7744059 2002-01-03 17:04 -0200 /130 rader/ <secure@conectiva.com.br> Sänt av: joel@lysator.liu.se Importerad: 2002-01-03 22:45 av Brevbäraren Extern mottagare: conectiva-updates@papaleguas.conectiva.com.br Extern mottagare: linsec@lists.seifried.org Extern mottagare: lwn@lwn.net Extern mottagare: bugtraq@securityfocus.com Extern mottagare: security-alerts@linuxsecurity.com Mottagare: Bugtraq (import) <20350> Ärende: [CLA-2002:448] Conectiva Linux Security Announcement - libgtop ------------------------------------------------------------ From: secure@conectiva.com.br To: conectiva-updates@papaleguas.conectiva.com.br, linsec@lists.seifried.org, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com Message-ID: <200201031904.RAA18050@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : libgtop SUMMARY : libgtop vulnerabilities DATE : 2002-01-03 17:03:00 ID : CLA-2002:448 RELEVANT RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0 - ------------------------------------------------------------------------- DESCRIPTION LibGTop (from the Gnome project) is a library that fetches system related information such as CPU Load, Memory Usage and running processes. It includes a daemon (libgtop_daemon) which can be used to monitor processes remotely. There are two libgtop_daemon vulnerabilities addressed by this advisory: The first one[1] was found by the Laboratory intexxia and is related to a format string vulnerability in the libgtop_daemon logging mechanisms. The second[2] was found later[3] by Flavio Veloso when investigating the first and is a buffer overflow in the same part of the code. By exploiting any of the vulnerabilities an attacker would be able to execute arbitrary code with the privileges of the user libgtop_daemon is running as. Notice that libgtop_daemon is not invoked by default anywhere in Conectiva Linux, even if you're running Gnome as your desktop. SOLUTION All libgtop users should upgrade. Notice that if you're running libgtop_daemon, it must be restarted manually after the new packages get installed. REFERENCES: 1.http://www.securityfocus.com/archive/1/242542 2.http://www.securityfocus.com/bid/3594 3.http://www.securityfocus.com/archive/1/242922 DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/libgtop-1.0.13-U51_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-1.0.13-U51_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-devel-1.0.13-U51_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-devel-static-1.0.13-U51_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-examples-1.0.13-U51_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/libgtop-1.0.13-U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-1.0.13-U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-devel-1.0.13-U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-devel-static-1.0.13-U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-examples-1.0.13-U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/libgtop-1.0.13-U70_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-1.0.13-U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-devel-1.0.13-U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-devel-static-1.0.13-U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-examples-1.0.13-U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8NKsf42jd0JmAcZARAk3AAJ9LdGate06r1wYr4IxQ6BGxaMu13QCg0838 jyQcvhBuJ1uhU92xksMZCts= =t6HB -----END PGP SIGNATURE----- (7744059) / <secure@conectiva.com.br>/----(Ombruten)