|
|
| Problem Description |
A severe security issue has been discovered in Smb4K. By linking a
simple text file FILE to /tmp/smb4k.tmp or /tmp/sudoers, an attacker
could get access to the full contents of the /etc/super.tab or
/etc/sudoers file, respectively, because Smb4K didn't check for the
existance of these files before writing any contents. When using super,
the attack also resulted in /etc/super.tab being a symlink to FILE.
Affected are all versions of the 0.4, 0.5, and 0.6 series of Smb4K.
The updated packages have been patched to correct this problem.
| Updated Packages |
Mandrakelinux 10.1
dd4471a3de6feb035637f15dd75d8d56 10.1/RPMS/smb4k-0.4.0-3.1.101mdk.i586.rpm d56d014b32bf1ec767fc018f0e40c245 10.1/SRPMS/smb4k-0.4.0-3.1.101mdk.src.rpm
Mandriva Linux LE2005
a1fd04d53c4c32d69f74bf17a255c250 10.2/RPMS/smb4k-0.5.1-1.1.102mdk.i586.rpm 30d1745f5dafea4c2d12c7b6a7c09526 10.2/SRPMS/smb4k-0.5.1-1.1.102mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2851
http://smb4k.berlios.de
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.