Category:   Application (Generic)  >   Midnight Commander
Vendors:   GNU Midnight Commander Project
(Fedora Issues Fix for MC) GNOME VFS Scripts May Let Users Execute Commands
SecurityTracker Alert ID:  1011137
SecurityTracker URL:  http://securitytracker.com/id/1011137
CVE Reference:   CVE-2004-0494   (Links to External Site)
Date:  Sep 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in the GNOME VFS extfs backend scripts. A remote user may be able to cause commands to be executed on the target system. Midnight Commander, which ships the same scripts, is affected.

Red Hat reported that a remote user can create a specially crafted URL that, when opened by a target user with gnome-vfs, will execute commands with the privileges of the target user.

Some of the extfs scripts shipped with gnome-vfs (and mc) do not properly validate user-supplied input.
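The defect class behind this advisory is shell quoting: an extfs helper builds a command line containing an attacker-influenced name and hands it to /bin/sh, so shell metacharacters in the name are interpreted rather than passed through. The Perl below is an added illustration, not code from the mc or gnome-vfs sources, and the helper names, the tar command it runs and the sample archive name are all assumptions made for the example. It contrasts the string form of command execution with the list form, which never involves a shell.

```perl
#!/usr/bin/perl
# Added example (not from mc/gnome-vfs): shell-string versus list-form
# execution for an archive-listing helper of the kind extfs scripts use.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# The pattern the advisory describes, shown for contrast and never called
# here: one string is handed to /bin/sh, so any metacharacter in $archive
# (space, quote, dollar sign, semicolon) is parsed by the shell instead of
# reaching tar as part of the file name.
sub list_archive_via_shell {
    my ($archive) = @_;
    return `tar tf $archive`;      # string form: interpreted by /bin/sh
}

# Hardened: the list form of open() with '-|' executes tar directly, so the
# argument arrives byte-for-byte. The "--" keeps a name that begins with "-"
# from being read by tar as an option.
sub list_archive {
    my ($archive) = @_;
    open(my $fh, '-|', 'tar', 'tf', '--', $archive)
        or die "cannot run tar: $!";
    my @entries = <$fh>;
    close($fh);
    return @entries;
}

# Constructed demonstration: build a one-member archive whose own name
# contains characters a shell would treat specially, then list it.
sub demo {
    my $dir     = tempdir(CLEANUP => 1);
    my $archive = File::Spec->catfile($dir, q{odd name 'x' $HOME.tar});
    my $member  = File::Spec->catfile($dir, 'hello.txt');

    open(my $out, '>', $member) or die "cannot write $member: $!";
    print {$out} "hello\n";
    close($out);

    # Same list-form discipline when creating the archive.
    system('tar', 'cf', $archive, '-C', $dir, 'hello.txt') == 0
        or die "tar cf failed";

    my @entries = list_archive($archive);
    print "archive listed ", scalar(@entries), " member(s): @entries";
}

demo();
```

Every external invocation in a helper of this kind (`system`, `exec`, backticks, `open` with `-|` or `|-`) needs the same treatment; fixing one call site while leaving another in string form is exactly the "more quoting omissions" situation the changelog below records.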

Impact:   A remote user can cause commands to be executed.
Solution:   Fedora has released a fix for Midnight Commander (which is affected by the gnome-vfs vulnerability), available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

49f1c1f5234fc1d81dd3ffa821e04747 SRPMS/mc-4.6.0-17.fc1.src.rpm
78953790d5f583a77788ad4510cd1fe7 x86_64/mc-4.6.0-17.fc1.x86_64.rpm
1a5730f349b0505fac9cc78425402b8d x86_64/debug/mc-debuginfo-4.6.0-17.fc1.x86_64.rpm
a731762be96fb7a2e00f4c8229f1d8b7 i386/mc-4.6.0-17.fc1.i386.rpm
cbc9a3ba4897d0acc5a7589a8668476b i386/debug/mc-debuginfo-4.6.0-17.fc1.i386.rpm

Cause:   Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC1

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2004 GNOME VFS Scripts May Let Users Execute Commands



Source Message Contents

Subject:  [SECURITY] Fedora Core 1 Update: mc-4.6.0-17.fc1




---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-272
2004-09-01
---------------------------------------------------------------------

Product     : Fedora Core 1
Name        : mc
Version     : 4.6.0
Release     : 17.fc1
Summary     : User-friendly text console file manager and visual shell.
Description :
Midnight Commander is a visual shell much like a file manager, only
with many more features. It is a text mode application, but it also
includes mouse support if you are running GPM. Midnight Commander's
best features are its ability to FTP, view tar and zip files, and to
poke into RPMs for specific files.

---------------------------------------------------------------------
Update Information:

Security fix for http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973.
CAN-2004-0494 extfs vfs vulnerability in mc
---------------------------------------------------------------------
* Sat Aug 21 2004 Jakub Jelinek <jakub@redhat.com> 4.6.0-17.fc1

- 3 more quoting omissions in a.in

* Sat Aug 21 2004 Jakub Jelinek <jakub@redhat.com> 4.6.0-17

- fix shell quoting in extfs perl scripts
  (Leonard den Ottolander, #127973, CAN-2004-0494)

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

49f1c1f5234fc1d81dd3ffa821e04747  SRPMS/mc-4.6.0-17.fc1.src.rpm
78953790d5f583a77788ad4510cd1fe7  x86_64/mc-4.6.0-17.fc1.x86_64.rpm
1a5730f349b0505fac9cc78425402b8d  x86_64/debug/mc-debuginfo-4.6.0-17.fc1.x86_64.rpm
a731762be96fb7a2e00f4c8229f1d8b7  i386/mc-4.6.0-17.fc1.i386.rpm
cbc9a3ba4897d0acc5a7589a8668476b  i386/debug/mc-debuginfo-4.6.0-17.fc1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------


--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
