto con cuenta

System information
Property Value
Affected manufacturer GNU/Linux
Affected software lesstif

Description
Se ha descubierto una vulnerabilidad en la librería libXm de LessTif. La vulnerabilidad reside en el manejo de la variable de entorno DEBUG_FILE.

La explotación de esta vulnerabilidad podría permitir a un atacante local crear archivos con permisos de escritura para todo el mundo en cualquier localización cuando libXm se ejecuta desde un programa setuid.

Solution


Actualización de software

Mandriva Linux

Mandriva Linux 2006.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lesstif-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lesstif-clients-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lesstif-devel-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lesstif-mwm-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64lesstif1-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/lib64lesstif2-0.93.94-4.2.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/liblesstif1-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/liblesstif2-0.93.94-4.2.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/lesstif-0.93.94-4.2.20060mdk.src.rpm

Corporate 3.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/lesstif-0.93.94-1.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/lesstif-clients-0.93.94-1.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/lesstif-devel-0.93.94-1.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/lesstif-mwm-0.93.94-1.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/lesstif-0.93.94-1.1.C30mdk.src.rpm

Standar resources
Property Value
CVE CVE-2006-4124
BID

Other resources
Mandriva Linux Security Advisory MDKSA-2006:154
http://archives.mandrivalinux.com/security-announce/2006-08/msg00022.php

Version history
Version Comments Date
1.0 Aviso emitido 2006-08-29
Ministerio de Defensa
CNI
CCN
CCN-CERT