Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0722 -- Debian Security Advisory DSA 814-1
New lm-sensors packages fix insecure temporary file
19 September 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: lm-sensors
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Linux variants
Impact: Overwrite Arbitrary Files
Access: Existing Account
CVE Names: CAN-2005-2672
Original Bulletin: http://www.debian.org/security/2005/dsa-814
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 814-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 15th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : lm-sensors
Vulnerability : insecure temporary file
Problem type : local
Debian-specific: no
CVE ID : CAN-2005-2672]
Debian Bug : 324193
Javier Fernández-Sanguino Peña discovered that a script of lm-sensors,
utilities to read temperature/voltage/fan sensors, creates a temporary
file with a predictable filename, leaving it vulnerable for a symlink
attack.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in
version 2.9.1-1sarge2.
For the unstable distribution (sid) this problem has been fixed in
version 2.9.1-7.
We recommend that you upgrade your lm-sensors package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2.dsc
Size/MD5 checksum: 1089 b29b66e67c0cdc230e00e5183724427a
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2.diff.gz
Size/MD5 checksum: 32896 551c338fbc31a17f7fd909c8c18f495e
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1.orig.tar.gz
Size/MD5 checksum: 870765 f5af615e39441d95471bdb72a3f01709
Architecture independent components:
http://security.debian.org/pool/updates/main/l/lm-sensors/kernel-patch-2.4-lm-sensors_2.9.1-1sarge2_all.deb
Size/MD5 checksum: 304604 9b936604bcb60dd90c26de965bc8ae7f
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-source_2.9.1-1sarge2_all.deb
Size/MD5 checksum: 956166 a4cc7cf62245912cca061249e7ff153e
Alpha architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_alpha.deb
Size/MD5 checksum: 107734 6672ce70e0a11a3db57b5cc5410a887f
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_alpha.deb
Size/MD5 checksum: 88004 07333a65127b12aaa3bb7593ca998fc8
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_alpha.deb
Size/MD5 checksum: 469638 2894c427fa1a171588ee25ec7944aeae
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_alpha.deb
Size/MD5 checksum: 60162 996e3f4caa6f99a509612ed9409538a1
AMD64 architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_amd64.deb
Size/MD5 checksum: 99604 5a2ecb59416841693f291c18ffc36b9f
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_amd64.deb
Size/MD5 checksum: 86024 be04743cfbe7a3dba14522ce35807a46
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_amd64.deb
Size/MD5 checksum: 471644 de8c9584f1d5bc2a2fc4134ebb0a5958
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_amd64.deb
Size/MD5 checksum: 57960 7d2bcf38f644cc293814d9be97e7e462
ARM architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_arm.deb
Size/MD5 checksum: 95374 76afc070abfaca6877c53b3dc97e2efe
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_arm.deb
Size/MD5 checksum: 77598 688a884f1c1a3d9966863f9dd13e6378
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_arm.deb
Size/MD5 checksum: 466524 f60ec616c55ffecd7d32d9ce6701520b
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_arm.deb
Size/MD5 checksum: 56518 001487c8ebf59a64eca3c4b1ebd3a4fc
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 93822 18985e4483e7ba7f1ee4e08c31e77ee6
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 77704 c7360febfe8fb136d4edc7447c4a3787
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 471594 4bb236b1ad878a31115d7231f624d53b
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-386_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 258638 9dab2f0c6ca40bb6b1fa648c72dea266
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-586tsc_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 258646 27ec0369b7e5710cfa9b8a2f6dc7f976
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-686_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 258638 7b59494c8c7e836392ec8d29832a37f7
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-686-smp_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 259220 1f84862f63d4b84ca52d3b0188eae27f
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k6_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 258658 f44895c10b0a2a66f9f8fc2fc1c08945
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k7_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 258950 fc63b5a3190378d192810b865db159d7
