Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Midnight Commander Vendors:   GNU Midnight Commander Project
(Fedora Issues Fix for MC) GNOME VFS Scripts May Let Users Execute Commands
SecurityTracker Alert ID:  1011150
SecurityTracker URL:
CVE Reference:   CVE-2004-0494   (Links to External Site)
Date:  Sep 3 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Some vulnerabilities were reported in several GNOME VFS extfs backend scripts. A remote user may be able to cause commands to be executed on the target system. Midnight Commander is affected.

Red Hat reported that a remote user can create a specially crafted URL that, when opened by a target user with gnome-vfs, will execute commands with the privileges of the target user.

Some of the extfs scripts shipped with gnome-vfs (and mc) do not properly validate user-supplied input.

Impact:   A remote user can cause commands to be executed.
Solution:   Fedora has released a fix for mc, which is affected by the gnome-vfs vulnerability. The fix is available at:

aadb93bb8a2b047c79a4c5be7da28edb SRPMS/mc-4.6.0-17.fc2.src.rpm
2907d996d845c03dd9ff5cc0bcf1ec84 x86_64/mc-4.6.0-17.fc2.x86_64.rpm
10fa4d7b2d7e7abc48015d23004c903b x86_64/debug/mc-debuginfo-4.6.0-17.fc2.x86_64.rpm
5da38fc92a6d8f57148d57eab6f6f251 i386/mc-4.6.0-17.fc2.i386.rpm
11104e0480ab66addf52e4f30b9e9870 i386/debug/mc-debuginfo-4.6.0-17.fc2.i386.rpm

Cause:   Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2004 GNOME VFS Scripts May Let Users Execute Commands

 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: mc-4.6.0-17.fc2

Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="DBIVS5p969aUjpLe"
Content-Disposition: inline

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Fedora Update Notification

Product     : Fedora Core 2
Name        : mc
Version     : 4.6.0                     =20
Release     : 17.fc2                 =20
Summary     : User-friendly text console file manager and visual shell.
Description :
Midnight Commander is a visual shell much like a file manager, only
with many more features. It is a text mode application, but it also
includes mouse support if you are running GPM. Midnight Commander's
best features are its ability to FTP, view tar and zip files, and to
poke into RPMs for specific files.

Update Information:

Security fix for
CAN-2004-0494 extfs vfs vulnerability in mc
* Sat Aug 21 2004 Jakub Jelinek <> 4.6.0-17.fc2

- 3 more quoting omissions in

* Sat Aug 21 2004 Jakub Jelinek <> 4.6.0-17

- fix shell quoting in extfs perl scripts
  (Leonard den Ottolander, #127973, CAN-2004-0494)

* Tue Jun 15 2004 Elliot Lee <>

- rebuilt

This update can be downloaded from:

aadb93bb8a2b047c79a4c5be7da28edb  SRPMS/mc-4.6.0-17.fc2.src.rpm
2907d996d845c03dd9ff5cc0bcf1ec84  x86_64/mc-4.6.0-17.fc2.x86_64.rpm
10fa4d7b2d7e7abc48015d23004c903b  x86_64/debug/mc-debuginfo-4.6.0-17.fc2.x8=
5da38fc92a6d8f57148d57eab6f6f251  i386/mc-4.6.0-17.fc2.i386.rpm
11104e0480ab66addf52e4f30b9e9870  i386/debug/mc-debuginfo-4.6.0-17.fc2.i386=

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. =20

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.1 (GNU/Linux)



Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

fedora-announce-list mailing list



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC