Bug 152663

Summary: Information leak in util-linux
Product: [Retired] Fedora Legacy Reporter: Jesse Keating <jkeating>
Component: Package request    Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-04-05 22:44:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Lawrence 2005-03-30 23:23:10 UTC
The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been
freed and reallocated. This could cause unintentional data leakage.


https://rhn.redhat.com/errata/RHSA-2004-056.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080

Note, this only affects 7.2
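An added illustration of the bug class the description refers to, not util-linux's login.c and not the pwent2 patch; the account directory, the one-slot record pool and every function name below are constructed for the example. A login-style flow keeps the pointer returned by a lookup, a helper that runs later frees and reallocates that record, and the session then reads another user's data through the stale pointer. The fixed variant copies the record before anything else can run.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: not util-linux code. Names and data are invented. */

struct account {
    char name[32];
    char home[64];
    char secret[64];            /* must only ever be shown to its owner */
};

/* Constructed stand-in for the user database. */
static const struct account directory[] = {
    { "alice", "/home/alice", "alice-session-token" },
    { "bob",   "/home/bob",   "bob-session-token"   },
};

/* One-slot record pool. A lookup frees the previous record back into the pool
 * and reallocates the same slot for the new result, like a library that
 * recycles its result buffer on every call. The storage is static, so a stale
 * pointer stays readable and the leak is deterministic rather than undefined. */
static struct account pool_slot;
static int pool_in_use;

static struct account *pool_alloc(void) {
    if (pool_in_use)
        return NULL;
    pool_in_use = 1;
    return &pool_slot;
}

static void pool_free(struct account *rec) {
    if (rec == &pool_slot)
        pool_in_use = 0;
}

static struct account *lookup_account(const char *name) {
    static struct account *last;   /* record handed out by the previous call */
    size_t i;

    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].name, name) != 0)
            continue;
        if (last) {
            pool_free(last);       /* free the previous caller's record ... */
            last = NULL;
        }
        last = pool_alloc();       /* ... and reallocate the same storage */
        *last = directory[i];
        return last;
    }
    return NULL;
}

/* Something that runs between the initial lookup and the use of its result,
 * such as an authentication helper doing a lookup of its own. Constructed. */
static void auth_helper(const char *name) {
    (void)lookup_account(name);
}

/* Vulnerable flow: holds on to the first lookup's pointer and reads through it
 * after the helper has freed and reallocated the record. Returns "name:secret"
 * as seen through that pointer, or NULL for an unknown user. */
const char *vulnerable_session(const char *user, const char *helper_user) {
    static char shown[128];
    struct account *pw = lookup_account(user);

    if (!pw)
        return NULL;
    auth_helper(helper_user);            /* pw's record is recycled here */
    snprintf(shown, sizeof shown, "%s:%s", pw->name, pw->secret);
    return shown;
}

/* Fixed flow: copy what the session needs into caller-owned storage before
 * anything else can touch the library's record. */
const char *fixed_session(const char *user, const char *helper_user) {
    static char shown[128];
    struct account mine;
    struct account *pw = lookup_account(user);

    if (!pw)
        return NULL;
    mine = *pw;                          /* private copy taken immediately */
    auth_helper(helper_user);
    snprintf(shown, sizeof shown, "%s:%s", mine.name, mine.secret);
    return shown;
}

int main(void) {
    printf("vulnerable: %s\n", vulnerable_session("alice", "bob"));
    printf("fixed:      %s\n", fixed_session("alice", "bob"));
    return 0;
}
```

Because the pool recycles a static slot, the stale read is well defined here and always shows bob's data to alice's session. Against a real heap allocator the same flow is undefined behaviour, and what leaks depends on whatever the allocator hands out next, which is why the copy-before-use fix is the right shape regardless of allocator.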



------- Additional Comments From bugs.michael 2004-02-03 07:09:08 ----

> this only affects 7.2

rh73: confirmed (the affected pwent2 patch is not applied in the spec file, and
the fix is in the util-linux-2.11n code already).




------- Additional Comments From jkeating 2004-02-03 16:43:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have rebuilt the last errata package from Red Hat for RHL 7.2 and included
the modified util-linux-2.11f-pwent2.patch from the RHEL 2.1 errata.

Patch applies, package builds, ldd and rpm -ql matches.  Files can be found
here:

http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-18.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-18.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAIF5E4v2HLvE71NURAg9RAJ0XFc+DR8O+dr0+87xz+2NOzNFDdACaA0NU
T8eblBc7SxEMXDzMWAWCeQk=
=CvwY
-----END PGP SIGNATURE-----



------- Additional Comments From bugs.michael 2004-02-04 04:36:03 ----

* missing "Buildrequires: texinfo, gettext"




------- Additional Comments From jkeating 2004-02-04 06:20:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Added gettext and texinfo as buildreqs.  Bumped the build up by one.

http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAIR4Y4v2HLvE71NURAi59AJ4ovrppumCmvW0CC2CJjs9nXWRKowCgl8n8
UajM77Bqj5UXAcPg7hlmi7Q=
=S1s5
-----END PGP SIGNATURE-----



------- Additional Comments From Freedom_Lover 2004-02-04 07:23:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

util-linux QA on Red Hat 7.2

using:

http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums

* sha1sums passes gpg verification
* sha1sums match downloaded files
* packages signed by Jesse Keating (j2Solutions) <jkeating>
  (gpg key 0xF13BD4D5)
* source rpm differs from previous RH 7.2 release only by updated patch + spec
* patch file matches the one from RHEL2.1AS[1]
* package builds fine on RH 7.2
* ldd on binaries in /bin, /sbin, /usr/bin, /usr/games, and /usr/sbin match
  previous RH package
* rpm -ql matches previous RH package

* basic functionality tests pass and match those of previous RH release for the
  following commands (those included in login-utils, which are affected by the
  patch):

  /bin/login
  /sbin/agetty (not tested)
  /usr/bin/chfn
  /usr/bin/chsh
  /usr/bin/newgrp
  /usr/sbin/vipw

[1]
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

Vote PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAISwGuv+09NZUB1oRAmO1AKDgcr6tZKWnsRNtz5XqPufsoftPKgCg6rGQ
KdVcMFhAAfxoe0Hj4Dip+VQ=
=c0lC
-----END PGP SIGNATURE-----



------- Additional Comments From Freedom_Lover 2004-02-05 07:54:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I almost hate to send this here, as it's a wider issue than just this bug...

My previous entry fails to verify due to a line that was wrapped by bugzilla
(the line with the ftp address of the RHEL2.1AS update, it should begin with
just [1] ftp://...).

I've seen Jesse ask about this elsewhere (in another bugzilla entry or on the
mailing list).  For these signatures to be useful, they have to be verifiable
by others.  There are two potential solutions I see:

    1) disable the wrapping done by bugzilla or configure it to wrap at a much
       higher number of characters than it does now.
    2) make sure all QA testers know about the line wrap issue and at what
       number of characters bugzilla will delightfully munge up their entry so
       they can keep under that number.

Option 1 would be my preference but I don't know how feasible this is with
bugzilla, especially since we're sharing bugzilla by the good graces of Warren
and fedora.us.

Option 2 is a small pain for QA testers, but it will work if it has to and
everyone posting clearsigned entries knows about the issue.  I already have my
editor set to wrap at 78 or 80 characters, but there are times where a line
gets longer than that (with URLs most often).

Unless one of you guys has a quick and easy way of solving this, I'll try to
post something to the mailing list so we can get a wider set of heads thinking
about it.  I think something has to be done or we're just making a mockery of
signing posts.

In the short term, does anyone know at what width bugzilla will wrap an entry?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAIoTvuv+09NZUB1oRAonHAJ9L/eO2zliDphdcFQStcfJniwWgNACfXv0p
kTznz2QivFFsHPIbYblhoGE=
=rKeu
-----END PGP SIGNATURE-----



------- Additional Comments From jkeating 2004-02-11 21:02:35 ----

Pushed to updates-testing due to QA timeout.  Please verify for full release.



------- Additional Comments From rostetter.edu 2004-02-26 05:59:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
* Downloaded util-linux-2.11f-19.7.2.legacy.i386.rpm from
http://download.fedoralegacy.org/redhat/7.2/updates-testing/i386/
* Signature fingerprint checks out okay.
* RPM command says md5 gpg is okay.
* Installed fine on 12 RH 7.2 machines.
* Logins still work, everything seems fine.
* Vote for publish...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFAPheR4jZRbknHoPIRAmBYAKCEfhIFnzCbZ9178sjLOH6HRxIg0ACgtfMH
kh81kNidlXIgZR52PNC8Agw=
=sXoS
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1256 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1256
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.