[RHSA-2002:202-25] Updated python packages fix predictable temporary file
From: <redhat-announce-list-admin(at)redhat.com>
Date: Tue Jan 21 2003 - 15:00:04 EST
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated python packages fix predictable temporary file
Advisory ID: RHSA-2002:202-25
Issue date: 2003-01-21
Updated on: 2003-01-21
Product: Red Hat Linux
Keywords: symlink os.excvpe flaw:link
Cross references:
Obsoletes:
CVE Names: CAN-2002-1119
An insecure use of a temporary file has been found in Python. This erratum provides updated Python packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Python is an interpreted, interactive, object-oriented programming language.

Zack Weinberg discovered that os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names. This could allow local users to execute arbitrary code via a symlink attack.

All users should upgrade to these errata packages which contain a patch to python 1.5.2 and are not vulnerable to this issue.

Please note that for Red Hat Linux 7.3 we have updated the python2 packages from version 2.2 to version 2.2.2.

Red Hat Linux 8.0 shipped a version of Python that already contained a fix for this issue and is therefore not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
i386:
ftp://updates.redhat.com/6.2/en/os/i386/python-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-devel-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-docs-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/python-tools-1.5.2-42.62.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/tkinter-1.5.2-42.62.i386.rpm

Red Hat Linux 7.0:

SRPMS:
i386:
ftp://updates.redhat.com/7.0/en/os/i386/python-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.1:

SRPMS:
i386:
ftp://updates.redhat.com/7.1/en/os/i386/python-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-devel-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-docs-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/python-tools-1.5.2-42.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tkinter-1.5.2-42.71.i386.rpm

Red Hat Linux 7.2:

SRPMS:
i386:
ftp://updates.redhat.com/7.2/en/os/i386/python-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-devel-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-docs-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python-tools-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/tkinter-1.5.2-42.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python2-2.1.1-2.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/python2-devel-2.1.1-2.72.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/python-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-devel-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-docs-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python-tools-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/tkinter-1.5.2-42.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python2-2.1.1-2.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/python2-devel-2.1.1-2.72.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
i386:
ftp://updates.redhat.com/7.3/en/os/i386/python-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-devel-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-docs-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python-tools-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/tkinter-1.5.2-42.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-devel-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/python2-docs-2.2.2-3.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/tkinter2-2.2.2-3.7.3.i386.rpm

6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
7e68369c396be300c8abb8334d4cae2d 7.3/en/os/i386/tkinter-1.5.2-42.73.i386.rpm
c4fced6272839041ce9252d06079d43c 7.3/en/os/i386/tkinter2-2.2.2-3.7.3.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    md5sum <filename>

7. References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119

8. Contact:

The Red Hat security contact is <security@redhat.com>. More contact details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

redhat-announce-list mailing list
redhat-announce-list@redhat.com
https://listman.redhat.com/mailman/listinfo/redhat-announce-list

Received on Tue Jan 21 15:11:59 2003
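
Added example (not part of the Red Hat advisory and not the code from Python's os.py): the class of flaw named under "Problem description", a predictable temporary file name combined with a pre-planted symlink, shown beside two hardened ways of creating the file. The function names, the PID-based file name and the sandbox directory are constructed for illustration; everything runs inside a private directory that is removed afterwards.

```python
import os
import shutil
import tempfile
from pathlib import Path


def insecure_write(path, data):
    # Flawed pattern: open() on a guessable name follows an existing symlink.
    with open(path, "w") as fh:
        fh.write(data)


def secure_write(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if the name exists, symlinks included.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    sandbox = tempfile.mkdtemp(prefix="rhsa-demo-")  # private, constructed area
    try:
        target = os.path.join(sandbox, "important.conf")
        insecure_write(target, "original")
        # Guessable (PID-based) name that already exists as a link to target.
        guess = os.path.join(sandbox, "tmp.%d" % os.getpid())
        os.symlink(target, guess)
        results = {}
        insecure_write(guess, "scratch data")
        # The write went through the link and replaced the target's content.
        results["insecure_target"] = Path(target).read_text()

        insecure_write(target, "original")  # reset before the hardened run
        try:
            secure_write(guess, "scratch data")
            results["secure_refused"] = False
        except FileExistsError:
            results["secure_refused"] = True
        results["secure_target"] = Path(target).read_text()
        # Preferred: mkstemp picks a random name and opens it O_EXCL, mode 0600.
        fd, name = tempfile.mkstemp(dir=sandbox)
        os.close(fd)
        results["mkstemp_mode"] = oct(os.stat(name).st_mode & 0o777)
        return results
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

When auditing older code for the same pattern, look for file names built from the PID or a timestamp, and for tempfile.mktemp(), which only returns a name and leaves a window before the file is created.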