Vulnerability Bulletins

int(1124)

Vulnerability Bulletins

Creación insegura de archivos temporales en lvm10
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Integridad
Dificulty	Avanzado
Required attacker level	Acceso remoto con cuenta
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	lvm10
Description
Se ha descubierto una vulnerabilidad en lvm10. La vulnerabilidad reside en el script lvmcreate_initrd que crea archivos temporales de una forma insegura. La explotación de esta vulnerabilidad podría permitir a un atacante local sobrescribir archivos del sistema mediante un ataque de enlace simbólico siempre que el script lvmcreate_initrd sea ejecutado por un usuario con suficientes privilegios.
Solution
Actualización de software Debian Linux Debian Linux 3.0 Source http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2.dsc http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2.diff.gz http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4.orig.tar.gz Alpha http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_alpha.deb ARM http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_ia64.deb HP Precision http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/l/lvm10/lvm10_1.0.4-5woody2_sparc.deb Mandrake Linux Mandrake Linux 9.2 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/lvm-1.0.7-2.1.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/lvm-1.0.7-2.1.92mdk.src.rpm Mandrake Linux 9.2/AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/lvm-1.0.7-2.1.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/lvm-1.0.7-2.1.92mdk.src.rpm Mandrake Linux 10.0 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/lvm1-1.0.8-3.1.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/lvm1-1.0.8-3.1.100mdk.src.rpm Mandrake Linux 10.0/AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/lvm1-1.0.8-3.1.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/lvm1-1.0.8-3.1.100mdk.src.rpm Mandrake Linux 10.1 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/lvm1-1.0.8-3.1.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/lvm1-1.0.8-3.1.101mdk.src.rpm Mandrake Linux 10.1/X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/lvm1-1.0.8-3.1.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/lvm1-1.0.8-3.1.101mdk.src.rpm Corporate Server 2.1 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/lvm-1.0.1-2.1.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/lvm-1.0.1-2.1.C21mdk.src.rpm Corporate Server 2.1/X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/lvm-1.0.1-2.1.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/lvm-1.0.1-2.1.C21mdk.src.rpm
Standar resources
Property	Value
CVE	CAN-2004-0972
BID
Other resources
Debian Security Advisory DSA 583-1 http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00192.html Mandrake Linux security advisory (MDKSA-2004:144) http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:144

Version history
Version	Comments	Date
1.0	Aviso emitido	2004-11-04
1.1	Aviso emitido por Mandrake Linux (MDKSA-2004:144)	2004-12-07

Vulnerability Bulletins

Creación insegura de archivos temporales en lvm10

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history