Security Advisory: Updated SANE and XSane packages fix temporary file handling vulnerabilities

Advisory: RHSA-2001:171-11
Type: Security Advisory
Severity: N/A
Issued on: 2001-12-11
Last updated on: 2002-01-05
Affected Products: Red Hat Linux 7.0, Red Hat Linux 7.1, Red Hat Linux 7.2
CVEs (cve.mitre.org): CVE-2001-0887, CVE-2001-0890

Details

Updated SANE and XSane packages are available, which fix insecure handling
of temporary files.

XSane is an X-based interface providing access to scanners, digital
cameras, and other capture devices. When XSane creates temporary files, it
does so with predictable filenames in a manner that would follow symbolic
links. This could allow a local user to overwrite files written by the user
running XSane.

Additionally, the SANE library that XSane uses has similar problems. When
some SANE backend drivers created temporary files, they did so in a manner
that would follow symbolic links. These packages
prevent that kind of attack. The default configuration had one of these
dangerous backends enabled. These packages update XSane to version 0.82 and
turn off the vulnerable backend in the default configuration.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2001-0887 and CAN-2001-0890 to these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 7.0

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/sane/1.0.3-2.1/SRPMS/sane-1.0.3-2.1.src.rpm
Missing file
    MD5: fdbbfefb66a01042d8c48a72ef3eba3a
ftp://updates.redhat.com/rhn/repository/NULL/xsane/0.82-2.1/SRPMS/xsane-0.82-2.1.src.rpm
Missing file
    MD5: ec39b14b76be7c20f409fc2e6ce3d9c4
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/sane/1.0.3-2.1/alpha/sane-1.0.3-2.1.alpha.rpm
Missing file
    MD5: df2ca46c55278455d5f78495b882bb15
ftp://updates.redhat.com/rhn/repository/NULL/sane-devel/1.0.3-2.1/alpha/sane-devel-1.0.3-2.1.alpha.rpm
Missing file
    MD5: 21f8eeca4d81b6000a2a8b50cad700be
ftp://updates.redhat.com/rhn/repository/NULL/xsane/0.82-2.1/alpha/xsane-0.82-2.1.alpha.rpm
Missing file
    MD5: 7a1f86435917c839dc687e5293b020c1
ftp://updates.redhat.com/rhn/repository/NULL/xsane-gimp/0.82-2.1/alpha/xsane-gimp-0.82-2.1.alpha.rpm
Missing file
    MD5: a5ab413d053b2ba2d156dfb719a38904
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/sane/1.0.3-2.1/i386/sane-1.0.3-2.1.i386.rpm
Missing file
    MD5: b81eab65537a7fe390ee8b88deea6d15
ftp://updates.redhat.com/rhn/repository/NULL/sane-devel/1.0.3-2.1/i386/sane-devel-1.0.3-2.1.i386.rpm
Missing file
    MD5: 808d906065ceed911c02eb0b857aaeab
ftp://updates.redhat.com/rhn/repository/NULL/xsane/0.82-2.1/i386/xsane-0.82-2.1.i386.rpm
Missing file
    MD5: 919a802b0329167f9c29ac1896c30d09
ftp://updates.redhat.com/rhn/repository/NULL/xsane-gimp/0.82-2.1/i386/xsane-gimp-0.82-2.1.i386.rpm
Missing file
    MD5: 4f845d419cd5bc9f2e139e8aedbb3a18
 
Red Hat Linux 7.1

SRPMS:
sane-1.0.3-10.1.src.rpm
File outdated by:  RHSA-2003:278
    MD5: 584f42e891f1df0af0596d40d20fa65f
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/SRPMS/xsane-0.82-3.1.src.rpm
Missing file
    MD5: 527cd923eb36d8b8d5f419f54a66d953
ftp://updates.redhat.com/rhn/public/2703533/xsane/0.82-3.1/SRPMS/xsane-0.82-3.1.src.rpm
Missing file
    MD5: 527cd923eb36d8b8d5f419f54a66d953
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/sane/1.0.3-10.1/alpha/sane-1.0.3-10.1.alpha.rpm
Missing file
    MD5: 1f907d411faa5d3ea405fced028b5ff8
ftp://updates.redhat.com/rhn/repository/NULL/sane-devel/1.0.3-10.1/alpha/sane-devel-1.0.3-10.1.alpha.rpm
Missing file
    MD5: fc7ec82bbd647b22e0731553d38794d7
ftp://updates.redhat.com/rhn/repository/NULL/xsane/0.82-3.1/alpha/xsane-0.82-3.1.alpha.rpm
Missing file
    MD5: b72e17c10b566b3e4095b282809dff79
ftp://updates.redhat.com/rhn/repository/NULL/xsane-gimp/0.82-3.1/alpha/xsane-gimp-0.82-3.1.alpha.rpm
Missing file
    MD5: f243f0d4d753565603ce4c1c82f81b5b
 
