Bug 838162

Summary: CVE-2012-3381 sblim-sfcb: insecure LD_LIBRARY_PATH usage [epel-5]
Product: [Fedora] Fedora EPEL Reporter: Kurt Seifried <kseifried>
Component: sblim-sfcbAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: el5CC: pj.pandit, praveen_paladugu, srinivas_g_gowda, vcrhonek
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: fst_owner=pjp
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-29 12:19:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 838160    

Description Kurt Seifried 2012-07-06 21:44:22 UTC 
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=838160

epel-5 tracking bug for sblim-sfcb: see blocks bug list for full details of the security issue(s).

[bug automatically created by: add-tracking-bugs]
Comment 1 pjp 2014-11-01 10:11:33 UTC 
The patch seems to be available since long

 -> http://sourceforge.net/p/sblim/bugs/2499/#eadb

Could you please have a look?
Comment 2 Vitezslav Crhonek 2014-11-06 14:30:04 UTC 
Well, fixing this issue doesn't make much sense to me:

1) I wonder why sblim-sfcb is in EPEL, it's part of RHEL for longer time. Shouldn't it be removed from EPEL then? (I wasn't able to find it in Fedora packaging guidelines.)

2) low/low and it's resolved by using systemd in recent Fedora/RHEL releases.

But okay, if you're interested...
Comment 3 Fedora Update System 2014-11-06 14:36:59 UTC 
sblim-sfcb-1.3.8-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/sblim-sfcb-1.3.8-2.el5
Comment 4 pjp 2014-11-06 15:02:28 UTC 
  Hello Vitezslav,

(In reply to Vitezslav Crhonek from comment #2)
> Well, fixing this issue doesn't make much sense to me:
> 
> 1) I wonder why sblim-sfcb is in EPEL, it's part of RHEL for longer time.
> Shouldn't it be removed from EPEL then? (I wasn't able to find it in Fedora
> packaging guidelines.)

  Yes, if the package is available via RHEL, it makes sense to retire it from EPEL repository.

  -> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Please do retire it from EPEL.

Thank you.
Comment 5 Fedora Update System 2014-11-09 15:39:17 UTC 
Package sblim-sfcb-1.3.8-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing sblim-sfcb-1.3.8-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3849/sblim-sfcb-1.3.8-2.el5
then log in and leave karma (feedback).
Comment 6 pjp 2014-11-13 14:29:09 UTC 
  Hello Vitezslav,

Did you have chance to file for its retirement from epel-5?
Comment 7 Vitezslav Crhonek 2014-11-13 15:05:50 UTC 
Hi,

thanks for reminder, done.
Comment 8 pjp 2016-08-29 12:19:05 UTC 
EL5 branch has been retired.
  -> https://admin.fedoraproject.org/pkgdb/package/rpms/sblim-sfcb/

Closing this bug.