Red Hat Bugzilla – Bug 113756
mc vulnerable to buffer exploit in vfs from archive files
Last modified: 2007-11-30 17:10:35 EST
Description of problem:
Version-Release number of selected component (if applicable):
download link from here:
run mc, select that file.
mc in fc1 or rhl9 or rhl8 crashes
shouldn't crash - the crash is the overflow.
apply patch from here:
presto, it works.
I'll attach the patch and the spec file change.
not attaching to bugzilla - easier to link to the srpm
Created attachment 97071
Package cleanups including Seth's work. This is mainly to serve as an example
of package cleanup for the benefit of other packagers.
1. is it normal to remove someone else's changelog entries?
2. this practice of adding the version number at the end of your name
on the changelog line is completely ridiculous no matter who does it.
the reason, rpm headers have 3 fields: changelogname, changelogtime,
when you put the version at the end of your name the version is put
If you want to include the version it should be in changelogtext not
> 1. is it normal to remove someone else's changelog entries?
For RH packages yes it has been when importing external changes in the
past. I was careful to keep your name as part of the credits. In the
future I suppose that needs to change because external contributions
will become the norm.
I personally changed it mainly to reduce the amount of new stuff going
into that changelog.
> 2. this practice of adding the version number at the end of your
> name on the changelog line is completely ridiculous no matter who
> does it.
Discuss it on the list. fedora.us has been requiring that for the
past year, while RH has been doing it in most cases. I am not about to
change now unless the entire group agrees on it.
1. Boy that seems odd to me given that my name is all over the vsftpd
changelog. rpm -q --changelog vsftpd and tell me what you see.
2. I will.
1. It wasn't a policy. I just noticed it was done to me a dozen times
in various packages.
Fixed in FEDORA-2004-058.