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k7-smp_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 259496 acbd3d286c9f83c33075207a32297bfe
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_i386.deb
Size/MD5 checksum: 56282 4aaa87fa8ec4a9c7a80cc5fa2a2a65c7
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_ia64.deb
Size/MD5 checksum: 110518 31b9a4a92124027fc290af68a33c9d72
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_ia64.deb
Size/MD5 checksum: 94704 1c7b33cb67d43b00bc5c560e010cba42
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_ia64.deb
Size/MD5 checksum: 487502 b2c2e822feccd91e2cf4e16b788ee8b2
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_ia64.deb
Size/MD5 checksum: 63894 6f5dd42f2e9bfe4e6f6dfc0d657c231c
HP Precision architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_hppa.deb
Size/MD5 checksum: 103444 b90312374564a949899f1fc5efe0afca
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_hppa.deb
Size/MD5 checksum: 88110 c2c6817f83c05784e7ae6dfb342c3f45
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_hppa.deb
Size/MD5 checksum: 470520 cff17a1708ab3698cbe576845758f040
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_hppa.deb
Size/MD5 checksum: 59432 2316f77020a58c9bbcb4680e39093872
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_m68k.deb
Size/MD5 checksum: 95016 2570abfafb354bf68ff57e294010d9bd
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_m68k.deb
Size/MD5 checksum: 82760 8575a48b3ae56c05aa33b1dec7b7e7d8
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_m68k.deb
Size/MD5 checksum: 457278 2b04efc7078bfcac49bae53de1fa37f4
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_m68k.deb
Size/MD5 checksum: 55334 acf8cedc0bc7b9fcce51bf4028346aa4
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_mips.deb
Size/MD5 checksum: 101340 65525f23eed1bb8bd56104db43613b64
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_mips.deb
Size/MD5 checksum: 80346 78e1796d19b2a450001b7db46fa00971
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_mips.deb
Size/MD5 checksum: 464976 77c81982d7dc7a6e3059e9b7bfe843ae
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_mips.deb
Size/MD5 checksum: 58392 fce20208178fcf5e8b34f037a89ebeb8
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_mipsel.deb
Size/MD5 checksum: 99308 561831d67a0b6c5a2c23ce19d63fd4e9
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_mipsel.deb
Size/MD5 checksum: 78318 bf864fc9cc93f35f74cb383916b93187
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_mipsel.deb
Size/MD5 checksum: 465612 90be081b2fe5d58208cdc22f922ace6a
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_mipsel.deb
Size/MD5 checksum: 58452 862e8a3b5f5bf5ab9a7e37f91828a96a
PowerPC architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_powerpc.deb
Size/MD5 checksum: 105926 1c01fa48983ca51785fb6cebcb1352e7
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_powerpc.deb
Size/MD5 checksum: 84122 362b899e12a413c46a1aa3bb80ae9564
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_powerpc.deb
Size/MD5 checksum: 476730 326fe3274869079637c4a425430d9cc9
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_powerpc.deb
Size/MD5 checksum: 59362 2be27fc39b66107b8bc28df51bfd929f
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_s390.deb
Size/MD5 checksum: 105122 aa913f7a24298b97954809094c966d13
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_s390.deb
Size/MD5 checksum: 86884 2c6ebcada8848923a727f21d348089bf
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_s390.deb
Size/MD5 checksum: 463706 d0d5e649c114bd891c9dd5a742b3dd7f
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_s390.deb
Size/MD5 checksum: 57970 fccda7621dfee8331517dc5f47587246
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_sparc.deb
Size/MD5 checksum: 100274 63098e8e9f4c3fab8147c04aa17d811c
http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_sparc.deb
Size/MD5 checksum: 80906 18db5ab878c2185c7a999f968b36e204
http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_sparc.deb
Size/MD5 checksum: 470238 3edce01e75344d0a8a3985c564060243
http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_sparc.deb
Size/MD5 checksum: 56654 c47257c9c9263f657a3e96f55b14c40b
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDKYEPW5ql+IAeqTIRAvkXAJsG3t7J+SurPWsgUlq3bgSvDTBr3gCgtCBV
zykdnzOaXU1T+P83Q3O0KLQ=
=z0Ex
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQy4gqih9+71yA2DNAQK04AP/Q16yi92rDf7rsoFI4kq3pM0qq9OOIkst
Tc2YdOTu3DBEjofIzon3LeO8KJzIuMdJZ20z0gp72zzmxHlbF4MiF487qbyWOud4
LAP+8aEpnSaSg6V2T8n93nvnjqpvp6U04A2AZUCzjJ7id1I9uBiyYQCC3aftVm/K
8ID6nBdbiXY=
=A/J+
-----END PGP SIGNATURE-----