Updated fileutils/coreutils package fix ls vulnerabilities

A

Admin

Guest
Security Advisory - RHSA-2003:309-08
------------------------------------------------------------------------------
Summary:
Updated fileutils/coreutils package fix ls vulnerabilities

Updated fileutils and coreutils packages that close a potential denial of
service vulnerability are now available.

Description:
The fileutils package contains several basic system utilities. One of
these utilities is the "ls" program, which is used to list information
about files and directories. In Red Hat Linux 9, the ls program is part of
the coreutils package.

Georgi Guninski discovered a memory starvation denial of service
vulnerability in the ls program. It is possible to make ls allocate a
huge amount of memory by specifying certain command line arguments. This
vulnerability is remotely exploitable through services like wu-ftpd, which
pass user arguments to ls. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0854 to this issue.

A non-exploitable integer overflow in ls has also been discovered. It is
possible to make ls crash by specifying certain command line arguments.
This vulnerability is remotely exploitable through services like wu-ftpd,
which pass user arguments to ls. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0853 to this issue.

This erratum contains new fileutils packages for Red Hat Linux versions
7.1, 7.2, 7.3, and 8.0. It also contains new coreutils packages for Red
Hat Linux 9. These packages contain backported patches correcting these
vulnerabilities.

The Red Hat Linux 7.2 and 7.3 packages also add support for the
O_DIRECT flag, which controls the use of synchronous I/O on file systems
such as OCFS.
------------------------------------------------------------------------------

-------------
Taking Action
-------------
You may address the issues outlined in this advisory in two ways:

- select your server name by clicking on its name from the list
available at the following location, and then schedule an
errata update for it:
https://rhn.redhat.com/network/systemlist/system_list.pxt

- run the Update Agent on each affected server.
 
Top