Stilgar
16th May 2003, 19:49
Security Advisory - RHSA-2003:169-08
------------------------------------------------------------------------------
Summary:
Updated lv packages fix vulnerability
New lv packages that fix the possibility of a local root exploit are now
available.
Description:
Lv is a powerful file viewer similar to less. It can decode and encode
multilingual streams through many coding systems, such as ISO-8859,
ISO-2022, EUC, SJIS, Big5, HZ, and Unicode.
A bug has been found in versions of lv that read a .lv file in the current
directory. Local attackers can use this to place an .lv file in any
directory to which they have write access. Any user who subsequently runs
lv in that directory and uses the v (edit) command can be forced to execute
an arbitrary program.
Users are advised to upgrade to these erratum packages, which contain a
version of lv that is patched to read the .lv configuration file only in
the user's home directory.
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=190941
------------------------------------------------------------------------------
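Added example, not part of the advisory or of Red Hat's packages: a POSIX shell audit that lists every .lv file outside the user's own home directory, which is the file an unpatched lv would read when started in that directory. The function names find_stray_lv and report_stray_lv are hypothetical, and the script assumes path names without newlines.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.
# Finds .lv files that an unpatched lv would load from the current directory,
# i.e. every .lv that is not the invoking user's own $HOME/.lv.

# find_stray_lv ROOT [HOME_DIR]
# Prints the path of each file or symlink named ".lv" under ROOT,
# except HOME_DIR/.lv. ROOT and HOME_DIR must be spelled the same way
# (both absolute, no symlinked prefixes) for the exclusion to match.
find_stray_lv() {
    root=$1
    home_dir=${2:-$HOME}
    home_dir=${home_dir%/}          # tolerate a trailing slash
    find "$root" -name .lv \( -type f -o -type l \) \
        ! -path "$home_dir/.lv" 2>/dev/null | sort
}

# report_stray_lv ROOT [HOME_DIR]
# One line per hit: "<path> owner=<user> dir_shared=<yes|no>".
# dir_shared=yes means the containing directory is group- or world-writable,
# so another local user could have placed the file there.
report_stray_lv() {
    find_stray_lv "$1" "$2" | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        dir=$(dirname "$f")
        # Characters 6 and 9 of the ls mode string are the group and
        # other write bits of the directory.
        case $(ls -ld "$dir" | cut -c6,9) in
            *w*) shared=yes ;;
            *)   shared=no ;;
        esac
        printf '%s owner=%s dir_shared=%s\n' "$f" "$owner" "$shared"
    done
}

# Typical use on a multi-user host until the erratum packages are installed:
#   report_stray_lv /tmp
#   report_stray_lv /srv/shared "$HOME"
```

Any hit owned by another account in a shared directory is worth inspecting before lv is run there.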