Bug 136323

Summary: CAN-2004-0966 temporary file vulnerabilities in various gettext scripts.
Product: [Retired] Fedora Legacy
Reporter: Mark J. Cox <mjc>
Component: gettext
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: fc2
CC: mattdm, pekkas, sheltren
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, rh90, 1, 2
Doc Type: Bug Fix
Last Closed: 2006-01-10 01:19:30 UTC
Attachments: Proposed patch (needs backporting), flags: none

Description Mark J. Cox 2004-10-19 11:00:38 UTC
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep 30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in autopoint, gettextize scripts.  Patch
attached.  These issues don't affect the scripts shipped with gettext
in RHEL2.1, RHEL3.

Comment 1 Mark J. Cox 2004-10-19 11:01:37 UTC
Created attachment 105442 [details]
Proposed patch (needs backporting)

Comment 8 Matthew Miller 2005-04-11 22:20:46 UTC
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]

Comment 9 Marc Deslauriers 2005-04-20 23:30:58 UTC
See also bug 152810 

Comment 10 Jeff Sheltren 2005-10-20 12:03:24 UTC
Created package for FC2 using above patch.

http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.14.1-2.1.1.legacy.src.rpm

88714980739f378a18a93d68fcf62b41bdc34660  gettext-0.14.1-2.1.1.legacy.src.rpm

Comment 11 Pekka Savola 2005-10-21 08:54:52 UTC
Does this affect FC1?  If it doesn't affect RHEL3/2.1, I guess it doesn't affect
RHL73/9.

Comment 12 Jeff Sheltren 2005-10-21 11:18:53 UTC
Looking at the other bug, I had assumed that FC1 was not vulnerable,
but now that I look at it, it does have some (not all) of the patched
code.  I've patched the similar parts of code as were patched for
FC2, and there is a FC1 package here:

http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.12.1-1.1.legacy.src.rpm

8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23  gettext-0.12.1-1.1.legacy.src.rpm

I'll double check on the rh7 & rh9 packages later just to be sure
that they don't need to be patched.

Comment 13 Jeff Sheltren 2005-10-21 16:31:14 UTC
Red Hat 7.3 doesn't have any of the vulnerable code.  RH9 does have some
of it, so I've patched what's there that appears to be vulnerable.

Here's the RH9 package:
http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.11.4-7.1.legacy.src.rpm

52c7f683312d53c41cc046b8109dd073b122d3d5  gettext-0.11.4-7.1.legacy.src.rpm

Comment 14 Pekka Savola 2005-10-22 04:37:22 UTC
Thanks for the investigation.  Unless someone jumps in, I'll do QA for these
shortly.

Comment 15 Pekka Savola 2005-10-24 05:54:03 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - 0.14 patch verified to be the same as RHEL proposal and in Gentoo;
   0.12 removes a subset, 0.11 almost all.  Should be OK.
 
I noted one typo in 0.11 patch:
 
+if [ $? -ne 0 ]; then
+  echo "ERROR making $workd_dir"
+  exit 1
+fi
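
Review bot: the `echo` line in this hunk writes the failure message to stdout; send it to stderr (`echo "ERROR making $work_dir" >&2`) so it still reaches the user when the script's output is redirected or captured. The `[ $? -ne 0 ]` test also only works while it stays directly after the command it checks, so testing that command in the `if` itself would be sturdier. With the misspelled `$workd_dir` the message names no directory at all, which is the typo noted just below.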
 
s/workd_dir/work_dir/
 
This can be fixed at build time, I think.
 
+PUBLISH RHL9, FC1, FC2
 
52c7f683312d53c41cc046b8109dd073b122d3d5  gettext-0.11.4-7.1.legacy.src.rpm
8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23  gettext-0.12.1-1.1.legacy.src.rpm
88714980739f378a18a93d68fcf62b41bdc34660  gettext-0.14.1-2.1.1.legacy.src.rpm
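
The kind of work-directory creation and failure check that the quoted patch fragment belongs to, as an added example that is not gettext's code or the attached patch: it creates a script's work directory so that a name already present in a shared temporary directory is never reused, and reports failure on stderr. The function names and the `example.` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not gettext code): make_work_dir, make_work_dir_mkdir and
# is_private_dir are hypothetical helper names.

# Create a fresh directory with an unpredictable name, owner-only access.
# Prints the path on stdout; on failure prints to stderr and returns 1.
make_work_dir() {
  base=${TMPDIR:-/tmp}
  # mktemp -d creates the directory atomically and fails if the name is
  # taken, so a file or symlink planted at that path is never followed.
  work_dir=$(mktemp -d "$base/example.XXXXXX") || {
    echo "ERROR making work directory under $base" >&2
    return 1
  }
  printf '%s\n' "$work_dir"
}

# Fallback where mktemp is unavailable: mkdir without -p fails if the path
# already exists (file, directory or symlink). The name is predictable, so
# another user can make the script fail, but cannot redirect its writes.
make_work_dir_mkdir() {
  work_dir=${TMPDIR:-/tmp}/example.$$
  # Testing the command directly avoids a separate "$?" check that breaks
  # if another command is later inserted in between.
  if ! (umask 077 && mkdir "$work_dir"); then
    echo "ERROR making $work_dir" >&2
    return 1
  fi
  printf '%s\n' "$work_dir"
}

# Succeeds only if $1 is a real directory (not a symlink to one) whose
# permission bits allow access to the owner alone.
is_private_dir() {
  [ -d "$1" ] && [ ! -L "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$perms" = "drwx------" ]
}
```

A caller would use `work_dir=$(make_work_dir) || exit 1` and remove the directory in an `EXIT` trap.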


Comment 16 Jeff Sheltren 2005-10-24 10:17:59 UTC
Thanks, Pekka.  Marc, if you want me to resubmit the 0.11 package (without the
typo), let me know.

Comment 17 Marc Deslauriers 2005-11-19 16:01:25 UTC
Packages were pushed to updates-testing

Comment 18 Pekka Savola 2005-11-28 18:25:31 UTC
QA for RHL9: signature OK, upgrades OK, rebuilding a couple of src.rpm's
using gettext works fine.

+VERIFY RH9


Comment 19 Pekka Savola 2005-12-28 18:52:13 UTC
Timeout over.

Comment 20 Marc Deslauriers 2006-01-10 01:19:30 UTC
Packages were released to updates