Debian Security Advisory
tcsh -- local exploit
- Date Reported:
- 11 Nov 2000
- Affected Packages:
-
tcsh
tcsh-i18n
tcsh-kanji - Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-1134.
- More information:
- Proton reported on bugtraq that tcsh did not handle in-here documents correctly. The version of tcsh that is distributed with Debian GNU/Linux 2.2r0 also suffered from this problem. When using in-here documents using the << syntax tcsh uses a temporary file to store the data. Unfortunately the temporary file is not created securely and standard symlink attacks can be used to make tcsh overwrite arbitrary files. This has been fixed in version 6.09.00-10 and we recommend that you upgrade your tcsh package immediately.
- Fixed in:
-
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00-10.diff.gz
- http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00-10.dsc
- http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00.orig.tar.gz
- http://security.debian.org/dists/potato/updates/main/source/tcsh_6.09.00-10.dsc
- Architecture-independent component:
- http://security.debian.org/dists/potato/updates/main/binary-all/tcsh-i18n_6.09.00-10_all.deb
- Alpha:
- http://security.debian.org/dists/potato/updates/main/binary-alpha/tcsh_6.09.00-10_alpha.deb
- http://security.debian.org/dists/potato/updates/main/binary-alpha/tcsh-kanji_6.09.00-10_alpha.deb
- http://security.debian.org/dists/potato/updates/main/binary-alpha/tcsh-kanji_6.09.00-10_alpha.deb
- ARM:
- http://security.debian.org/dists/potato/updates/main/binary-arm/tcsh_6.09.00-10_arm.deb
- http://security.debian.org/dists/potato/updates/main/binary-arm/tcsh-kanji_6.09.00-10_arm.deb
- http://security.debian.org/dists/potato/updates/main/binary-arm/tcsh-kanji_6.09.00-10_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/potato/updates/main/binary-i386/tcsh_6.09.00-10_i386.deb
- http://security.debian.org/dists/potato/updates/main/binary-i386/tcsh-kanji_6.09.00-10_i386.deb
- http://security.debian.org/dists/potato/updates/main/binary-i386/tcsh-kanji_6.09.00-10_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/potato/updates/main/binary-m68k/tcsh_6.09.00-10_m68k.deb
- http://security.debian.org/dists/potato/updates/main/binary-m68k/tcsh-kanji_6.09.00-10_m68k.deb
- http://security.debian.org/dists/potato/updates/main/binary-m68k/tcsh-kanji_6.09.00-10_m68k.deb
- PowerPC:
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/tcsh_6.09.00-10_powerpc.deb
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/tcsh-kanji_6.09.00-10_powerpc.deb
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/tcsh-kanji_6.09.00-10_powerpc.deb
- Sun SPARC:
- http://security.debian.org/dists/potato/updates/main/binary-sparc/tcsh_6.09.00-10_sparc.deb
- http://security.debian.org/dists/potato/updates/main/binary-sparc/tcsh-kanji_6.09.00-10_sparc.deb
- http://security.debian.org/dists/potato/updates/main/binary-sparc/tcsh-kanji_6.09.00-10_sparc.deb