Overview
A buffer overflow exists in the gtop daemon.
Description
A buffer overflow in gtopd, specifically permitted(), may allow a remote attacker to execute arbitrary code. For more detailed information, please see Flavio Veloso's analysis. gtop background information |
Impact
A remote attacker may be able to execute arbitrary code with elevated privileges. Depending on the particular way gtop is built and implemented, it may also be possible for an attacker to read kernel memory. The ability to read kernel data is particularly dangerous because there is often sensitive data such as terminal activity, network traffic, and other types of privileged information residing in kernel memory space. Because of this, it may be possible for an attacker to leverage this vulnerability to gain root access to the local system, and possibly other systems interacting with the host running the gtop daemon. |
Solution
Apply a patch from your vendor. |
Vendor Information
Conectiva Affected
Updated: August 19, 2003
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : libgtop
SUMMARY : libgtop vulnerabilities
DATE : 2002-01-03 17:03:00
ID : CLA-2002:448
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
- -------------------------------------------------------------------------
DESCRIPTION
LibGTop (from the Gnome project) is a library that fetches system
related information such as CPU Load, Memory Usage and running
processes. It includes a daemon (libgtop_daemon) which can be used to
monitor processes remotely.
There are two libgtop_daemon vulnerabilities addressed by this
advisory:
The first one[1] was found by the Laboratory intexxia and is related
to a format string vulnerability in the libgtop_daemon logging
mechanisms. The second[2] was found later[3] by Flavio Veloso when
investigating the first and is a buffer overflow in the same part of
the code.
By exploiting any of the vulnerabilities an attacker would be able to
execute arbitrary code with the privileges of the user libgtop_daemon
is running as.
Notice that libgtop_daemon is not invoked by default anywhere in
Conectiva Linux, even if you're running Gnome as your desktop.
SOLUTION
All libgtop users should upgrade. Notice that if you're running
libgtop_daemon, it must be restarted manually after the new packages
get installed.
REFERENCES:
1.http://www.securityfocus.com/archive/1/242542
2.http://www.securityfocus.com/bid/3594
3.http://www.securityfocus.com/archive/1/242922
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/libgtop-1.0.13-U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-1.0.13-U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-devel-1.0.13-U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-devel-static-1.0.13-U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/libgtop-examples-1.0.13-U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/libgtop-1.0.13-U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-1.0.13-U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-devel-1.0.13-U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-devel-static-1.0.13-U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libgtop-examples-1.0.13-U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/libgtop-1.0.13-U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-1.0.13-U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-devel-1.0.13-U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-devel-static-1.0.13-U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgtop-examples-1.0.13-U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/libgtop-1.0.13-U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-devel-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-devel-static-1.0.13-U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/libgtop-examples-1.0.13-U50_2cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8NKsf42jd0JmAcZARAk3AAJ9LdGate06r1wYr4IxQ6BGxaMu13QCg0838
jyQcvhBuJ1uhU92xksMZCts=
=t6HB
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Affected
Updated: August 19, 2003
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 301-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
May 7th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : libgtop
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Id : CAN-2001-0928
The gtop daemon, used for monitoring remote machines, contains a
buffer overflow which could be used by an attacker to execute
arbitrary code with the privileges of the daemon process. If started
as root, the daemon process drops root privileges, assuming uid and
gid 99 by default.
This bug was previously fixed in DSA-098, but one of the patches was
not carried over to later versions of libgtop.
For the stable distribution (woody), this problem has been fixed in
version 1.0.13-3.1.
For the old stable distribution (potato), this problem was fixed in
DSA-098.
For the unstable distribution (sid), this problem has been fixed in
version 1.0.13-4.
