Description of problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023 Version-Release number of selected component (if applicable): mc-4.6.0-6 How reproducible: every time download link from here: http://mail.edunet.ru/Lists/bugtraq.securityfocus.com/Message/326.html run mc, select that file. mc in fc1 or rhl9 or rhl8 crashes shouldn't crash - the crash is the overflow. apply patch from here: http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-vfs-tar-symlink.patch presto, it works. I'll attach the patch and the spec file change.
not attaching to bugzilla - easier to link to the srpm http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-4.6.0-7.src.rpm
Created attachment 97071 [details] mc.spec.patch Package cleanups including Seth's work. This is mainly to serve as an example of package cleanup for the benefit of other packagers.
1. is it normal to remove someone else's changelog entries? 2. this practice of adding the version number at the end of your name on the changelog line is completely ridiculous no matter who does it. the reason, rpm headers have 3 fields: changelogname, changelogtime, changelogtext. when you put the version at the end of your name the version is put into changelogname. If you want to include the version it should be in changelogtext not in changelogname.
> 1. is it normal to remove someone else's changelog entries? For RH packages yes it has been when importing external changes in the past. I was careful to keep your name as part of the credits. In the future I suppose that needs to change because external contributions will become the norm. I personally changed it mainly to reduce the amount of new stuff going into that changelog. > 2. this practice of adding the version number at the end of your > name on the changelog line is completely ridiculous no matter who > does it. Discuss it on the list. fedora.us has been requiring that for the past year, while RH has doing it in most cases. I am not about to change now unless the entire group agrees on it.
1. Boy that seems odd to me given that my name is all over the vsftpd changelog. rpm -q --changelog vsftpd and tell me what you see. 2. I will.
1. It wasn't a policy. I just noticed it was done to me a dozen times in various packages.
Fixed in FEDORA-2004-058.