Bug 152658

Summary: bug in mc - gnu midnight commander
Product: [Retired] Fedora Legacy
Reporter: Seth Vidal <skvidal>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium    
Version: unspecified   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:23:02 UTC
This is the bug:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
This is the patch:
http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-vfs-tar-symlink.patch

This is the srpm:
http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-4.5.55-5.7.3.legacy.src.rpm

This is the rpm for 7.3 i386:
http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-4.5.55-5.7.3.legacy.i386.rpm

This is your brain on drugs.

The pkgs are signed with my key.
I've tested the fix with the exploit; it does fix it.



------- Additional Comments From jkeating 2004-01-16 20:58:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I just tested the latest mc for RHL 7.2 and it is not vulnerable to this flaw.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFACN3R4v2HLvE71NURAni7AJ0WQnK9nEzz9JfJZRJqofprl0DwwgCggPlF
o1rcJWqlHkvAjqFfxwTPxe0=
=78u8
-----END PGP SIGNATURE-----




------- Additional Comments From warren 2004-01-16 21:37:57 ----

Is anyone working on the rh80 equivalent?




------- Additional Comments From warren 2004-01-17 02:23:12 ----

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=113756
If they are relevant to this older version, please consider including package
spec cleanups suggested in my attachment here.  Also see my thread on
fedora-devel about BuildRequires.



------- Additional Comments From jkeating 2004-01-17 07:33:53 ----

Looks like us non-redhat people can't access that bug, Warren.  I was going to
start work on the 8.0 port today, what's the gist of the bug?



------- Additional Comments From jkeating 2004-01-17 09:14:27 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just tested the latest mc for RHL 8.0 and it is not vulnerable to this flaw.

Or at least the exp.tgz file that we're supposed to test with doesn't crash mc.
Is there a better way to test for this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFACYpz4v2HLvE71NURAnvSAKCKtaZsi+vPntWwfdUZps4LwCuDWQCgiH1x
OXcTNrm7fpoNquDDkP6o748=
=Dljj
-----END PGP SIGNATURE-----




------- Additional Comments From warren 2004-01-17 11:10:03 ----

Created an attachment (id=514)
mc.spec

mc.spec from 4.6.0-9 that should hit rawhide later today.  Please consider
merging some or all of the package cleanups from this spec, but make sure they
are relevant to the 4.5.x series first.

See my discussion on fedora-devel list about ldd output, since without adding
the BuildRequires the features of the package are very different when built
with the fedora.us build system.



------- Additional Comments From jkeating 2004-01-18 10:34:36 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
These are Seth's rpms, just slightly modified.  Changed the patch name to have
the CVE number in it, and changed the version of the package to meet legacy
package version guidelines (that aren't public yet...)
 
These are for 7.3.  I'll be uploading 8.0 and 7.2 packages soon.  The vuln is
not testable by the exp.tgz file linked in the CVE report, but this patch applies
cleanly to the versions of 7.2, 7.3 and 8.0.  In my book, that means we should
patch it.
 
Warren, for Legacy packages, I want to change as little as possible.  This means
that I won't be adding your spec fixes, as it could possibly introduce problems
into the package, more than just adding the patch and moving on.
 
RHL 7.3 rpm:
http://geek.j2solutions.net/rpms/legacy/mc/7.3/mc-4.5.55-6.legacy.i386.rpm
RHL 7.3 srpm:
http://geek.j2solutions.net/rpms/legacy/mc/7.3/mc-4.5.55-6.legacy.src.rpm
md5's: http://geek.j2solutions.net/rpms/legacy/mc/7.3/md5sums
 
Packages are signed with my pubkey.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFACu7C4v2HLvE71NURAi0iAKCk6hLhQ0dF8cI7nUAXZd2/qKYPIwCcDqEb
sS0o/yidDv5lyIwGl/VUyFU=
=6gdC
-----END PGP SIGNATURE-----



------- Additional Comments From jkeating 2004-01-18 15:35:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
7.2 RPMS
 
http://geek.j2solutions.net/rpms/legacy/mc/7.2/mc-4.5.51-37.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/mc/7.2/mc-4.5.51-37.legacy.src.rpm
 
md5 for 7.2
 
http://geek.j2solutions.net/rpms/legacy/mc/7.2/md5sums
 
8.0 RPMS
 
http://geek.j2solutions.net/rpms/legacy/mc/8.0/mc-4.5.55-13.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/mc/8.0/mc-4.5.55-13.legacy.src.rpm
 
md5 for 8.0
 
http://geek.j2solutions.net/rpms/legacy/mc/8.0/md5sums
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFACzVO4v2HLvE71NURAjgsAKC+eaSjAUyQpF8uGKlleIY6hEQwSQCgvsTJ
D87soc6rbCrPlbNW1i9FKiY=
=Yngg
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-01-18 22:00:48 ----

In reply to comment 7, rh73 src.rpm:

* Missing buildrequires:

slang-devel
e2fsprogs-devel
gettext
db1-devel
libtermcap-devel

* Wrong buildrequires:

slang

* The explicit dependency on "pam" and /etc/pam.d/system-auth is only for the
"mcserv" sub-package which is compiled (missing buildrequires "pam-devel"), but
it's disabled in the %files section. Also see "grep mcserv mc.spec". :)



------- Additional Comments From bugs.michael 2004-01-25 12:20:34 ----

Maybe these help speed up the release of updates. They are based on Jesse's.

Signed update src.rpms:

rh72: http://xmms-fc.sf.net/mc-4.5.51-37.legacy.src.rpm
rh73: http://xmms-fc.sf.net/mc-4.5.55-6.legacy.src.rpm
rh80: http://xmms-fc.sf.net/mc-4.5.55-13.legacy.src.rpm

SHA1 sums:

6e1405363325193dc4d2f215120ad6a2ab695718  mc-4.5.51-37.legacy.src.rpm
4223eb46deb729692811c62829f58d7cf1110dc2  mc-4.5.55-13.legacy.src.rpm
e9d6a9cc883b9709dd04274e82eb395a84a47214  mc-4.5.55-6.legacy.src.rpm




------- Additional Comments From jkeating 2004-02-23 21:56:13 ----

Pushed to updates-testing.



------- Additional Comments From jpdalbec 2004-02-25 09:35:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL 7.3: ++VERIFY

d56d82b210636fe30c09d0ce09b38cf8572e4ab5  mc-4.5.55-6.legacy.i386.rpm

I installed mc.  It passes basic functional tests (help, switching directories,
copying a file from one directory to another).

The filelists match.  For some reason I did not have the /usr/share/locale
files installed previously.  It must be something in Anaconda since the boxes
where I installed Red Hat 7.3 on top of 7.1 by upgrading individual RPMs have
the files installed.

The ldd output matches.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAPPe4JL4A+ldA7asRAlg5AKClr1YY82R5q5rCMnJNAd0nD86DiQCgl2xX
jU/8amLLnY1zfPXD6kt9Vwg=
=yoAl
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-04-02 07:23:09 ----

Tested on redhat 7.3

e8ce027dd29a8d8d86b7f3fa20d32e69  mc-4.5.55-6.legacy.i386.rpm

Installs and runs successfully. The changelog entry seems to be missing though
(in rpm -q --changelog)

But - md5sum differs from the announcement and the above report!
gpg and internal md5 matches:

[dom@isay updates-testing]$ rpm --checksig mc-4.5.55-6.legacy.i386.rpm 
mc-4.5.55-6.legacy.i386.rpm: md5 gpg OK

-rw-r--r--    1 root     root      1573230 Feb 24 07:22 mc-4.5.55-6.legacy.i386.rpm

This was downloaded from
http://www.mirror.ac.uk/sites/download.fedoralegacy.org/legacy/redhat/7.3/updates-testing/i386/
- same from
http://ftp.heanet.ie/mirrors/download.fedoralegacy.org/redhat/7.3/updates-testing/i386/



------- Additional Comments From dom 2004-04-02 07:51:15 ----

You can ignore the md5 part of that of course - I didn't realise they were
actually sha1sums! It should probably be made clear on the advisories.
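
The mix-up in the two comments above (a SHA-1 sum from the advisory compared against `md5sum` output) can be avoided by choosing the hash tool from the length of the published digest. This is an added example, not part of the original thread; the function names `digest_tool` and `verify_published` are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the bug thread). Verify a file against a published
# "<hex digest>  <filename>" line, picking the hash tool from the digest
# length so a SHA-1 sum is never compared against md5sum output.

# digest_tool HEX -> prints the coreutils tool that produces digests of that length
digest_tool() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # empty or not hexadecimal
    esac
    case "${#1}" in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# verify_published LINE [DIR] -> 0 match, 1 mismatch, 2 unusable line or file
verify_published() {
    line=$1
    dir=${2:-.}
    want=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
    # Drop the "*" binary-mode marker and any directory part, so a name in
    # the published list cannot point outside DIR.
    name=$(printf '%s\n' "$line" | awk '{sub(/^\*/, "", $2); print $2}')
    name=${name##*/}
    tool=$(digest_tool "$want") || { echo "unrecognised digest: $want" >&2; return 2; }
    [ -f "$dir/$name" ] || { echo "missing file: $dir/$name" >&2; return 2; }
    got=$("$tool" "$dir/$name" | awk '{print $1}')
    if [ "$got" = "$want" ]; then
        echo "$name: $tool OK"
    else
        echo "$name: $tool MISMATCH (got $got)"
        return 1
    fi
}
```

Called as `verify_published "<digest>  mc-4.5.55-6.legacy.i386.rpm" /path/to/download`, it reports which algorithm was used along with the result. It complements `rpm --checksig`, which checks the package's internal digest and GPG signature rather than the sum published in an advisory.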



------- Additional Comments From bugs.michael 2004-04-02 09:03:06 ----

What changelog entry do you think is missing?




------- Additional Comments From dom 2004-04-08 13:41:34 ----

Changelog seems to be fine. Must've had another bad day; I also managed not to
add myself to the CC list for this bug. Sorry!



------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1224 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1224
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
mc.spec
https://bugzilla.fedora.us/attachment.cgi?action=view&id=514

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.