[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Momonga-devel.en:00010] [im] im-141-11m, a security update



Hello, all.

im-141-11m is commited to the CVS repository
because a patch for the fix of im security hole has been released.

All changes are below:

  * Tue Oct 29 2002 HOSONO Hidetomo <h@xxxxxxxx>
  - (141-11m)
  - add a patch http://tats.iris.ne.jp/im/im-141+tats20021028.diff
    (from mew-dist@xxxxxxx and mew-int@xxxxxxx)
  - delete a patch http://tats.iris.ne.jp/im/im-141+tats20020413.diff
  - change the source URL
  - not include Source0
  - move a buildroot cleaning procedure to the install phase
  - adapt buildroot cleaning procedures for
    http://www.momonga-linux.org/docs/Specfile-Guidance/ja/tag.html#clean
  - correct the changelog spell miss, "Tatsuya Kinoshi" to "Tatsuya Kinoshita"
  - let this spec file use macros instead of rpm environment variables
  - change the string "/usr/local/lib/" to "/etc/"
    in comments of /etc/im/SiteConfig
  - add a definition of "bindir" in the install phase
  - change my name on the previous changelog entry,
    "Hidetomo Hosono" to "HOSONO Hidetomo" :D

--
HOSONO Hidetomo <URL:http://www.h12o.org/>

--- Begin Message ---
I discovered that IM141 (and previous versions) creates temporary
files insecurely.

(1) The impwagent program creates a temporary directory in an
insecure manner in /tmp using predictable directory names, so
it's possible to seize a permission of the temporary directory by
local access as another user.

(2) The immknmz program creates a temporary file in an insecure
manner in /tmp using a predictable filename, so an attacker with
local access can easily create and overwrite files as another
user.  (This vulnerability was already fixed by Koga Youichirou
in [mew-dist 18577] and IM141+tats20011108, but the `predictable
filename' issue was not fixed.)

These problems have been fixed in the unofficial patch,
IM141+tats20021028.  I recommend that you upgrade your IM
package.

  http://tats.iris.ne.jp/im/im-141+tats20021028.diff
  http://tats.iris.ne.jp/im/im-141.tar.gz

(IM (Internet Message) is user interface commands and backend
Perl libraries for E-mail and NetNews.  They are designed to be
used both from Mew version 1.x and on command line.)

P.S.

I'm going to maintain IM officially.  I obtained Kazu's consent.
I'll release IM142 in no distant future.

-- 
Tatsuya Kinoshita

--- End Message ---