Bug 152705

Summary: mc CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Product: [Retired] Fedora Legacy
Reporter: Barry K. Nathan <barryn>
Component: mc
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: barryn, botsch, deisenst, leonard-rh-bugzilla
Keywords: Security
Hardware: All
OS: Linux
URL: https://rhn.redhat.com/errata/RHSA-2004-173.html
Whiteboard: LEGACY, rh73
Doc Type: Bug Fix
Last Closed: 2005-05-16 12:02:12 UTC

Description David Lawrence 2005-03-30 23:24:39 UTC
This is discussed for Red Hat 9 in RHSA-2004-173 (linked from this bug).

I do not know whether these vulnerabilities affect Red Hat 7.2 through 8.0.



------- Additional Comments From skvidal.edu 2004-04-30 20:18:33 ----

boy - those cve reports are _really_ helpful.
</sarcasm>




------- Additional Comments From jonny.strom 2004-05-02 04:19:25 ----

An MC update for rh 7.3 that is continued from mc-4.5.55-6.legacy.src.rpm is
available. This backport is based on the Debian woody3 patch for mc-4.5.55. Basic
testing was done and mc is working as expected.

Please QA and download the update from:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-4.5.55-7.legacy.i386.rpm
30ef9ae0073b20f9fd9290851de4d2f8

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-4.5.55-7.legacy.src.rpm
d037f8f2f32e63bd0a286a6cb8517004

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-security_CAN-2004-0226.patch
160fc644722f754326dbcce57bd12cbc



------- Additional Comments From dwb7.edu 2004-05-04 05:48:39 ----

Hash: SHA1

rebuild source on 7.3

rpmlint shows the following patches not applied:

W: mc patch-not-applied Patch2: mc-4.5.35-fixwarning.patch
W: mc patch-not-applied Patch41: mc-4.5.51-kudzu.patch
W: mc patch-not-applied Patch30: mc-4.5.51-time.patch
W: mc patch-not-applied Patch21: samba-ia64.patch
W: mc patch-not-applied Patch20: mc-4.5.42-fixsh.patch
W: mc patch-not-applied Patch26: mc-4.5.51-stderr.patch
W: mc patch-not-applied Patch25: mc-4.5.51-showagain.patch
W: mc patch-not-applied Patch24: mc-4.5.51-initscript.patch
W: mc patch-not-applied Patch29: mc-4.5.51-fixrescan.patch
W: mc patch-not-applied Patch28: mc-4.5.51-extention.patch

is this bad?
(these appear to be commented out in the spec file)

a freshen also gave the following warning:

warning: user vcsa does not exist - using root

Other than that, builds and installs ok.

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl7tDSY7s7uPf/IURAs3vAJ95PASP290rbM7VH4UHvmLNaUahrwCcDYhE
biYjRwai+M1hb73fsYPcrJA=
=SrHr
-----END PGP SIGNATURE-----



------- Additional Comments From dwb7.edu 2004-05-04 06:39:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of the SRPM I rebuilt:

d037f8f2f32e63bd0a286a6cb8517004  mc-4.5.55-7.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8c6SY7s7uPf/IURAj+aAKDdwyCAT7D0D/FSDCm/ntqTvlu7cACdHSSS
INS/ubbLuMkjjrlM77YICKw=
=bGic
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-05-05 10:43:50 ----

Here's the file that it attempts to set to the wrong permission.

vcsa /usr/lib/mc/bin/cons.saver



------- Additional Comments From jkeating 2004-05-18 18:54:15 ----

Hrm, I just released mc for the older patch, will add this one on top of the
packages and re-issue.



------- Additional Comments From jkeating 2004-06-16 17:42:56 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
cb94798809ae1c21c884591e1f3d0cab933edada  7.3/updates-testing/SRPMS/mc-4.5.55-7.legacy.src.rpm
e5a3355aa808fb41e9d914eb2efb4b737723d157  7.3/updates-testing/i386/mc-4.5.55-7.legacy.i386.rpm



------- Additional Comments From michael 2004-06-18 06:14:31 ----

Looks like there is a bug in the latest patch affecting the autocomplete function.
I updated to mc-4.5.55-7.legacy.i386.rpm (from updates-testing) on RH 7.3. Now,
when I type some letters at the command prompt and press Meta+Tab (Esc, Tab), mc
(partially) completes the command, but it prints a space instead of the last
completion symbol.

For example, when I type "lsat" in command line and press M-Tab, mc completes it
to "lsatt " instead of "lsattr".




------- Additional Comments From jonny.strom 2004-06-18 06:37:30 ----

Well, I don't have the RH 7.3 machine I did the work on anymore, so can
someone else have a look at it?



------- Additional Comments From michael 2004-06-19 01:15:12 ----

Well, the source of the problem is in /src/complete.c (quoting part of
mc-security_CAN-2004-0226.patch):

---cut----------------------------------------------------------------
diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c  Sun May  2 16:21:26 2004
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-        char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+        char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
                                                                                
   *temp = '$';
   if (isbrace)
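Review bot: Replacing g_malloc with g_malloc0 only masks a missing string terminator if the size expression `2 + 2 * isbrace + p - *env_p` already reserves one byte beyond what is later written into `temp`; the hunk shows only `*temp = '$'` and not the subsequent copy, so the change should either note that the size includes room for the terminator or terminate the string explicitly where it is built, rather than depend on zero-filled memory.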
@@ -837,6 +837,7 @@
       *p = 0;
   }
   strncpy (in->buffer + start, text, len - start + end);
+  in->buffer[start + len - start + end - 1] = '\0';
   in->point += len;
   update_input (in, 1);
   end += len;
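Review bot: The added terminator index `start + len - start + end - 1` simplifies to `len + end - 1`, which is the last byte the preceding `strncpy (in->buffer + start, text, len - start + end)` writes (it fills `[start, len + end)`), so this line overwrites the final character of the completion instead of terminating after it, which matches the "lsatt" symptom reported above. Dropping the `- 1` puts the NUL at `len + end`, directly after the copied bytes; a check that `len + end` is below the buffer's allocated length belongs next to it, since neither the strncpy nor the new line bounds the write.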
---cut----------------------------------------------------------------


A quick fix is to remove the second part of the patch for /src/complete.c,
leaving only:

---cut----------------------------------------------------------------
diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c  Sun May  2 16:21:26 2004
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-        char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+        char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
                                                                                
   *temp = '$';
   if (isbrace)
---cut----------------------------------------------------------------


I'm not sure whether removing the line in question can compromise some security
added by the patch. It seems unlikely at first look.




------- Additional Comments From marcdeslauriers 2004-06-19 13:59:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think the offending code will affect security if it
is removed. Besides, it doesn't appear in Red Hat's patch for AS2.1,
and it is not in mc 4.6.0.

Here are rebuilt packages:

* Sat Jun 19 2004 Marc Deslauriers <marcdeslauriers> 4.5.55-8.legacy
- - Removed irrelevant complete.c part of CAN-2004-0226 to fix completion bug

633d88d6a1f93f1f8d1c9fc30a3aad2565b4d67e  mc-4.5.55-8.legacy.i386.rpm
e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-8.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA1NMtLMAs/0C4zNoRAq2xAJ49TGu7aLlvjh4rOlzzd5aOT1HOCgCfXMvG
+iH3L7+yhvdn7TxfSp8/HnU=
=xgND
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-14 11:20:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm
 
changes since the updates-testing (comment #7) version are trivial;
package compiles and tab-completion seems to work normally
 
PUBLISH
 
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBR2CpyQ+yTHz+jJkRAs86AKC2hhpqQySy+wsHKSo6Ah5atCedbwCgnZfm
inkw2hLrfHH4olt8cKf6t5s=
=XlvE
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-20 14:09:36 ----

This bug has been superseded by bug 2009



------- Additional Comments From leonard.nl 2005-01-30 03:58:49 ----

Not really superseded. They both need to be fixed.

Compare RHEL 2.1 mc-4.5.51-36.4's patch 46 for a fix for CAN-2004-0226, -0231
and -0232. (http://rhn.redhat.com/errata/RHSA-2004-172.html)

Also see
http://www.ottolander.nl/mc-patches/fc1/jumbo.parts/mc-4.6.0-jumbo.tempfile.patch
for a fix for CAN-2004-0231. This is split out from FC1's jumbo patch. Not
sure if this adds any relevant hunks.

All this effort when everybody could and should just update to CVS (the mc-4.6.1
PRE, not 4.6.1a branch) or 4.6.1 once it comes out. <sigh>




------- Additional Comments From leonard.nl 2005-03-17 08:39:35 ----

Wrt comment #10:

Have you tried removing the "- 1"? Probably an off-by-one.

   strncpy (in->buffer + start, text, len - start + end);
   in->buffer[start + len - start + end - 1] = '\0';

was replaced by:

memcpy (in->buffer + start, text, len - start + end);

in CVS.




------- Additional Comments From michael 2005-03-18 21:15:49 ----

Leonard, you're right, it's an off-by-one error.
This patch fragment looks like some code auditor's overreaction to a suspicious
line. Changed to memcpy() in CVS to not trigger suspicion again?

Anyway, leaving it in patch (with "- 1" removed) will do no harm.
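The off-by-one that the two comments above describe, as an added C model that is neither mc's code nor part of this bug report: `complete_as_patched` writes the terminator at the hunk's index `start + len - start + end - 1`, `complete_fixed` drops the `- 1`, and `run_case` runs either variant on a zeroed copy of a line. The function names, the fixed-size `scratch` buffer, the bounds check in `run_case`, and the inputs ("lsat" completed to "lsattr") are constructed for this example; the shifting of text after `end` that mc's real insert function performs is left out, so `end` is assumed to be the end of the line.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the completion insert in the quoted complete.c hunk;
 * not mc's own code. `buffer` holds a partially typed word in [start, end);
 * `text` is its completion. Text after `end` is assumed absent, so the
 * shifting done by mc's real function is omitted. */

enum { BUF_SIZE = 64 };

/* The copy step both variants share: the hunk's strncpy. Returns mc's `len`
 * (net growth of the line) so the terminator index can be written with the
 * hunk's own expression. */
static int copy_completion(char *buffer, int start, int end, const char *text)
{
    int ncopy = (int) strlen(text);                 /* the hunk's len - start + end */
    int len = ncopy + start - end;                  /* mc's adjusted len */
    strncpy(buffer + start, text, (size_t) ncopy);  /* fills [start, len + end) */
    return len;
}

/* Terminator placed exactly where the patch puts it: len + end - 1, the last
 * byte strncpy just wrote, so the final character of the completion is lost. */
const char *complete_as_patched(char *buffer, int start, int end, const char *text)
{
    int len = copy_completion(buffer, start, end, text);
    buffer[start + len - start + end - 1] = '\0';
    return buffer;
}

/* Same copy with the "- 1" removed: the NUL lands at len + end, directly after
 * the copied bytes, and the completion survives intact. */
const char *complete_fixed(char *buffer, int start, int end, const char *text)
{
    int len = copy_completion(buffer, start, end, text);
    buffer[start + len - start + end] = '\0';
    return buffer;
}

static char scratch[BUF_SIZE];

/* Run one completion on a zeroed copy of `line`; returns the resulting line
 * (static storage, overwritten per call), or NULL when the completed line plus
 * its terminator would not fit: the bounds check the hunk itself lacks. */
const char *run_case(int as_patched, const char *line, int start, int end, const char *text)
{
    if (start < 0 || end < start || (size_t) end > strlen(line) ||
        (size_t) start + strlen(text) + 1 > BUF_SIZE)
        return NULL;
    memset(scratch, 0, sizeof scratch);
    strncpy(scratch, line, BUF_SIZE - 1);
    return as_patched ? complete_as_patched(scratch, start, end, text)
                      : complete_fixed(scratch, start, end, text);
}

int main(void)
{
    /* constructed inputs: "lsat" completed to "lsattr", at column 0 and mid-line */
    printf("patched: \"%s\"\n", run_case(1, "lsat", 0, 4, "lsattr"));
    printf("fixed:   \"%s\"\n", run_case(0, "lsat", 0, 4, "lsattr"));
    printf("patched: \"%s\"\n", run_case(1, "ls -l lsat", 6, 10, "lsattr"));
    printf("fixed:   \"%s\"\n", run_case(0, "ls -l lsat", 6, 10, "lsattr"));
    return 0;
}
```

The patched variant yields "lsatt" in both positions, the fixed one "lsattr"; the difference is the single index of the terminator, which is why the hunk's extra line could be kept with the `- 1` removed, as the comment above suggests.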




------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1548 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1548
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2405.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Leonard den Ottolander 2005-04-06 13:06:52 UTC
David, could you be so kind to remove that "leonard at" address from this entry
and replace it with "leonard-rh-bugzilla at" please?


Comment 2 Pekka Savola 2005-05-16 12:02:12 UTC
This is tracked in #152889.

*** This bug has been marked as a duplicate of 152889 ***