We recommend that you update your libgtop package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Source archives:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop_1.0.13-3.1.dsc
Size/MD5 checksum: 742 d8b98133751cf060976c9408db0ff093
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop_1.0.13-3.1.diff.gz
Size/MD5 checksum: 44463 bb21f0a1bd686b162c9851ba452f4289
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop_1.0.13.orig.tar.gz
Size/MD5 checksum: 1055646 305abba436c212f50d4be28464a14452
Alpha architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_alpha.deb
Size/MD5 checksum: 43264 4af8089b686ee59cd1d1225643c0d1f7
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_alpha.deb
Size/MD5 checksum: 96356 6a37044e96ff0239c45fc6f19f6c5dc2
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_alpha.deb
Size/MD5 checksum: 248634 5a44c6ea924b7aa736d9375cff26ec1f
ARM architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_arm.deb
Size/MD5 checksum: 36944 afe9a4aaed8a0b429c87a1ac877a9364
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_arm.deb
Size/MD5 checksum: 75506 3d6cd73ce1fe9822dcbc000aa1f1eeb1
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_arm.deb
Size/MD5 checksum: 238746 a27306da18597d1f16c47da1fbeadf32
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_i386.deb
Size/MD5 checksum: 34288 b438bc41433c695fb9d7fe07c3d2c678
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_i386.deb
Size/MD5 checksum: 68526 470c085a4889f3d4bb685714a78a2ba3
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_i386.deb
Size/MD5 checksum: 234472 fce8f02aa1ec650c97ca849347a6a6d9
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_ia64.deb
Size/MD5 checksum: 55294 ac0962f6c408d0d543e4619fc1b9f267
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_ia64.deb
Size/MD5 checksum: 96220 5c14d64a314a2f5d9d0c102191c83263
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_ia64.deb
Size/MD5 checksum: 261596 104bb162235b358d14739d330fbb6cf3
HP Precision architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_hppa.deb
Size/MD5 checksum: 45726 03c799666f873c07b1ec9fdca6616c19
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_hppa.deb
Size/MD5 checksum: 91808 682b57ef285c3f4f5e63256da3522abf
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_hppa.deb
Size/MD5 checksum: 252070 02c9e95967181d484f4cb640d2215544
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_m68k.deb
Size/MD5 checksum: 31702 51dce78a6ce959dca7a3c30b148b2dac
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_m68k.deb
Size/MD5 checksum: 66270 53e915869cede47a1222a594cf000a19
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_m68k.deb
Size/MD5 checksum: 236228 fbfe68bc3b3e7f59c6c5ac1e8a390db5
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_mips.deb
Size/MD5 checksum: 39278 b6a7e5c105bc2ff300b741e622d8fbf7
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_mips.deb
Size/MD5 checksum: 85472 cbf44782f41e118377095e891b644652
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_mips.deb
Size/MD5 checksum: 237088 6eb536c77789d78d1148f403be96224f
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_mipsel.deb
Size/MD5 checksum: 39268 22a8697fe32914f174bbcb0b6df3a31d
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_mipsel.deb
Size/MD5 checksum: 84886 60478179b0d799d7f1b9b4054b92651e
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_mipsel.deb
Size/MD5 checksum: 236090 09511bd03e15a7406d1e3ff53539b8f9
PowerPC architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_powerpc.deb
Size/MD5 checksum: 38482 4e9a32f03aaeadb907adb9af45d85f87
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_powerpc.deb
Size/MD5 checksum: 83572 e2e7787edf237648ea54ac632a4b2381
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_powerpc.deb
Size/MD5 checksum: 242272 14501e5693ea5abdc2fafb3782b3debf
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_s390.deb
Size/MD5 checksum: 36654 f5d57a194e633d5a2191778ef5218ac2
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_s390.deb
Size/MD5 checksum: 72910 a8a9628160987055203cf5f8ae1b12e6
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_s390.deb
Size/MD5 checksum: 240116 40af0421bbd5a92e84540683fac6b885
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-daemon_1.0.13-3.1_sparc.deb
Size/MD5 checksum: 37686 ce3a10914e50207a77604c1715c85250
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop-dev_1.0.13-3.1_sparc.deb
Size/MD5 checksum: 75498 9afbe1178be469d7539dfcd0680b754e
http://security.debian.org/pool/updates/main/libg/libgtop/libgtop1_1.0.13-3.1_sparc.deb
Size/MD5 checksum: 251350 b18457f3a1104a72f2180d56cc4fa5f7
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+uSXJArxCt0PiXR4RAgODAJoD0PFjAKrkwyyLbJPKYop7jQKCDQCgxqT3
30UXdHNHU/iwMiNjRwTtyq0=
=S9lt
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Affected
Updated: August 19, 2003
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:65 Security Advisory
FreeBSD, Inc.
