Security Advisory Critical: tog-pegasus security update

Advisory: RHSA-2008:0002-7
Type: Security Advisory
Severity: Critical
Issued on: 2008-01-07
Last updated on: 2008-01-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080002.xml
CVEs (cve.mitre.org): CVE-2008-0003

Details

Updated tog-pegasus packages that fix a security issue are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

The tog-pegasus packages provide OpenPegasus Web-Based Enterprise
Management (WBEM) services. WBEM is a platform and resource independent
DMTF standard that defines a common information model, and communication
protocol for monitoring and controlling resources.

During a security audit, a stack buffer overflow flaw was found in the PAM
authentication code in the OpenPegasus CIM management server. An
unauthenticated remote user could trigger this flaw and potentially execute
arbitrary code with root privileges. (CVE-2008-0003)

Note that the tog-pegasus packages are not installed by default on Red Hat
Enterprise Linux. The Red Hat Security Response Team believes that it would
be hard to remotely exploit this issue to execute arbitrary code, due to
the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5,
and the SELinux memory protection tests enabled by default on Red Hat
Enterprise Linux 5.

Users of tog-pegasus should upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing the
updated packages the tog-pegasus service should be restarted.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
tog-pegasus-devel-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     100fa0e10106c1768159ae5757f6448e
 
x86_64:
tog-pegasus-devel-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     100fa0e10106c1768159ae5757f6448e
tog-pegasus-devel-2.6.1-2.el5_1.1.x86_64.rpm
File outdated by:  RHBA-2008:0357		     48c73e91c17a6d3f97d90cfda77d658f
 
Red Hat Desktop (v. 4)
SRPMS:
tog-pegasus-2.5.1-5.el4_6.1.src.rpm
File outdated by:  RHBA-2008:0677		     132d547518cd081fcad30329589b87f0
 
IA-32:
tog-pegasus-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     09763486ff9184f6a108995bf8d22420
tog-pegasus-devel-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     a9b9a3122300a855fee899fce88abaee
tog-pegasus-test-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     bf30bb67313d2550db27796c6bf498f4
 
x86_64:
tog-pegasus-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     bc463c904ae89ee9e8826f011e6d446d
tog-pegasus-devel-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     185ff11b05986e3c56f9e9dd2395b392
tog-pegasus-test-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     0f232969a85bfe5a7e3227dd87576afa
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
tog-pegasus-2.6.1-2.el5_1.1.src.rpm
File outdated by:  RHBA-2008:0357		     f75ce0d36bd4cc31846f4b2b4ca80f44
 
IA-32:
tog-pegasus-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     d89e33e18fc00dab9b200c94fa076635
tog-pegasus-devel-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     100fa0e10106c1768159ae5757f6448e
 
IA-64:
tog-pegasus-2.6.1-2.el5_1.1.ia64.rpm
File outdated by:  RHBA-2008:0357		     cb37d450ea515c7ed4c44f0902e50873
tog-pegasus-devel-2.6.1-2.el5_1.1.ia64.rpm
File outdated by:  RHBA-2008:0357		     8ef9471a518a32b385c4cade686975a1
 
PPC:
tog-pegasus-2.6.1-2.el5_1.1.ppc.rpm
File outdated by:  RHBA-2008:0357		     79a0677507ac7d79365b2b6810af9304
tog-pegasus-2.6.1-2.el5_1.1.ppc64.rpm
File outdated by:  RHBA-2008:0357		     215f468228ca2774ed0f90cfaff674cb
tog-pegasus-devel-2.6.1-2.el5_1.1.ppc.rpm
File outdated by:  RHBA-2008:0357		     2a017751ae4c1e6cac160c3c01ce3c4e
tog-pegasus-devel-2.6.1-2.el5_1.1.ppc64.rpm
File outdated by:  RHBA-2008:0357		     37089d0ede62acc09a03e14c67e19454
 
s390x:
tog-pegasus-2.6.1-2.el5_1.1.s390.rpm
File outdated by:  RHBA-2008:0357		     a8a3c30271992d852a70a01091d86aa4
tog-pegasus-2.6.1-2.el5_1.1.s390x.rpm
File outdated by:  RHBA-2008:0357		     0e624078c42c1257c5a4edf4b7e1e04a
tog-pegasus-devel-2.6.1-2.el5_1.1.s390.rpm
File outdated by:  RHBA-2008:0357		     bc1f64eac98268f96582f606a37c8350
tog-pegasus-devel-2.6.1-2.el5_1.1.s390x.rpm
File outdated by:  RHBA-2008:0357		     d9b8a058413af55614031c8d9a849211
 
x86_64:
tog-pegasus-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     d89e33e18fc00dab9b200c94fa076635
tog-pegasus-2.6.1-2.el5_1.1.x86_64.rpm
File outdated by:  RHBA-2008:0357		     5e6f9d57e16dff1d45599829f5ae7200
tog-pegasus-devel-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     100fa0e10106c1768159ae5757f6448e
tog-pegasus-devel-2.6.1-2.el5_1.1.x86_64.rpm
File outdated by:  RHBA-2008:0357		     48c73e91c17a6d3f97d90cfda77d658f
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
tog-pegasus-2.5.1-5.el4_6.1.src.rpm
File outdated by:  RHBA-2008:0677		     132d547518cd081fcad30329589b87f0
 
