Bug 19283
Summary: | compat-egcs-5.2 cannot co-exist with compat-egcs-6.2 | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Ronald Cole <ronald> |
Component: | compat-egcs | Assignee: | Jakub Jelinek <jakub> |
Status: | CLOSED DEFERRED | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | ||
Hardware: | i386 | ||
OS: | Linux | ||
Last Closed: | 2000-10-17 22:26:00 UTC | Type: | --- |
Description
Ronald Cole
2000-10-17 20:13:15 UTC
Just to clarify: compat-egcs-6.2 is *not* an update to compat-egcs-5.2. They are separate and distinct compatibility packages: thus "rpm -i" and "rpm -U" do the "wrong thing". The packages should properly be called compat-egcs52 and compat-egcs62 so that they can co-exist and rpm will do the "right thing" with them and their ilk. Also, it would be wise to apply the recent security fixes to compat-glibc-5.2.

You can rpm2cpio compat-*-5.2 | cpio -id into the system. We'll consider putting the version into the compat names for future distributions. As for security fixes to compat-glibc-5.2, all of the security issues were related to setuid/setgid programs. But running a dynamically linked setuid/setgid program using /usr/*-glibc20-linux/lib/ld-linux.so.2 does not honour those setuid/setgid bits (because you get rights of ld-linux.so.2, not the actual program you're running) and thus in order to exploit the bug you'd either have to explicitly put the /usr/*-glibc20-linux/lib/ld-linux.so.2 interpreter into the binary (but why would anyone do that) or link statically (again, I see no reason compiling setuid/setgid statically linked programs against compatibility libraries).

I was referring to the glibc locale and internationalization security checks errata. In the words of the errata, "It is highly probable that some of these bugs can be used for local root exploits." If you do change your mind and issue an errata for the compat-*-5.2 packages (hopefully changing the names to compat-*52), then please consider adding the fix for bug #19289.

All the bugs fixed by that security errata were only relevant to setuid/setgid programs, see above why I don't think this matters in the compat library.
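The thread names two cases in which the compat glibc could matter for a privileged program: a setuid/setgid binary that embeds the /usr/*-glibc20-linux/lib/ld-linux.so.2 interpreter, or one that is statically linked. The following audit sketch is an added example, not part of the bug report or of any Red Hat tooling; the function names and verdict strings are made up for illustration, and static binaries are only flagged for manual review because ELF headers do not record which libc was linked in.

```python
import fnmatch, os, stat, struct, sys

COMPAT_INTERP = "/usr/*-glibc20-linux/lib/ld-linux.so.2"  # path quoted in the thread
PRIV = stat.S_ISUID | stat.S_ISGID
PT_INTERP = 3
# EI_CLASS -> (word format, e_phoff offset, e_phentsize offset, p_offset, p_filesz)
LAYOUT = {1: ("<I", 28, 42, 4, 16), 2: ("<Q", 32, 54, 8, 32)}

def elf_interp(data):
    """PT_INTERP path of a little-endian ELF; "" if none (static); None if not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[5] != 1 or data[4] not in LAYOUT:
        return None
    word, phoff_at, num_at, off_at, size_at = LAYOUT[data[4]]
    phoff, = struct.unpack_from(word, data, phoff_at)
    phentsize, phnum = struct.unpack_from("<HH", data, num_at)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if ph + size_at + 8 > len(data):
            return None  # truncated program header table
        if struct.unpack_from("<I", data, ph)[0] == PT_INTERP:
            off, size = (struct.unpack_from(word, data, ph + a)[0] for a in (off_at, size_at))
            return data[off:off + size].split(b"\0")[0].decode("ascii", "replace")
    return ""

def classify(mode, data):
    """Verdict for one file from its st_mode and contents (verdict names are made up here)."""
    interp = elf_interp(data) if mode & PRIV else None  # only setuid/setgid files matter
    if interp == "":
        return "review-static"   # headers do not say which libc was linked in
    if interp and fnmatch.fnmatchcase(interp, COMPAT_INTERP):
        return "compat-interp"   # compat loader embedded in a privileged binary
    return "ok"

def audit(root):
    """List (path, verdict) for flagged setuid/setgid regular files under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            try:
                mode = os.lstat(path).st_mode
                if stat.S_ISREG(mode) and mode & PRIV:
                    with open(path, "rb") as f:
                        hits.append((path, classify(mode, f.read())))
            except OSError:
                continue  # unreadable file: skip it
    return [h for h in hits if h[1] != "ok"]

if __name__ == "__main__":
    for path, verdict in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(verdict, path)
```

Run it as root with a directory argument so that unreadable setuid files are not silently skipped.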