Freedom The Open Source Way Contribute Articles or News to OSForgeOSForge HomeLogout from Forums
Contacting OSForgeOSForge HomeAbout OSForge
  

Root
 Contribute News
 Learning Corner
 Linux Distributions
 Linux Common FAQ's
 Discussion Forums
Community Gallery
Links Directory
Search OSForge
Networking
 Industry Updates
 Linux & Open Source
 Opinions
 Press Release
 Programming
 Security
 Web Development
White Paper
Likewise Software Receives Ready for IBM Tivoli Validation
Plat'Home Unveils Final Results of “Will Linux Work?” Contest
Zenoss Announces Record Quarterly Customer Growth amid Struggling Economy
Latest Open-Xchange Server Edition Simplifies Integration, Easily Customizable
Cluster Resources Works With IBM to Provide Moab Hybrid Cluster on iDataPlex
Cluster Resources to Deomonstrate Moab Hybrid Cluster on Windows HPC Server 2008
Cluster Resources to Provide Moab Hybrid Cluster Solution on New Cray CX1(TM)
Plat'Home Unveils Winners of “Will Linux Work?” Contest
Zenoss Core Recognized as Best Open Source Network Monitoring Solution

View More

Conective Linux Security Announcement!
By : Ewdison Then [www] Find more article by Ewdison Then on Security
Thursday the 4th, October 2001 at 11:33 AM (EDT)
Send this Story to a Friend Readers TalkBack (0) - 319 Reads

Printer Friendly Page Printable format
Send this Story to a Friend Foward to Email

Groff is the GNU version of troff, a document processor that ships with most Unix systems. Among other functions, it formats system manual pages into human-readable form." A new release fixes an issue that caused groff to read untrusted commands from working directories, and modifies a command that was vulnerable to a format string attack.

--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE?? : groff
SUMMARY?? : Multiple vulnerabilities in groff
DATE????? : 2001-10-02 16:36:00
ID??????? : CLA-2001:428
RELEVANT
RELEASES? : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0

-------------------------------------------------------------------------

DESCRIPTION
?Groff is the GNU version of troff, a document processor that ships
?with most Unix systems. Among other functions, it formats system
?manual pages into human-readable form.

?This release fixes two security problems:

?1. ISS X-Force released an advisory[1] about GNU Groff utilities
?reading untrusted commands from the current working directory.
?Unsuspecting users, including root, could be tricked into running
?arbitrary commands on the system.

?2. Zenith Parse discovered[2] that the pic command (which is used by
?the printer daemon and others) is vulnerable to a format string
?attack which makes it possible to circumvent groff's safe mode and
?execute commands which would otherwise be disabled.


SOLUTION
?All users should upgrade.


?REFERENCES
?1.? http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=137588
?2.? http://www.securityfocus.com/bid/3103


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/i386/groff-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/groff-extras-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/groff-gxditview-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/groff-doc-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/groff-1.17.2-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/groff-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/groff-extras-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/groff-gxditview-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/groff-doc-1.17.2-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/groff-1.17.2-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/groff-1.17.2-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/groff-extras-1.17.2-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/groff-gxditview-1.17.2-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/groff-doc-1.17.2-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/groff-1.17.2-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/groff-1.17.2-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/groff-extras-1.17.2-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/groff-gxditview-1.17.2-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/groff-doc-1.17.2-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/groff-1.17.2-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/groff-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/groff-extras-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/groff-gxditview-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/groff-doc-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/groff-1.17.2-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/groff-1.17.2-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/groff-extras-1.17.2-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/groff-gxditview-1.17.2-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/groff-doc-1.17.2-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/groff-1.17.2-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/groff-1.17.2-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/groff-extras-1.17.2-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/groff-gxditview-1.17.2-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/groff-doc-1.17.2-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/groff-1.17.2-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/groff-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/groff-extras-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/groff-gxditview-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/groff-doc-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/groff-1.17.2-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/groff-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/groff-extras-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/groff-gxditview-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/groff-doc-1.17.2-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/groff-1.17.2-1U50_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
?Users of Conectiva Linux version 6.0 or higher may use apt to perform
?upgrades of RPM packages:
?- add the following line to /etc/apt/sources.list if it is not there yet
?? (you may also use linuxconf to do this):

?rpm [cncbr]? ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

?- run:???????????????? apt-get update
?- after that, execute: apt-get upgrade

?Detailed instructions reagarding the use of apt and upgrade examples
?can be found at? http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at? http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

?


  
Reader Rating from 1-5

 

Poor very 
1
2
3
4
5 		 very Excellent

Talkback

Post Your Talkback | View All Talkback (0 Posted)

 Currently there are no Talkback posted on "Conective Linux Security Announcement!", Click here to be the first to post a talkback.

 
Scroll Up

   About | Term of Use | Privacy | Contact us | Tell a Friend | Advertise  

 OSForge News RSS Feed