Linux News
The world is talking about GNU/Linux and Free/Open Source Software

Login

If you don't have an account yet, visit the registration page to sign up.

If you already have an account, you may login here:

Today's Big Story

Zed: A Next-Gen Rust-Based Open Source Code Editor With AI

LXer Features

Linux That's Small

Encryption, Trust, and the Hidden Dangers of Vendor-Controlled Data

My Linux Mint Tribute

How I Turned My Chromebook Into A "Mintbook"

Adventures With My New Chromebook

My Linux Laptop

Have something to say?

Ready to be published? LXer is read by around 350,000 individuals each month, and is an excellent place for you to publish your ideas, thoughts, reviews, complaints, etc. Do you have something to say to the Linux community?

Publish it here.

DaniWeb Linux Community
An exciting professional discussion group about software development, php, shell scripting, networking, ruby, and more.

Latest Discussions

See Activation Cube feature on Fedora 41 KDE Spin in VENV

You don't need AI to know how this goes

Should be a SNL skit

Please add https to lxer.com

Anyone remember Distrotest.net? I found a new one!

Site Menu

Other News

- LWN.net
Their weekly coverage of Linux news is unmatched in this community.

- LinuxGizmos.com
Excellent news for embedded Linux.

- LinuxQuestions.org
Discussion forums for Linux users.

LinuxQuestions.org is a friendly and active Linux Community with forums, reviews, a hardware compatibility list, a wiki, tutorials, a download site, a podcast and more.

Debian alert: New trr19 packages fix local games exploit

Posted by dave on Jan 28, 2004 7:01 AM EDT
Mailing list

Mail this story
Print this story

"Steve Kemp discovered a problem in trr19, a type trainer application for GNU Emacs, which is written as a pair of setgid() binaries and wrapper programs which execute commands for GNU Emacs. However, the binaries don't drop privileges before executing a command, allowing an attacker to gain access to the local group games."

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 430-1                     [E-mail:security@debian.org]
http://www.debian.org/security/                             Martin Schulze
January 28th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : trr19
Vulnerability  : missing privilege release
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0047

Steve Kemp discovered a problem in trr19, a type trainer application
for GNU Emacs, which is written as a pair of setgid() binaries and
wrapper programs which execute commands for GNU Emacs.  However, the
binaries don't drop privileges before executing a command, allowing an
attacker to gain access to the local group games.

For the stable distribution (woody) this problem has been fixed in
version 1.0beta5-15woody1.  The mipsel binary will be added later.

For the unstable distribution (sid) this problem will fixed soon.

We recommend that you upgrade your trr19 package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1.dsc
      Size/MD5 checksum:      579 ef536f27bf538edc75bcc4a815f90cef
    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1.diff.gz
      Size/MD5 checksum:     6042 4715d96b763e25a08a9884108e5d5199
    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5.orig.tar.gz
      Size/MD5 checksum:    73636 72716b40338afe9e375c78738bb8a299

  Alpha architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_alpha.deb
      Size/MD5 checksum:    75648 857fdaaaed024174255c3feb7e917fc6

  ARM architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_arm.deb
      Size/MD5 checksum:    74618 bd883afc8db992aa1cb1308c832d58e8

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_i386.deb
      Size/MD5 checksum:    75032 daa5213df6e8ed2b0eddb865b5b3aed4

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_ia64.deb
      Size/MD5 checksum:    76514 3f77d3971bade37e405c0179743f6475

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_hppa.deb
      Size/MD5 checksum:    75304 f76e14612d1d899ffee59b4620e032f2

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_m68k.deb
      Size/MD5 checksum:    74984 5147a5fa1557f0f87b839c197f79cb1d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_mips.deb
      Size/MD5 checksum:    74790 413cc56a3563299eae4cb05f3314d981

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_powerpc.deb
      Size/MD5 checksum:    74746 745ef750e98a4746e928833d724e005e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_s390.deb
      Size/MD5 checksum:    75434 da8efd5d8c74b16f1d0873219ec4d193

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/t/trr19/trr19_1.0beta5-15woody1_sparc.deb
      Size/MD5 checksum:    78932 02ee65da931254b1bd10b6358013b222


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [E-mail:debian-security-announce@lists.debian.org]
Package info: 'apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAF9SaW5ql+IAeqTIRAo52AKCmoEaZzSBM5YF1cejg+Av8GqsaqACeOFUH
hJ0+vS0KhzoT8IafKpnd9NI=
=Vg7E
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [E-mail:debian-security-announce-request@lists.debian.org]
with a subject of "unsubscribe". Trouble? Contact [E-mail:listmaster@lists.debian.org]

Nav

» Read more about: Story Type: Security; Groups: Debian, GNU, HP, IBM, Intel, Sun

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.

Linux NewsThe world is talking about GNU/Linux and Free/Open Source Software