Home > Security > Advisories


Mandriva Advisories

Package name exmh
Date January 26th, 2001
Advisory ID MDKSA-2001:015
Affected versions 6.0, 6.1, 7.0, 7.1, 7.2, CS1.0
Synopsis Updated exmh packages fix temporary file insecurities

Problem Description

All versions of exmh prior to 2.3.1 use the /tmp directory for storing
temporary files. This was done in an insecure manner as exmh did not
check to ensure that nobody placed a symlink with the same name in /tmp
in the meantime and thus was vulnerable to a symlink attack. This
could lead to a malicious local user being able to overwrite any file
writable by the user executing exmh. These updated versions of exmh
now use /tmp/username unless TMPDIR or EXMHTMPDIR is set.

Updated Packages

Mandrakelinux 6.0

 df41f52609427ea68a23cabec9e5ecdf  6.0/RPMS/exmh-2.0.2-8.1mdk.noarch.rpm
8a2a479d1ed9a982e97745d62cd22a31  6.0/SRPMS/exmh-2.0.2-8.1mdk.src.rpm

Mandrakelinux 6.1

 2d5601696033fb25e51712f2d510467f  6.1/RPMS/exmh-2.0.3-8.1mdk.noarch.rpm
92ca9c194cc6114f75ba33041a425330  6.1/SRPMS/exmh-2.0.3-8.1mdk.src.rpm

Mandrakelinux 7.0

 236ee27fb0498b1cc3c696d5d81c321f  7.0/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19  7.0/SRPMS/exmh-2.1.1-5.1mdk.src.rpm

Mandrakelinux 7.1

 a34c9cc91e5a5b365c7cdfe4565a29fd  7.1/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19  7.1/SRPMS/exmh-2.1.1-5.1mdk.src.rpm

Mandrakelinux 7.2

 efdd5d3fecc72805d1099693a6dfc7cb  7.2/RPMS/exmh-2.2-4.1mdk.noarch.rpm
1ac6b56522683d758aeda0e2c14fb7b6  7.2/SRPMS/exmh-2.2-4.1mdk.src.rpm

Corporate Server 1.0.1

 a34c9cc91e5a5b365c7cdfe4565a29fd  1.0.1/RPMS/exmh-2.1.1-5.1mdk.noarch.rpm
58d6b7a0c0c95005c5f5d924d5edab19  1.0.1/SRPMS/exmh-2.1.1-5.1mdk.src.rpm


To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.