
Debian DSA 279-1: metrics vulnerabilities

by Nikola Strahija on April 9th, 2003 Two insecure temporary file vulnerabilities (CAN-2003-0202) have been found in the metrics package which, if exploited, could allow a local attacker to overwrite files owned by the user running the affected scripts, including root.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 279-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 7th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : metrics
Vulnerability : insecure temporary file creation
Problem-Type : local
Debian-specific: no
CVE Id : CAN-2003-0202

Paul Szabo and Matt Zimmerman discovered two similar problems in
metrics, a tool for software metrics. Two scripts in this package,
"halstead" and "gather_stats", open temporary files without taking
appropriate security precautions. "halstead" is installed as a user
program, while "gather_stats" is only used in an auxiliary script
included in the source code. These vulnerabilities could allow a
local attacker to overwrite files owned by the user running the
scripts, including root.
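The advisory does not reproduce the affected scripts, so the following is an added example (not code from the metrics package or from Debian) that shows the class of bug it describes: a script that writes to a predictable name under a world-writable directory, and the same write done through mktemp(1). The name `halstead.$$` and the scratch directory standing in for /tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the metrics package's own code.  Demonstrates why a
# predictable temporary file name lets a local attacker overwrite files
# owned by whoever runs the script, and how mktemp(1) closes the hole.
# Every path used here is constructed inside a scratch directory.

# Vulnerable pattern: a fixed prefix with the PID appended.  Any local user
# can predict the name and plant a symlink there first; the redirect then
# follows the link and truncates its target with the script user's rights.
unsafe_tmp_write() {
    dir=$1
    tmp="$dir/halstead.$$"            # assumed name, chosen for illustration
    echo "metrics output" > "$tmp"
}

# Hardened pattern: mktemp(1) creates the file itself with O_CREAT|O_EXCL
# and an unpredictable suffix, so a pre-planted link is never followed.
# Prints the path it created.
safe_tmp_write() {
    dir=$1
    tmp=$(mktemp "$dir/halstead.XXXXXX") || return 1
    echo "metrics output" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run the symlink attack against one variant ("unsafe" or "safe") in a
# scratch directory that stands in for /tmp.  Prints "clobbered" if the
# victim file was overwritten and "intact" otherwise.
attack() {
    variant=$1
    work=$(mktemp -d) || return 1
    victim="$work/victim"
    echo "original" > "$victim"
    # Attacker's move: a symlink at the name the script is about to use.
    ln -s "$victim" "$work/halstead.$$"
    if [ "$variant" = unsafe ]; then
        unsafe_tmp_write "$work"
    else
        safe_tmp_write "$work" > /dev/null
    fi
    if [ "$(cat "$victim")" = "original" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$work"
}

attack unsafe   # prints: clobbered
attack safe     # prints: intact
```

The same check applies when auditing any script: every `> /tmp/name.$$` style write is a candidate, and the fix is to let mktemp (or, in C, mkstemp) create the file rather than opening a name the script merely hopes is unused.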

The stable distribution (woody) is not affected since it doesn't
contain a metrics package anymore.

For the old stable distribution (potato) this problem has been fixed
in version 1.0-1.1.

The unstable distribution (sid) is not affected since it doesn't
contain a metrics package anymore.

We recommend that you upgrade your metrics package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Source archives:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1.dsc
Size/MD5 checksum: 527 8e0a5e5a4897f6748669dcbcf98c5502
http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1.diff.gz
Size/MD5 checksum: 5171 b22998c91bbf809a44097f4fd6b5c83e
http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0.orig.tar.gz
Size/MD5 checksum: 77716 b5c03baa70c6826b27dcababe81f4259

Alpha architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_alpha.deb
Size/MD5 checksum: 50216 3599a7ae7e2fe985970766e3b1143a52

ARM architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_arm.deb
Size/MD5 checksum: 44056 ea4b7cebada6b730acabe45b568b2eda

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_i386.deb
Size/MD5 checksum: 42942 a9d3846fae94cc5b805b8ed8ec4ee514

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_m68k.deb
Size/MD5 checksum: 41778 4eb48f051e430fb72884d1212a9ad415

PowerPC architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_powerpc.deb
Size/MD5 checksum: 44054 6a24a7813b1707ad1176b636e9b1db0b

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/metrics/metrics_1.0-1.1_sparc.deb
Size/MD5 checksum: 51932 4252be7738d1a6eb4a3333d86e386d5a


- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+kTgsW5ql+IAeqTIRAibOAJwM9XMonih2oGlF7+iRBFmwXVgP6ACeMAl1
GwCz7H+zjp18TDRbWoqbywM=
=sbyr
-----END PGP SIGNATURE-----

