COMMAND

    makewhatis

SYSTEMS AFFECTED

    Linux

PROBLEM

    The following is based on an ISS Security Advisory.  The makewhatis
    portion of the man package used files in /tmp in an insecure fashion.
    A local user could exploit this to overwrite files that they normally
    could not write to and thereby gain elevated privileges.

    This vulnerability has been found  in versions 1.5e and higher  of
    the  "man"  utility  package.   The  makewhatis program builds the
    whatis database for  use with the  "whatis", "apropos", and  "man"
    programs to  find online  documentation. It  is typically  invoked
    with root privileges  and is scheduled  to run periodically  (as a
    cron job).

    A working copy of the database is created as a temporary file in the
    world-writable /tmp directory.  The temporary file is named
    /tmp/whatis$$, where $$ is the process ID (PID) of the running
    makewhatis process.  The program does not check whether the path it
    is about to write to already exists, so the file is opened and
    truncated in place, following any symbolic link found there.  Because
    PIDs are assigned sequentially and the PID space is small (a 16-bit
    range, 0-65535, and the Linux kernels of the time wrapped at 32767),
    an attacker can predict the name and plant a symbolic link
    /tmp/whatis<pid> pointing at an arbitrary file; when makewhatis, running
    as root, writes its working copy through that name, the target file is
    overwritten with makewhatis's output.  No privileged file is read back,
    so the impact is destruction or corruption of files chosen by the
    attacker rather than disclosure.

    The problem is greater on Linux systems that ship with makewhatis
    scheduled to run at a fixed time (as a cron job).  In these cases the
    attacker knows exactly when makewhatis will run and only has to
    pre-create links for the few PIDs it is likely to receive.
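    The following shell script is an added illustration and is not part of
    the ISS advisory or of the man package.  It models the race with two
    small functions (vulnerable_build, the pre-fix pattern, and safe_build,
    one correct replacement based on mktemp -d), an attacker helper that
    plants the symbolic link, and an audit grep that flags $$-based /tmp
    naming in any other script.  All function names, the fixed PID 4242,
    the sample database line and the victim file contents are constructed
    for the example, and every path lives under a caller-supplied scratch
    directory rather than the real /tmp, so it is safe to run unprivileged.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from the man package: a
# cut-down model of the makewhatis temporary-file race, the pattern that
# closes it, and a grep that flags the bug in other scripts.  Nothing here
# touches the real /tmp; every path lives under a scratch directory that the
# caller supplies, so the script is safe to run as an unprivileged user.

# Pre-fix shape of the code: the working copy has the predictable name
# whatis<pid> inside a world-writable directory and is opened with a plain
# '>' redirection, which follows a symbolic link that is already there.
#   $1 = world-writable directory (stands in for /tmp)
#   $2 = the PID an attacker predicted (stands in for $$)
vulnerable_build() {
    tmp="$1/whatis$2"
    echo "apropos (1) - search the manual page names and descriptions" > "$tmp"
    cp "$tmp" "$1/whatis.db"      # install the finished database
    rm -f "$tmp"
}

# Fixed shape: a private 0700 directory with an unguessable name, created
# atomically by mktemp -d, so a link planted at any predictable path is
# never opened.  (The vendor packages may fix it differently; this is one
# correct way, assumed for the example.)
safe_build() {
    workdir=$(mktemp -d "$1/whatis.XXXXXX") || return 1
    tmp="$workdir/whatis"
    echo "apropos (1) - search the manual page names and descriptions" > "$tmp"
    cp "$tmp" "$1/whatis.db"
    rm -rf "$workdir"
}

# Attacker's side: before the cron job fires, plant a symlink at the name the
# next run will use, pointing at a file the attacker cannot write to.
#   $1 = directory, $2 = guessed PID, $3 = victim file
plant_symlink() {
    ln -sf "$3" "$1/whatis$2"
}

# Run the scenario against one build function and report whether the victim
# file survived: returns 0 if it is intact, 1 if it was overwritten.
#   $1 = build function, $2 = scratch directory
victim_survives() {
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$2/victim"   # constructed
    plant_symlink "$2" 4242 "$2/victim"
    "$1" "$2" 4242
    rm -f "$2/whatis4242"            # clear the link before the next trial
    grep -q '^root:x:0:0' "$2/victim"
}

# Audit helper: print the lines of a shell script that build a /tmp path
# from $$, the tell-tale of this bug class.  Exit status 0 if any are found.
find_pid_tmpfiles() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}

if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    if victim_survives vulnerable_build "$scratch"; then
        echo "vulnerable_build: victim intact (unexpected)"
    else
        echo "vulnerable_build: victim overwritten through the planted symlink"
    fi
    if victim_survives safe_build "$scratch"; then
        echo "safe_build: victim intact"
    else
        echo "safe_build: victim overwritten (unexpected)"
    fi
    rm -rf "$scratch"
fi
```

    Run it as "sh makewhatis-race.sh demo": the vulnerable variant reports
    the victim overwritten, the safe one reports it intact.  The fix works
    because mktemp -d creates the directory with O_EXCL semantics and mode
    0700 under a random name, so the attacker can neither guess the path
    nor pre-create anything at it; the audit grep is the quick check to run
    over /usr/sbin/makewhatis and other cron-driven scripts on an
    unpatched host.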

    This vulnerability was discovered and researched by Aaron Campbell
    and Allen Wilson of the ISS X-Force.

SOLUTION

    RPMs required for Red Hat:

      Red Hat Linux 5.2:
        ftp://updates.redhat.com/5.2/i386/man-1.5h1-2.5.x.i386.rpm
        ftp://updates.redhat.com/5.2/alpha/man-1.5h1-2.5.x.alpha.rpm
        ftp://updates.redhat.com/5.2/sparc/man-1.5h1-2.5.x.sparc.rpm
        ftp://updates.redhat.com/5.2/SRPMS/man-1.5h1-2.5.x.src.rpm

      Red Hat Linux 6.2:
        ftp://updates.redhat.com/6.2/alpha/man-1.5h1-2.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/i386/man-1.5h1-2.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/sparc/man-1.5h1-2.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/SRPMS/man-1.5h1-2.6.x.src.rpm

    For Caldera Systems:

        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/man-1.5f-6.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/man-1.5f-6.src.rpm
        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/man-1.5f-6.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/man-1.5f-6.src.rpm
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/man-1.5g-2.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/man-1.5g-2.src.rpm

    Trustix Secure Linux (TSL) released new man packages fixing the hole
    in makewhatis.  All users of TSL 1.0x and 1.1 are encouraged to
    upgrade to this version of the man package:

        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/man-1.5g-11tr.i586.rpm
        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/man-1.5g-11tr.i586.rpm

        http://www.trustix.net/download/Trustix/updates/1.1/SRPMS/man-1.5g-11tr.src.rpm
        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/SRPMS/man-1.5g-11tr.src.rpm

    SuSE is not affected by this bug, because its man package uses
    different code that does not touch /tmp in an insecure way.

    Linux-Mandrake recommends that affected customers upgrade to:

        6.0/RPMS/man-1.5g-15mdk.i586.rpm
        6.0/SRPMS/man-1.5g-15mdk.src.rpm
        6.1/RPMS/man-1.5g-15mdk.i586.rpm
        6.1/SRPMS/man-1.5g-15mdk.src.rpm
        7.0/RPMS/man-1.5g-15mdk.i586.rpm
        7.0/SRPMS/man-1.5g-15mdk.src.rpm
        7.1/RPMS/man-1.5g-15mdk.i586.rpm
        7.1/SRPMS/man-1.5g-15mdk.src.rpm