Bug 136323
Summary: | CAN-2004-0966 temporary file vulnerabilities in various gettext scripts. | ||||||
---|---|---|---|---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Mark J. Cox <mjc> | ||||
Component: | gettext | Assignee: | Fedora Legacy Bugs <bugs> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | low | ||||||
Version: | fc2 | CC: | mattdm, pekkas, sheltren | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | LEGACY, rh90, 1, 2 | ||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2006-01-10 01:19:30 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Mark J. Cox
2004-10-19 11:00:38 UTC
Created attachment 105442 [details]
Proposed patch (needs backporting)
[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.] See also bug 152810 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Created package for FC2 using above patch. http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.14.1-2.1.1.legacy.src.rpm 88714980739f378a18a93d68fcf62b41bdc34660 gettext-0.14.1-2.1.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFDV4fxKe7MLJjUbNMRAqndAJ4iEIp3awHSHUeP2ny2RurV3A2LqACeIPqJ 2ZPfFt0753pLyKR06sXQaTw= =MEP4 -----END PGP SIGNATURE----- Does this affect FC1? If it doesn't affect RHEL3/2.1, I guess it doesn't affect RHL73/9. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Looking at the other bug, I had assumed that FC1 was not vulnerable, but now that I look at it, it does have some (not all) of the patched code. I've patched the similar parts of code as were patched for FC2, and there is a FC1 package here: http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.12.1-1.1.legacy.src.rpm 8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23 gettext-0.12.1-1.1.legacy.src.rpm I'll double check on the rh7 & rh9 packages later just to be sure that they don't need to be patched. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFDWM7cKe7MLJjUbNMRAsCuAJ93b3u6DPWUOXNSII6raGSttgOwdACeO3EK ta9xpnl0TJPnrph6eKNTWoc= =lpfB -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Redhat 7.3 doesn't have any of the vulnerable code. RH9 does have some of it, so I've patched what's there that appears to be vulnerable. Here's the RH9 package: http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.11.4-7.1.legacy.src.rpm 52c7f683312d53c41cc046b8109dd073b122d3d5 gettext-0.11.4-7.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFDWRg0Ke7MLJjUbNMRAvHTAKCQnL1FpwgEouo5OmvPkCOikRWNpgCcDxWK pw8EpQMVCGtpAVhZXQC8kTQ= =a7Iy -----END PGP SIGNATURE----- Thanks for the investigation. Unless someone jumps in, I'll do QA for these shortly.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - 0.14 patch verified to be the same as RHEL proposal and in Gentoo; 0.12 removes a subset, 0.11 almost all. Should be OK. I noted one typo in 0.11 patch: +if [ $? -ne 0 ]; then + echo "ERROR making $workd_dir" + exit 1 +fi s/workd_dir/work_dir/ This can be fixed at build time, I think. +PUBLISH RHL9, FC1, FC2 52c7f683312d53c41cc046b8109dd073b122d3d5 gettext-0.11.4-7.1.legacy.src.rpm 8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23 gettext-0.12.1-1.1.legacy.src.rpm 88714980739f378a18a93d68fcf62b41bdc34660 gettext-0.14.1-2.1.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDXHdmGHbTkzxSL7QRAuFQAKDWp3W3R2K1lUK9rWgimFhoJciuEACfXvLd /mw+pVBt89Hz1nSPI+fV1wI= =C2Uo -----END PGP SIGNATURE----- Thanks, Pekka. Marc, if you want me to resubmit the 0.11 package (without the typo), let me know. Packages were pushed to updates-testing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for RHL9: signature OK, upgrades OK, rebuilding a couple of src.rpm's using gettext works fine. +VERIFY RH9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDi0wiGHbTkzxSL7QRAohhAJ9Wp9uRwEVNLFr8IJ7//HndPs/DkACgmG0j /729E1CaT5KvL+EYinWrKjw= =5Rni -----END PGP SIGNATURE----- Timeout over. Packages were released to updates |