Security Advisory: semi security update

Advisory: RHSA-2004:344-04
Type: Security Advisory
Severity: Low
Issued on: 2004-08-18
Last updated on: 2004-08-18
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0422

Details

Updated semi packages that fix vulnerabilities in flim temporary file
handling are now available.

The semi package includes a MIME library for GNU Emacs and XEmacs used by
the wl mail package.

Tatsuya Kinoshita discovered a vulnerability in flim, an Emacs library
for working with Internet messages included in the semi package. Temporary
files were being created without taking adequate precautions, and therefore
a local user could potentially overwrite files with the privileges of the
user running Emacs. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0422 to this issue.
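
The class of bug described above, in general form, as an added example (not flim's code or the backported patch, neither of which this advisory reproduces): a writer that opens a guessable temporary path follows a link already present there, while exclusive creation refuses it. The pre-planted symlink scenario, the file names and the sandbox directory are assumptions constructed for the demonstration.

```python
import os
import tempfile

def write_predictable(path, data):
    """Unsafe: plain open() follows a symlink already sitting at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_exclusive(path, data):
    """O_EXCL fails if anything, even a symlink, already exists at `path`."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def write_mkstemp(directory, data):
    """mkstemp picks an unpredictable name and creates it O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="mime-", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "important.txt")  # constructed stand-in
        guessable = os.path.join(sandbox, "mime-1234")   # constructed temp name
        with open(victim, "wb") as fh:
            fh.write(b"original")
        os.symlink(victim, guessable)  # exists before the writer runs
        try:
            write_exclusive(guessable, b"decoded part")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        safe_path = write_mkstemp(sandbox, b"decoded part")
        out["mkstemp_mode"] = os.stat(safe_path).st_mode & 0o777
        with open(victim, "rb") as fh:
            out["victim_intact_after_safe"] = fh.read() == b"original"
        write_predictable(guessable, b"decoded part")  # unsafe writer last
        with open(victim, "rb") as fh:
            out["victim_clobbered_by_unsafe"] = fh.read() == b"decoded part"
    return out


if __name__ == "__main__":
    print(demo())
```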

Users of semi are advised to upgrade to these packages, which contain
a backported patch fixing this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
semi-1.14.3-8.72.EL.1.src.rpm     dfcfc66f790902402b72eedd3a806284
 
IA-32:
semi-1.14.3-8.72.EL.1.noarch.rpm     23c1b96f8d9fc3d3aefa21812adbd5a1
semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm     2e5dc06d5aadf594ae7222706e230e0e
 
IA-64:
semi-1.14.3-8.72.EL.1.noarch.rpm     23c1b96f8d9fc3d3aefa21812adbd5a1
semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm     2e5dc06d5aadf594ae7222706e230e0e
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
semi-1.14.3-8.72.EL.1.src.rpm     dfcfc66f790902402b72eedd3a806284
 
IA-32:
semi-1.14.3-8.72.EL.1.noarch.rpm     23c1b96f8d9fc3d3aefa21812adbd5a1
semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm     2e5dc06d5aadf594ae7222706e230e0e
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
semi-1.14.3-8.72.EL.1.src.rpm     dfcfc66f790902402b72eedd3a806284
 
IA-32:
semi-1.14.3-8.72.EL.1.noarch.rpm     23c1b96f8d9fc3d3aefa21812adbd5a1
semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm     2e5dc06d5aadf594ae7222706e230e0e
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
semi-1.14.3-8.72.EL.1.src.rpm     dfcfc66f790902402b72eedd3a806284
 
IA-64:
semi-1.14.3-8.72.EL.1.noarch.rpm     23c1b96f8d9fc3d3aefa21812adbd5a1
semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm     2e5dc06d5aadf594ae7222706e230e0e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

124396 - CAN-2004-0422 flim temporary file vulnerability affects semi packages


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/