[Momonga-devel.en:00010] [im] im-141-11m, a security update
- To: users.en@xxxxxxxxxxxxxxxxx, devel.en@xxxxxxxxxxxxxxxxx
- From: HOSONO Hidetomo <h@xxxxxxxx>
- Date: Tue, 29 Oct 2002 22:30:18 +0900 (JST)
im-141-11m is committed to the CVS repository
because a patch for the fix of im security hole has been released.
All changes are below:
* Tue Oct 29 2002 HOSONO Hidetomo <h@xxxxxxxx>
- add a patch http://tats.iris.ne.jp/im/im-141+tats20021028.diff
(from mew-dist@xxxxxxx and mew-int@xxxxxxx)
- delete a patch http://tats.iris.ne.jp/im/im-141+tats20020413.diff
- change the source URL
- not include Source0
- move a buildroot cleaning procedure to the install phase
- adapt buildroot cleaning procedures for
- correct the changelog misspelling, "Tatsuya Kinoshi" to "Tatsuya Kinoshita"
- let this spec file use macros instead of rpm environment variables
- change the string "/usr/local/lib/" to "/etc/"
in comments of /etc/im/SiteConfig
- add a definition of "bindir" in the install phase
- change my name on the previous changelog entry,
"Hidetomo Hosono" to "HOSONO Hidetomo" :D
HOSONO Hidetomo <URL:http://www.h12o.org/>
--- Begin Message ---
- To: mew-dist@xxxxxxx, mew-int@xxxxxxx
- From: Tatsuya Kinoshita <tats@xxxxxxxxxxxxxx>
- Date: Mon, 28 Oct 2002 22:46:02 +0900 (JST)
I discovered that IM141 (and previous versions) creates temporary
(1) The impwagent program creates a temporary directory in an
insecure manner in /tmp using predictable directory names, so
it's possible to seize a permission of the temporary directory by
local access as another user.
(2) The immknmz program creates a temporary file in an insecure
manner in /tmp using a predictable filename, so an attacker with
local access can easily create and overwrite files as another
user. (This vulnerability was already fixed by Koga Youichirou
in [mew-dist 18577] and IM141+tats20011108, but the `predictable
filename' issue was not fixed.)
These problems have been fixed in the unofficial patch,
IM141+tats20021028. I recommend that you upgrade your IM
(IM (Internet Message) is user interface commands and backend
Perl libraries for E-mail and NetNews. They are designed to be
used both from Mew version 1.x and on command line.)
I'm going to maintain IM officially. I obtained Kazu's consent.
I'll release IM142 in no distant future.
--- End Message ---
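
The two problems described in the forwarded advisory, a predictable temporary file name and a predictable temporary directory name, shown as an added example that is not part of either message: this is Python, not IM's Perl code and not the IM141+tats20021028 patch. It contrasts opening a fixed name with exclusive creation and with `mkdtemp`. The sandbox directory, the file names and the function names are constructed for illustration, and a POSIX system is assumed.

```python
import os
import shutil
import stat
import tempfile

def open_predictable(path):
    """Weak pattern: fixed name, no O_EXCL, so an existing symlink is followed."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def open_exclusive(path):
    """O_CREAT|O_EXCL fails if anything, a symlink included, already sits at path."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)

def make_private_dir(parent, prefix):
    """mkdtemp picks a random name and creates it with mode 0700; verify the result."""
    d = tempfile.mkdtemp(prefix=prefix, dir=parent)
    st = os.lstat(d)
    if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) != 0o700:
        raise RuntimeError("temporary directory is not private: " + d)
    return d

def run_demo():
    sandbox = tempfile.mkdtemp(prefix="tmp-sandbox-")  # stands in for /tmp
    try:
        target = os.path.join(sandbox, "other-users-file")  # constructed
        name = os.path.join(sandbox, "immknmz.tmp")  # constructed predictable name
        with open(target, "w") as f:
            f.write("keep me")
        os.symlink(target, name)  # something already exists at the known name
        os.close(open_predictable(name))  # follows the link, truncates target
        with open(target) as f:
            clobbered = f.read() == ""
        with open(target, "w") as f:
            f.write("keep me")
        try:
            os.close(open_exclusive(name))
            refused = False
        except FileExistsError:
            refused = True
        with open(target) as f:
            intact = f.read() == "keep me"
        private = make_private_dir(sandbox, "impwagent-")
        mode = oct(stat.S_IMODE(os.lstat(private).st_mode))
        return {"clobbered": clobbered, "refused": refused, "intact": intact, "dir_mode": mode}
    finally:
        shutil.rmtree(sandbox)

if __name__ == "__main__":
    print(run_demo())
```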