Topic: Buffer overflow in libgtop_server
Category: ports
Module: libgtop
Announced: 2001-12-11
Credits: Flavio Veloso <flaviovs@magnux.com>
Affects: Ports collection prior to the correction date
Corrected: 2001-11-29 15:06:19 UTC
FreeBSD only: NO
I. Background
libgtop is a library for gtop, the GNOME version of the top command.
The top command is a tool to display and update information about the
top cpu processes.
II. Problem Description
The libgtop port versions prior to libgtop-1.0.12_1 contain a stack
buffer overflow in libgtop_server, allowing an arbitrary amount of
data from the client application (assumed to be gtop) to be read
into a fixed-sized buffer. A local attacker can exploit this bug to
cause libgtop_server to execute arbitrary code. libgtop_server runs
with increased privileges as a member of group kmem, which allows
it to read kernel memory (but not write it). A process with the
ability to read from kernel memory can monitor privileged data such as
network traffic, disk buffers and terminal activity, and may be able
to leverage this to obtain further privileges on the local system or
on other systems, including root privileges.
The libgtop port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
A successful exploit of this stack buffer overflow would allow an
attacker arbitrary access to kernel memory, possibly acquiring
information allowing further increases in privileges.
No exploit is known to exist at this time, and it is not known
whether this buffer overflow is exploitable even in theory. In any
case, local access to the machine on which libgtop_server is running
is required to attempt an attack.
IV. Workaround
1) Deinstall the libgtop port/package if you have it installed.
OR
2) Remove the setgid bit from the libgtop_server executable by
executing the following command as root:
# chmod g-s `which libgtop_server`
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/libgtop-1.0.12_1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/libgtop-1.0.12_1.tar.gz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.
3) Download a new port skeleton for the libgtop port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Path Revision
- -------------------------------------------------------------------------
ports/devel/libgtop/Makefile 1.45
ports/devel/libgtop/files/patch-src::daemon::gnuserv.c 1.1
- -------------------------------------------------------------------------
VII. References
<URL:http://www.securityfocus.com/archive/1/242922>
-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp
iQCVAwUBPBY6xlUuHi5z0oilAQHwmQQAh3KtiIcKjmw5e9B2ABmdRYlwWFVEgN9F
QlUj8NqiDUaekQoLb5p923Y8VC0/9e/alRrnvd4kcmVmU8PUpXNaMp4cHz1mHnLQ
7w4QQ+qzmEOGJFOiUjE21FY8gPR3HH2rKiIOJyeHezRkUqhWMqlERJ08hnmtqjib
2TukQesxbzw=
=gyPX
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Affected
Updated: August 19, 2003
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: libgtop
Date: December 19th, 2001
Advisory ID: MDKSA-2001:094
Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1
________________________________________________________________________
Problem Description:
A remote format string vulnerability was found in the libgtop daemon by
Laboratory intexxia. By sending a specially crafted format string to
the server, a remote attacker could potentially execute arbitrary code
on the remote system with the daemon's permissions. By default libgtop
runs as the user nobody, but the flaw could be used to compromise local
system security by allowing the attacker to exploit other local
vulnerabilities. A buffer overflow was also found by Flavio Veloso
which could allow the client to execute code on the server. Both
vulnerabilities are patched in this update and will be fixed upstream
in version 1.0.14. libgtop_daemon is not invoked by default anywhere
in Mandrake Linux.
________________________________________________________________________
References:
http://www.securityfocus.com/bid/3594
________________________________________________________________________
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at:
https://www.mandrakesecure.net/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.
