Red Hat Linux 7.1 Korean installation program creates files with bad umask

Advisory:	RHSA-2001:148-09
Type:	Security Advisory
Severity:	N/A
Issued on:	2001-11-02
Last updated on:	2001-11-13
Affected Products:	Red Hat Linux 7.1
OVAL:	N/A
CVEs (cve.mitre.org):	CVE-2001-0859

Details

Due to the kernel used in the Red Hat Linux 7.1 Korean installation
program, some files are written by the installation program with the wrong
permissions.

It is recommended that all users of the Red Hat Linux 7.1 Korean
installation program use the update disk image. If users have already
installed, they should check their systems and fix the permissions on the
affected files. They can do this by installing the updated redhat-release
package.

In the Red Hat Linux 7.1 Korean installation program, the 2.4.3-12 kernel
sets the default umask for init to 000. This behavior is inherited by the
installation program and causes the files to be written with world-writable
permissions.

Solution

If you have not installed:
--------------------------

Download the update disk image and create an update disk. This can be
done by using the same procedure used to create a boot diskette.

For more information, refer to

http://www.redhat.com/docs/manuals/linux/RHL-7.1-Manual/install-guide/s1-steps-install-cdrom.html#S2-STEPS-MAKE-DISKS

Please note that you must substitute the update disk image filename for the
filename used in the example.

When booting into the installation program, type "linux updates"
at the boot prompt, followed by any other installation options (such as
"expert" or "text" or "ks"). The installation process
will prompt you to insert the update disk when it is required, and the
installation will then proceed as normal.

If you have already installed:
------------------------------
Check the permissions on the affected files and change them as appropriate.
Or install the upgraded redhat-release; this will change the the
permissions during its postinstall phase.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Updated packages

Red Hat Linux 7.1

SRPMS:
ftp://updates.redhat.com/7.1/kr/os/SRPMS/redhat-release-7.1k-2.src.rpm Missing file	`bd970c23a54e0848ec3e1fb3857ac490`

IMGS:
ftp://updates.redhat.com/7.1/kr/os/images/i386/update-disk-20011106.img Missing file	`15e052916841514082fc7df588dc824e`

noarch:
ftp://updates.redhat.com/7.1/kr/os/noarch/redhat-release-7.1k-2.noarch.rpm Missing file	`dea117e94ffe362d6cefd443e308aad9`

Bugs fixed (see bugzilla for more information)

55569 - Some files in /etc have write permission to everyone in 7.1k

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0859

Keywords

7.1, Anaconda, installer, korean, umask

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/