Published: 05 April 2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2004.0244 -- Debian Security Advisory DSA 472-1
                   New fte packages fix buffer overflows
                               05 April 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                fte
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux
Impact:                 Root Compromise
Access Required:        Existing Account
CVE Names:              CAN-2003-0648

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 472-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
April 3rd, 2004                         http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : fte
Vulnerability  : several
Problem-Type   : buffer overflows
Debian-specific: no
CVE Ids        : CAN-2003-0648
Debian bug     : #203871

Steve Kemp and Jaguar discovered a number of buffer overflow
vulnerabilities in vfte, a version of the fte editor which runs on the
Linux console, found in the package fte-console.  This program is
setuid root in order to perform certain types of low-level operations
on the console.

Due to these bugs, setuid privilege has been removed from vfte, making
it only usable by root.  We recommend using the terminal version (in
the fte-terminal package) instead, which runs on any capable terminal
including the Linux console.

For the stable distribution (woody) these problems have been fixed in
version 0.49.13-15woody1.

For the unstable distribution (sid) these problems have been fixed in
version 0.50.0-1.1.

We recommend that you update your fte package.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1.dsc
      Size/MD5 checksum:      609 4ce3f8d5ce68e70d8f5800171eb3b4b2
    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1.tar.gz
      Size/MD5 checksum:   559912 4e35205cf4256fbac041ba290e633f30

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_alpha.deb
      Size/MD5 checksum:    74102 83dedc8a780725dbe8073b081a653828
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_alpha.deb
      Size/MD5 checksum:   199602 ab0c0c86670e4f2f64651f52f7a0403a
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_alpha.deb
      Size/MD5 checksum:   122700 7be26dee16c2d2938b4f8273562c56b3
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_alpha.deb
      Size/MD5 checksum:   197942 5d6ee59128a9360e1c0dc62805c0e100
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_alpha.deb
      Size/MD5 checksum:   207180 b85e97f12de35cee17d68ede3e933ba2

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_arm.deb
      Size/MD5 checksum:    71608 5e8d77bf80748f3607a99301d111c507
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_arm.deb
      Size/MD5 checksum:   150768 22e3b88059d61140e81222a043bc0e55
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_arm.deb
      Size/MD5 checksum:   122718 e99955a854dbd95537b885921d2b20b5
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_arm.deb
      Size/MD5 checksum:   148560 022486dd73f78054855e55efe3a90b3b
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_arm.deb
      Size/MD5 checksum:   156664 86d50122eb5b823bcb30a1d37ba351c5

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_i386.deb
      Size/MD5 checksum:    71626 16729e271bb38948ae89ba3766dc8491
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_i386.deb
      Size/MD5 checksum:   141516 1645111f30e339cbed6ef4bb13cb803f
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_i386.deb
      Size/MD5 checksum:   124322 d8fd1efd66cd696a88c6e403bdff0d2b
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_i386.deb
      Size/MD5 checksum:   140162 ff1d2c613b40834b5f23411a61560ead
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_i386.deb
      Size/MD5 checksum:   146778 385b06d99a0150e187dd98e94e29fe36

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_ia64.deb
      Size/MD5 checksum:    78128 c6eb92920b98887390928b1655502b9d
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_ia64.deb
      Size/MD5 checksum:   264434 d2ac6731be692ba2498107ef5d9cc6bc
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_ia64.deb
      Size/MD5 checksum:   122696 9ae248e75e671bc03a2964e3b7bb2cae
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_ia64.deb
      Size/MD5 checksum:   261032 2e18827c056d7f99993db4d0bebfe4fb
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_ia64.deb
      Size/MD5 checksum:   273122 60b262caccd4290008e40cb149b8301e

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_hppa.deb
      Size/MD5 checksum:    73998 ac99b815a02e58311c53e1f8cb068c1c
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_hppa.deb
      Size/MD5 checksum:   207580 4ac741368c8ee3c9951c038a4eec914c
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_hppa.deb
      Size/MD5 checksum:   122706 d651c44366bda7660ad08b9c346c7a2e
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_hppa.deb
      Size/MD5 checksum:   205592 e52154184595ef322973d5f95772863c
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_hppa.deb
      Size/MD5 checksum:   214532 2e6bd1b6e35b6e5c84574495262698dc

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_m68k.deb
      Size/MD5 checksum:    70378 6655c66baab59b983f77f30ef3f16bb3
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_m68k.deb
      Size/MD5 checksum:   126710 f69dcd049d92ff4dac8494989c5cbede
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_m68k.deb
      Size/MD5 checksum:   122714 aadab6ad515ec1acfc39044cfc3d6c5b
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_m68k.deb
      Size/MD5 checksum:   125352 e6c5588ebd0808b3069ac09b1a8e7c7f
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_m68k.deb
      Size/MD5 checksum:   131720 2c15fec4f2e5234907a2e78f63f2cf8d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_mips.deb
      Size/MD5 checksum:    71976 edf9be1182ff20fb63c34dd7bca5911d
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_mips.deb
      Size/MD5 checksum:   189068 a58b831e5b5dcce139df5243ab9cfab9
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_mips.deb
      Size/MD5 checksum:   122808 2a9de827c427cd7b44223096c1b6fa53
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_mips.deb
      Size/MD5 checksum:   186822 f68f2e7bc58495a3d7a87e449e14ea7f
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_mips.deb
      Size/MD5 checksum:   195160 47c26ca11949aad7dcbe5c7c1c6dff20

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_mipsel.deb
      Size/MD5 checksum:    71926 65757722fa2cb9df9e6139037bd7603b
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_mipsel.deb
      Size/MD5 checksum:   188276 8de060e1f996b7aa6847180430286c3b
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_mipsel.deb
      Size/MD5 checksum:   122690 f7f79c453c5b94f111a3aa73c17dc9c0
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_mipsel.deb
      Size/MD5 checksum:   186174 3c1cda10c450f4694a950bfb3d818876
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_mipsel.deb
      Size/MD5 checksum:   194628 b9bde5aa9ac546bc44dc7c3e73cc65a8

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_powerpc.deb
      Size/MD5 checksum:    72144 f2e256f4e7802a8c65f4f0159d27851a
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_powerpc.deb
      Size/MD5 checksum:   153434 f6b1ad3a7e77af9daac9114f00e62b7c
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_powerpc.deb
      Size/MD5 checksum:   122704 20fa2128e9d5d6456cfafe399d876d9e
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_powerpc.deb
      Size/MD5 checksum:   151558 716c7bcdefe356a338341c08fcf4ea59
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_powerpc.deb
      Size/MD5 checksum:   159448 2b7e59957df4ff0d66bf46b481c0de46

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_s390.deb
      Size/MD5 checksum:    70960 e9d119f457361dc983eab526ad826143
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_s390.deb
      Size/MD5 checksum:   149092 5012101938d0597fc421ac09c2b10c66
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_s390.deb
      Size/MD5 checksum:   122702 0a6176acf340fc75396c89d64e891675
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_s390.deb
      Size/MD5 checksum:   147520 8245176bfb3c5ffaa1aff525ddc9f50b
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_s390.deb
      Size/MD5 checksum:   155422 cca9f5f4fdafcb89bdee5afb117bf125

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fte/fte_0.49.13-15woody1_sparc.deb
      Size/MD5 checksum:    72158 26de448213afdbaf9dae2920448f7370
    http://security.debian.org/pool/updates/main/f/fte/fte-console_0.49.13-15woody1_sparc.deb
      Size/MD5 checksum:   142988 1612dd5fc622aeb1de19dbec8840e457
    http://security.debian.org/pool/updates/main/f/fte/fte-docs_0.49.13-15woody1_sparc.deb
      Size/MD5 checksum:   122710 1c3903d536725137443aa9680cd3500f
    http://security.debian.org/pool/updates/main/f/fte/fte-terminal_0.49.13-15woody1_sparc.deb
      Size/MD5 checksum:   141242 0c7d30f936f0f86e11beea711977fb77
    http://security.debian.org/pool/updates/main/f/fte/fte-xwindow_0.49.13-15woody1_sparc.deb
      Size/MD5 checksum:   149172 5723b04f45c2d3a8ed480c34a683af34

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAb5ohArxCt0PiXR4RAiFzAJ9fmHuMD68iw2eEYI2WTpY3u9ol3QCcC6xy
Y00d4Fd8MKjBCr8+c2oVeUs=
=nnVM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
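
The advisory's file list pairs each package URL with a "Size/MD5 checksum:" line. The following is an added example, not part of the Debian or AusCERT text: a shell check that compares a downloaded file against those two values before it is handed to dpkg -i. It assumes md5sum from coreutils; the sample file name and the example.org URL are constructed.

```shell
#!/bin/sh
# Added example: check a downloaded package against the advisory's
# "Size/MD5 checksum:" line before running dpkg -i. Assumes md5sum (coreutils).

# expected_for ADVISORY NAME: print "SIZE MD5" listed for package file NAME.
expected_for() {
    awk -v want="$2" '
        # A URL line names the package; keep only its basename.
        $1 ~ /^(http|ftp):\/\// { n = split($1, p, "/"); name = p[n]; next }
        # The checksum line that follows belongs to that package.
        $1 == "Size/MD5" && $2 == "checksum:" {
            if (name == want) { print $3, $4; exit }
            name = ""
        }' "$1"
}

# verify_deb ADVISORY FILE: 0 = match, 1 = mismatch, 2 = not in advisory.
verify_deb() {
    exp=$(expected_for "$1" "$(basename "$2")")
    [ -n "$exp" ] || { echo "NOT LISTED: $2" >&2; return 2; }
    act="$(wc -c < "$2" | tr -d ' ') $(md5sum "$2" | cut -d' ' -f1)"
    [ "$act" = "$exp" ] && { echo "OK: $2"; return 0; }
    echo "MISMATCH: $2 (advisory: $exp, file: $act)" >&2
    return 1
}

# make_sample DIR: constructed stand-in package plus an advisory excerpt in the
# same layout as above (hypothetical file name, values computed from the file).
make_sample() {
    f="$1/example_1.0_i386.deb"
    printf 'constructed package bytes\n' > "$f"
    {
        echo "  Intel IA-32 architecture:"
        echo
        echo "    http://security.example.org/pool/example_1.0_i386.deb"
        echo "      Size/MD5 checksum:    $(wc -c < "$f" | tr -d ' ') $(md5sum "$f" | cut -d' ' -f1)"
    } > "$1/advisory.txt"
}
```

The listed values are only as trustworthy as the advisory text they are read from, so verify its PGP signature first; MD5 on its own guards against a corrupted or truncated download, not a deliberately crafted one.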

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQHCliyh9+71yA2DNAQJtYwQAkzZndmJUol5AIrw5/ERlABKfmbTFYy7Z
ehwA2qf+K0f93ZH8AdPvzKc1HV778T17OTVLgkqpKhDaTU2j7kNqumjvLOaDFQHS
jk9+0Bzo0tP7QgCA2HIMDmCMDpClhuh4CjUIUuT0bpfDO9o70V6qnG6PuuMOGqg8
BLsL3hAtPcg=
=Fftp
-----END PGP SIGNATURE-----