Archive : 2000 : january : susemake - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
SuSE Security Announcement





______________________________________________________________________________



                        SuSE Security Announcement

                        

        Package: make-3.77-44 and earlier

        Date:    Wed Feb  9 17:28:43 CET 2000

        

        Affected SuSE versions: 6.1, 6.3

        Vulnerability Type:     locale root compromise

        SuSE default package:   no

        Other affected systems: all linux systems using make

______________________________________________________________________________



A security hole was discovered in the package mentioned above.

Please update it as soon as possible or disable the service if you are using

this software on your SuSE Linux installation(s).



Other Linux distributions or operating systems might be affected as

well, please contact your vendor for information about this issue. 



Please note that we provide this information on an "as-is" basis only.

There is no warranty whatsoever and no liability for any direct, indirect or  

incidental damage arising from this information or the installation of

the update package.

_____________________________________________________________________________

        

1. Problem Description

        

  If GNU make is fed with Makefiles via stdin it creates temporary files

  in /tmp without checking for links.

        

2. Impact



  A malicous user could execute commands with the privileges of the user

  executing make.

  This security hole could lead to local root compromise if root passes

  Makefiles to make through stdin.



3. Solution



  Update the package from our FTP server.

______________________________________________________________________________



Please verify these md5 checksums of the updates before installing:   

(For SuSE 6.0, please use the 6.1 updates)



e387c78a7046a05d3948c85519904dc6

+<A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/make-3.78.1-4.
alpha.rpm">ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/make-3.78.1-4.alpha.
rpm</A>

fb82691700e3238ed938b41f2933a1f0

+<A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/make-3.78.1-5.
alpha.rpm">ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/make-3.78.1-5.alpha.
rpm</A>  

54e6b458a2e7ba096ad3b0743fef7073

+<A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/make-3.78.1-3.
i386.rpm">ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/make-3.78.1-3.i386.
rpm</A>

099cdc6529b36e085b239af1c0337faf

+<A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/make-3.78.1-2.
i386.rpm">ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/make-3.78.1-2.i386.
rpm</A>

e5eee118d92e61d4b17b3bef112760af

+<A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/make-3.78.1-2.
i386.rpm">ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/make-3.78.1-2.i386.
rpm</A>

______________________________________________________________________________

  

You can find updates on our ftp-Server:



  <A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/i386/update">ftp://ftp.suse.
com/pub/suse/i386/update</A> for Intel processors

  <A TARGET=nonlocal HREF="/external/ftp://ftp.suse.com/pub/suse/axp/update">ftp://ftp.suse.
com/pub/suse/axp/update</A>  for Alpha processors



or try the following web pages for a list of mirrors:

  <A TARGET=nonlocal HREF="/external/http://www.suse.de/ftp.html">http://www.suse.de/ftp.html</A>

  <A TARGET=nonlocal HREF="/external/http://www.suse.com/ftp_new.html">http://www.suse.com/ftp_new.htm

l</A>



Our webpage for patches:

  <A TARGET=nonlocal HREF="/external/http://www.suse.de/patches/index.html">http://www.suse.de/patches

/index.html</A>



Our webpage for security announcements:

  <A TARGET=nonlocal HREF="/external/http://www.suse.de/security">http://www.suse.de/security</A>   



If you want to report vulnerabilities, please contact

  <A HREF="mailto:security@suse.de">security@suse.de</A>

______________________________________________________________________________



SuSE has got two free security mailing list services to which any

interested party may subscribe:



<A HREF="mailto:suse-security@suse.com">suse-security@suse.com</A>          - moderated and for general/linux/SuSE

                                  security discussions. All SuSE security

                                  announcements are sent to this list.



<A HREF="mailto:suse-security-announce@suse.com">suse-security-announce@suse.
com</A> - SuSE's announce-only mailing list.

                                  Only SuSE's security annoucements are sent

                                  to this list.



To subscribe to the list, send a message to:

     <<A HREF="mailto:suse-security-subscribe@suse.com">suse-security-subscribe@suse.
com</A>>



To remove your address from the list, send a message to:

     <<A HREF="mailto:suse-security-unsubscribe@suse.com">suse-security-unsubscribe@suse.
com</A>>



Send mail to the following for info and FAQ for this list:

     <<A HREF="mailto:suse-security-info@suse.com">suse-security-info@suse.com</A>>

     <<A HREF="mailto:suse-security-faq@suse.com">suse-security-faq@suse.com</A>>



_____________________________________________________________________________



  This information is provided freely to everyone interested and may

  be redistributed provided that it is not altered in any way.

                                  

Type Bits/KeyID    Date       User ID

pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <<A HREF="mailto:security@suse.de">security@suse.de</A>>



y