Conectiva alert: mc

Posted by dave on Mar 31, 2004 10:15 AM EDT
Mailing list
Mail this story
Print this story

Midnight Commander (MC) is a visual shell and a file manager for text consoles.

Hash: SHA1

- -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - --------------------------------------------------------------------------

PACKAGE : mc SUMMARY : Buffer overflow vulnerability DATE : 2004-03-31 15:03:00 ID : CLA-2004:833 RELEVANT RELEASES : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION Midnight Commander (MC) is a visual shell and a file manager for text consoles. This update fixes a buffer overflow vulnerability[1] in the code that handles symlinks in the virtual filesystem module. An attacker could create a specially crafted archive (like a .tar.gz or a cpio file) containing symlinks that when opened by an mc user would trigger the execution of arbitrary code with its privileges. The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2003-1023 to this issue[2].

SOLUTION All users of the mc package should upgrade. REFERENCES 1. 2.


ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades:

- run: apt-get update - after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at

- ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at Instructions on how to check the signatures of the RPM packages can be found at

- ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at

- ------------------------------------------------------------------------- Copyright (c) 2004 Conectiva Inc.

- ------------------------------------------------------------------------- subscribe: [] unsubscribe: [] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see

iD8DBQFAawgY42jd0JmAcZARAhCFAKCBwWmbCSxwr4olps6xfWoeyYsWCwCgg0fi j8XBi7W8ThR/khEnbKciptc= =Ar1F -----END PGP SIGNATURE-----


» Read more about: Story Type: Security; Groups: Conectiva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.