Linux-Mandrake 7.1:
4460a5e35ae7d547298577edeff6f599 7.1/RPMS/libgtop-1.0.7-0.2mdk.i586.rpm
f9475e8907edcc20aade65e50829f609 7.1/RPMS/libgtop-devel-1.0.7-0.2mdk.i586.rpm
597321a95fbf7bc1e23510f478fb78e5 7.1/SRPMS/libgtop-1.0.7-0.2mdk.src.rpm
Linux-Mandrake 7.2:
a7884a2c6af568510428aa02a354a30c 7.2/RPMS/libgtop-1.0.9-5.1mdk.i586.rpm
00d86824f66784890e348752144a476f 7.2/RPMS/libgtop-devel-1.0.9-5.1mdk.i586.rpm
6515e7d2a32b750062833cb59dbc64e7 7.2/SRPMS/libgtop-1.0.9-5.1mdk.src.rpm
Mandrake Linux 8.0:
2a063541aa9f9a100dd4c65b732224fd 8.0/RPMS/libgtop1-1.0.12-4.1mdk.i586.rpm
fb4cfb4b72e16121a6dab24e093b1de3 8.0/RPMS/libgtop1-devel-1.0.12-4.1mdk.i586.rpm
ae5c879fd1557cf964c4da572597ee94 8.0/SRPMS/libgtop-1.0.12-4.1mdk.src.rpm
Mandrake Linux 8.0 (PPC):
8e1dbba939c6281e22f57056dea4bb21 ppc/8.0/RPMS/libgtop1-1.0.12-4.1mdk.ppc.rpm
573688a8cdb56d2f07b8fc014784d036 ppc/8.0/RPMS/libgtop1-devel-1.0.12-4.1mdk.ppc.rpm
ae5c879fd1557cf964c4da572597ee94 ppc/8.0/SRPMS/libgtop-1.0.12-4.1mdk.src.rpm
Mandrake Linux 8.1:
20b663d5dd475a7fdc3a538f1a2a3eef 8.1/RPMS/libgtop1-1.0.12-4.1mdk.i586.rpm
0bcd19f280c7723e098918bbc68f52af 8.1/RPMS/libgtop1-devel-1.0.12-4.1mdk.i586.rpm
ae5c879fd1557cf964c4da572597ee94 8.1/SRPMS/libgtop-1.0.12-4.1mdk.src.rpm
Mandrake Linux 8.1 (IA64):
31f68bbde5ead6d8262c5b5cfb056918 ia64/8.1/RPMS/libgtop1-1.0.12-4.1mdk.ia64.rpm
c454857c349043d5f20b7b34d61fe1b2 ia64/8.1/RPMS/libgtop1-devel-1.0.12-4.1mdk.ia64.rpm
ae5c879fd1557cf964c4da572597ee94 ia64/8.1/SRPMS/libgtop-1.0.12-4.1mdk.src.rpm
Corporate Server 1.0.1:
4460a5e35ae7d547298577edeff6f599 1.0.1/RPMS/libgtop-1.0.7-0.2mdk.i586.rpm
f9475e8907edcc20aade65e50829f609 1.0.1/RPMS/libgtop-devel-1.0.7-0.2mdk.i586.rpm
597321a95fbf7bc1e23510f478fb78e5 1.0.1/SRPMS/libgtop-1.0.7-0.2mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
Before applying this update, make sure all previously released updates
relevant to your system have been applied. To upgrade automatically,
use MandrakeUpdate.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".
You can download the updates directly from one of the mirror sites
listed at:
http://www.linux-mandrake.com/en/ftp.php3.
Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.1, look for it in "updates/8.1/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other security advisories for Mandrake Linux at:
http://www.linux-mandrake.com/en/security/
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
________________________________________________________________________
Mandrake Linux has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
________________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security@linux-mandrake.com>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8IOH4mqjQ0CJFipgRAg01AJ9Zw+h0aDLMuboVJJVGhLkOEhTWtgCgsHQ4
5PJ8ucbKfZAtX/ORnk69FPw=
=rvkp
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was discovered by Flavio Veloso.
This document was written by Ian A. Finlay.
Other Information
| CVE IDs: | CVE-2001-0928 |
| Severity Metric: | 9.62 |
| Date Public: | 2001-11-28 |
| Date First Published: | 2003-08-19 |
| Date Last Updated: | 2003-08-19 19:55 UTC |
| Document Revision: | 49 |