It was reported [1] that the OAuth implementation in librest, a helper library for RESTful services part of the GNOME project, incorrectly truncates the pointer returned by the rest_proxy_call_get_url function call, leading to an application crash, or worse.
Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=742644
Commit: https://git.gnome.org/browse/librest/commit/?id=b50ace7738ea038
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1183982
Created rest tracking bugs for this issue:
Affects: fedora-all [bug 1204682]
Vasyl: why is this a bug in Fedora?
The commit referenced landed upstream in September 2015, we're running 0.7.93 across all current Fedora releases (21 -> 24) which was released with the fix in March 2015. It's also referenced in comment 2 [1] in the upstream bug that this was fixed upstream
[1] https://bugzilla.gnome.org/show_bug.cgi?id=742644#c2
(In reply to Peter Robinson from comment #3)
> Vasyl: why is this a bug in Fedora?
>
> The commit referenced landed upstream in September 2015, we're running
> 0.7.93 across all current Fedora releases (21 ->24) which was released with
> the fix in March 2015. It's also referenced in comment 2 [1] in the upstream
> bug that this was fixed upstream
>
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=742644#c2
Peter, it was an issue for Fedora when this flaw bug was filed, see https://bugzilla.redhat.com/show_bug.cgi?id=1204682 (Fedora security tracker bug for this issue). I.e. Fedora was affected, the problem was resolved in BZ 1204682, no further actions required from Fedora side. Hope this answers your question.
Not sure why I only just got alerts then, all of the emails dated a few days ago, didn't take note of the dates in the actual BZ bits above.
(In reply to Peter Robinson from comment #5)
> Not sure why I only just got alerts then, all of the emails dated a few days
> ago, didn't take note of the dates in the actual BZ bits above
Hi Peter, CVE/Flaw bugs are not supposed to be closed until all affected products are fixed. Maybe you wanted to close the bug that was opened for Fedora.
> CVE/Flaw bugs are not supposed to be closed until all affected products are
> fixed. May be you wanted to close bug that was opened for Fedora.
Close whatever ones you want, it's not a problem in Fedora.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2237 https://rhn.redhat.com/errata/RHSA-2015-2237.html