IA-32:
tog-pegasus-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     09763486ff9184f6a108995bf8d22420
tog-pegasus-devel-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     a9b9a3122300a855fee899fce88abaee
tog-pegasus-test-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     bf30bb67313d2550db27796c6bf498f4
 
IA-64:
tog-pegasus-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     6e223a470896d152e09bf2aa033e9e01
tog-pegasus-devel-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     01651b63b0a223d9fbec61c3a3521326
tog-pegasus-test-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     a257b6366d837f680288c072d89bdba5
 
PPC:
tog-pegasus-2.5.1-5.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0677		     71c56d7a325e60038be4ec45af776531
tog-pegasus-devel-2.5.1-5.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0677		     15dd8106d163b506519eaa8acaf09506
tog-pegasus-test-2.5.1-5.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0677		     ad24141edb7acd38c23e751c0151c20d
 
s390:
tog-pegasus-2.5.1-5.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0677		     c583918eccb189e7be6ef96955cd3b97
tog-pegasus-devel-2.5.1-5.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0677		     a065d8cc3a009d63528570b38dc18bc6
tog-pegasus-test-2.5.1-5.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0677		     642dee85ee11ed90ac22af62fbaa71e7
 
s390x:
tog-pegasus-2.5.1-5.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0677		     309e2471dd765bc185a44082c2314037
tog-pegasus-devel-2.5.1-5.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0677		     a3f7f82ce9faa6d20379f3aa9bc6a72d
tog-pegasus-test-2.5.1-5.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0677		     ae29311898cd716ed721d26213736910
 
x86_64:
tog-pegasus-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     bc463c904ae89ee9e8826f011e6d446d
tog-pegasus-devel-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     185ff11b05986e3c56f9e9dd2395b392
tog-pegasus-test-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     0f232969a85bfe5a7e3227dd87576afa
 
Red Hat Enterprise Linux AS (v. 4.5.z)
SRPMS:
tog-pegasus-2.5.1-2.el4_5.1.src.rpm     c65e3bd1cc12b868bbd15db188cf56ec
 
IA-32:
tog-pegasus-2.5.1-2.el4_5.1.i386.rpm     7e16cf4af73494a6e11c25e0e0a30274
tog-pegasus-devel-2.5.1-2.el4_5.1.i386.rpm     07907f01ce5e995d84cc8d7736ca642e
tog-pegasus-test-2.5.1-2.el4_5.1.i386.rpm     2a993206bfb6ae6a24fce3defc7214c7
 
IA-64:
tog-pegasus-2.5.1-2.el4_5.1.ia64.rpm     b9966d364787c7d3e339c5ad2e359e8e
tog-pegasus-devel-2.5.1-2.el4_5.1.ia64.rpm     8126e122a995fb00219336d6768cb5d4
tog-pegasus-test-2.5.1-2.el4_5.1.ia64.rpm     2f15f3e947cbe39d942fecc6b4126e92
 
PPC:
tog-pegasus-2.5.1-2.el4_5.1.ppc.rpm     7246e68be3bf7b8f0d270b31be52672c
tog-pegasus-devel-2.5.1-2.el4_5.1.ppc.rpm     db0dc1b6f1ce887ab2a70c6b3941a1c3
tog-pegasus-test-2.5.1-2.el4_5.1.ppc.rpm     9e114bce1594368d307aea6e94e10d5a
 
s390:
tog-pegasus-2.5.1-2.el4_5.1.s390.rpm     baf12377535dc2e41a24f07a874ca3df
tog-pegasus-devel-2.5.1-2.el4_5.1.s390.rpm     8643020458472f7f292a8d6ad2cc4adc
tog-pegasus-test-2.5.1-2.el4_5.1.s390.rpm     494d75a98e50ddb0c3bc3a3d87b94197
 
s390x:
tog-pegasus-2.5.1-2.el4_5.1.s390x.rpm     cdbdd840ad572b915b8298821a1b1c38
tog-pegasus-devel-2.5.1-2.el4_5.1.s390x.rpm     3ac441ca63da1f5fe6131a0f82e1c716
tog-pegasus-test-2.5.1-2.el4_5.1.s390x.rpm     2f85eb6c53d5c70140652a860c37ac85
 
x86_64:
tog-pegasus-2.5.1-2.el4_5.1.x86_64.rpm     9861e070e980223284085855d6154ec2
tog-pegasus-devel-2.5.1-2.el4_5.1.x86_64.rpm     c6fa14d90b8a420606353a87dee3e044
tog-pegasus-test-2.5.1-2.el4_5.1.x86_64.rpm     0094f64e6156e415f8e8267f6778614a
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
tog-pegasus-2.6.1-2.el5_1.1.src.rpm
File outdated by:  RHBA-2008:0357		     f75ce0d36bd4cc31846f4b2b4ca80f44
 
