Bug 114540

Summary: CAN-2003-1023 mc stack overflow
Product: [Fedora] Fedora Reporter: Leonard den Ottolander <leonard-rh-bugzilla>
Component: mcAssignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 1CC: bart.martens
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 4.6.0-8.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-02-09 15:56:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Leonard den Ottolander 2004-01-29 12:10:14 UTC 
A buffer overflow has been found in Midnight Commander's virtual
filesystem code. Specifically, a stack-based buffer overflow in
vfs_s_resolve_symlink of vfs/direntry.c allows remote attackers to
execute arbitrary code during symlink conversion.

Also see bug #113849 and bug #113850
Comment 1 Bart Martens 2004-02-04 21:19:29 UTC 
Included in:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/1/i386/mc-4.6.0-8.4.i386.rpm
Comment 2 Leonard den Ottolander 2004-02-04 21:32:26 UTC 
The patch was already included in 8.1, but at that time not announced
as a security update (actually not announced at all).

8.4 should be pushed to the main update tree ASAP as this is a serious
vulnerability and not every body runs or checks testing, so I assume
90% of people running Fedora are still vulnerable.