SecurityTracker.com
Category:   Application (Generic)  >   Midnight Commander
Vendors:   GNU Midnight Commander Project
Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1009981
SecurityTracker URL:  http://securitytracker.com/id/1009981
CVE Reference:   CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Updated:  May 14 2004
Original Entry Date:  Apr 30 2004
Impact:   User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Several vulnerabilities were reported in Midnight Commander. A local user may be able to obtain elevated privileges.

Debian and Mandrake reported multiple vulnerabilities in Midnight Commander. The flaws include several buffer overflows [CVE: CAN-2004-0226], a format string vulnerability [CVE: CAN-2004-0232], and a temporary file and directory creation vulnerability [CVE: CAN-2004-0231].

Jakub Jelinek is credited with discovering the flaws.

Impact:   A local user may be able to gain the privileges of the user running mc.
Solution:   The report indicates that these flaws have been fixed in the upstream version.

[Editor's note: From minor code review, it appears that at least some of these flaws may have been corrected as many as two years ago in the upstream version.]

Vendor URL:  www.ibiblio.org/mc/
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 30 2004 (Mandrake Issues Fix) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Apr 30 2004 (Debian Issues Fix) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
Apr 30 2004 (Red Hat Issues Fix for RH Linux) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Linux 9.
May 4 2004 (Red Hat Issues Fix for Fedora) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (Jakub Jelinek <jakub@redhat.com>)
Red Hat has released a fix for Fedora.
May 14 2004 (SuSE Issues Fix) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (thomas@suse.de (Thomas Biege))
SuSE has released a fix.
May 17 2004 (Slackware Issues Fix) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
May 20 2004 (Red Hat Issues Fix for RH Enterprise Linux) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
May 26 2004 (Gentoo Issues Fix) Midnight Commander Has Multiple Bugs That May Let Local Users Gain Elevated Privileges   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Thu, 29 Apr 2004 22:54:29 -0400
Subject:  Midnight Commander vulnerabilities


Mandrake reported multiple vulnerabilities in Midnight Commander.

The flaws include several buffer overflows (CAN-2004-0226), a format string vulnerability 
(CAN-2004-0232), and a temporary file and directory creation vulnerability (CAN-2004-0231).

Jakub Jelinek is credited with discovering the flaws.


 
 



Copyright 2013, SecurityGlobal.net LLC