Rapid7 Vulnerability & Exploit Database

RHSA-2003:039: Updated im packages fix insecure handling of temporary files

Back to Search

RHSA-2003:039: Updated im packages fix insecure handling of temporary files

Severity
2
CVSS
(AV:L/AC:L/Au:N/C:N/I:P/A:N)
Published
01/17/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

New im packages are available that fix the insecure handling of temporary files. [Updated 7 July 2003] Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

Internet Message (IM) is a series of user interface commands and backend Perl5 libraries that integrate email and the NetNews user interface. They are designed to be used from both the Mew mail reader for Emacs and the command line. A vulnerability has been discovered by Tatsuya Kinoshita in the way two IM utilities create temporary files. By anticipating the names used to create files and directories stored in /tmp, it may be possible for a local attacker to corrupt or modify data as another user. Red Hat Linux 7, 7.1, and 7.2 included IM packages that are vulnerable to this issue. This erratum includes IM version 143 which is not vulnerable to this issue. Red Hat Linux 7.3, and 8.0 included Mew (Messaging in the Emacs World) packages which included vulnerable versions of IM. This erratum provide updated Mew packages including IM version 143 which is not vulnerable to this issue.

Solution(s)

  • redhat-upgrade-im
  • redhat-upgrade-mew
  • redhat-upgrade-mew-common
  • redhat-upgrade-mew-xemacs

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;