IA-32:
tog-pegasus-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     d89e33e18fc00dab9b200c94fa076635
 
x86_64:
tog-pegasus-2.6.1-2.el5_1.1.i386.rpm
File outdated by:  RHBA-2008:0357		     d89e33e18fc00dab9b200c94fa076635
tog-pegasus-2.6.1-2.el5_1.1.x86_64.rpm
File outdated by:  RHBA-2008:0357		     5e6f9d57e16dff1d45599829f5ae7200
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
tog-pegasus-2.5.1-5.el4_6.1.src.rpm
File outdated by:  RHBA-2008:0677		     132d547518cd081fcad30329589b87f0
 
IA-32:
tog-pegasus-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     09763486ff9184f6a108995bf8d22420
tog-pegasus-devel-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     a9b9a3122300a855fee899fce88abaee
tog-pegasus-test-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     bf30bb67313d2550db27796c6bf498f4
 
IA-64:
tog-pegasus-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     6e223a470896d152e09bf2aa033e9e01
tog-pegasus-devel-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     01651b63b0a223d9fbec61c3a3521326
tog-pegasus-test-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     a257b6366d837f680288c072d89bdba5
 
x86_64:
tog-pegasus-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     bc463c904ae89ee9e8826f011e6d446d
tog-pegasus-devel-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     185ff11b05986e3c56f9e9dd2395b392
tog-pegasus-test-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     0f232969a85bfe5a7e3227dd87576afa
 
Red Hat Enterprise Linux ES (v. 4.5.z)
SRPMS:
tog-pegasus-2.5.1-2.el4_5.1.src.rpm     c65e3bd1cc12b868bbd15db188cf56ec
 
IA-32:
tog-pegasus-2.5.1-2.el4_5.1.i386.rpm     7e16cf4af73494a6e11c25e0e0a30274
tog-pegasus-devel-2.5.1-2.el4_5.1.i386.rpm     07907f01ce5e995d84cc8d7736ca642e
tog-pegasus-test-2.5.1-2.el4_5.1.i386.rpm     2a993206bfb6ae6a24fce3defc7214c7
 
IA-64:
tog-pegasus-2.5.1-2.el4_5.1.ia64.rpm     b9966d364787c7d3e339c5ad2e359e8e
tog-pegasus-devel-2.5.1-2.el4_5.1.ia64.rpm     8126e122a995fb00219336d6768cb5d4
tog-pegasus-test-2.5.1-2.el4_5.1.ia64.rpm     2f15f3e947cbe39d942fecc6b4126e92
 
x86_64:
tog-pegasus-2.5.1-2.el4_5.1.x86_64.rpm     9861e070e980223284085855d6154ec2
tog-pegasus-devel-2.5.1-2.el4_5.1.x86_64.rpm     c6fa14d90b8a420606353a87dee3e044
tog-pegasus-test-2.5.1-2.el4_5.1.x86_64.rpm     0094f64e6156e415f8e8267f6778614a
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
tog-pegasus-2.5.1-5.el4_6.1.src.rpm
File outdated by:  RHBA-2008:0677		     132d547518cd081fcad30329589b87f0
 
IA-32:
tog-pegasus-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     09763486ff9184f6a108995bf8d22420
tog-pegasus-devel-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     a9b9a3122300a855fee899fce88abaee
tog-pegasus-test-2.5.1-5.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0677		     bf30bb67313d2550db27796c6bf498f4
 
IA-64:
tog-pegasus-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     6e223a470896d152e09bf2aa033e9e01
tog-pegasus-devel-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     01651b63b0a223d9fbec61c3a3521326
tog-pegasus-test-2.5.1-5.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0677		     a257b6366d837f680288c072d89bdba5
 
x86_64:
tog-pegasus-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     bc463c904ae89ee9e8826f011e6d446d
tog-pegasus-devel-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     185ff11b05986e3c56f9e9dd2395b392
tog-pegasus-test-2.5.1-5.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0677		     0f232969a85bfe5a7e3227dd87576afa
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

426578 - CVE-2008-0003 tog-pegasus pam authentication buffer overflow


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0003
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/