IA-32:
sane-1.0.3-10.1.i386.rpm
File outdated by:  RHSA-2003:278
    MD5: 86c42a3de7a925ff17f5aa6da4a4c76d
sane-devel-1.0.3-10.1.i386.rpm
File outdated by:  RHSA-2003:278
    MD5: dfc10654ff591bf2211f7fb506bea7a1
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/RPMS/xsane-0.82-3.1.i386.rpm
Missing file
    MD5: 9dd2a89ee8c0ded4769680290f4b7828
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/RPMS/xsane-gimp-0.82-3.1.i386.rpm
Missing file
    MD5: 99a63c47855a3c4cad9860c312be993b
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/sane/1.0.3-10.1/ia64/sane-1.0.3-10.1.ia64.rpm
Missing file
    MD5: 719fc4bbf8aa1640819089d429ebe48c
ftp://updates.redhat.com/rhn/repository/NULL/sane-devel/1.0.3-10.1/ia64/sane-devel-1.0.3-10.1.ia64.rpm
Missing file
    MD5: 22c25cb7e3236a7a63cf25665722130c
ftp://updates.redhat.com/rhn/private/redhat-linux-as-2.1-IPF/RPMS/xsane-0.82-3.1.ia64.rpm
Missing file
    MD5: 824592c070ae942f2abd524108e0fc77
ftp://updates.redhat.com/rhn/private/redhat-linux-as-2.1-IPF/RPMS/xsane-gimp-0.82-3.1.ia64.rpm
Missing file
    MD5: 54dc74b15186604a02e510e61b689f9c
 
Red Hat Linux 7.2

SRPMS:
sane-backends-1.0.5-4.1.src.rpm
File outdated by:  RHSA-2003:278
    MD5: 4a7a1354595100ddcc520781c9e97650
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/SRPMS/xsane-0.82-3.1.src.rpm
Missing file
    MD5: 527cd923eb36d8b8d5f419f54a66d953
ftp://updates.redhat.com/rhn/public/2703533/xsane/0.82-3.1/SRPMS/xsane-0.82-3.1.src.rpm
Missing file
    MD5: 527cd923eb36d8b8d5f419f54a66d953
 
IA-32:
sane-backends-1.0.5-4.1.i386.rpm
File outdated by:  RHSA-2003:278
    MD5: 114b7a531b01b7ab62dbde4bbd362b10
sane-backends-devel-1.0.5-4.1.i386.rpm
File outdated by:  RHSA-2003:278
    MD5: df5a788b98f6f40e71153b1308f30c95
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/RPMS/xsane-0.82-3.1.i386.rpm
Missing file
    MD5: 9dd2a89ee8c0ded4769680290f4b7828
ftp://updates.redhat.com/rhn/private/redhat-advanced-server-i386/RPMS/xsane-gimp-0.82-3.1.i386.rpm
Missing file
    MD5: 99a63c47855a3c4cad9860c312be993b
 
IA-64:
sane-backends-1.0.5-4.1.ia64.rpm
File outdated by:  RHSA-2003:278
    MD5: b6489cb169ed65147fbdba1061cf4fd9
sane-backends-devel-1.0.5-4.1.ia64.rpm
File outdated by:  RHSA-2003:278
    MD5: bcb40602e70cfda30ffa693e62dec13c
ftp://updates.redhat.com/rhn/private/redhat-linux-as-2.1-IPF/RPMS/xsane-0.82-3.1.ia64.rpm
Missing file
    MD5: 824592c070ae942f2abd524108e0fc77
ftp://updates.redhat.com/rhn/private/redhat-linux-as-2.1-IPF/RPMS/xsane-gimp-0.82-3.1.ia64.rpm
Missing file
    MD5: 54dc74b15186604a02e510e61b689f9c
 

Keywords

files, sane, temporary, xsane


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/