On September 10th 2004, Trustix shared some temporary file vulnerabilities with vendor-sec. After some refinement these were made public on Sep 30. These are minor issues (impact: LOW) and therefore should be fixed in future updates, but don't deserve their own security advisory. Temporary file vulnerability in autopoint, gettextize scripts. Patch attached. These issues don't affect the scripts shipped with gettext in RHEL2.1, RHEL3.
Created attachment 105442: Proposed patch (needs backporting)
[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
See also bug 152810
Created package for FC2 using above patch.
http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.14.1-2.1.1.legacy.src.rpm
88714980739f378a18a93d68fcf62b41bdc34660 gettext-0.14.1-2.1.1.legacy.src.rpm
Does this affect FC1? If it doesn't affect RHEL3/2.1, I guess it doesn't affect RHL73/9.
Looking at the other bug, I had assumed that FC1 was not vulnerable, but now that I look at it, it does have some (not all) of the patched code. I've patched the similar parts of code as were patched for FC2, and there is an FC1 package here:
http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.12.1-1.1.legacy.src.rpm
8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23 gettext-0.12.1-1.1.legacy.src.rpm
I'll double check on the rh7 & rh9 packages later just to be sure that they don't need to be patched.
Red Hat 7.3 doesn't have any of the vulnerable code. RH9 does have some of it, so I've patched what's there that appears to be vulnerable. Here's the RH9 package:
http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.11.4-7.1.legacy.src.rpm
52c7f683312d53c41cc046b8109dd073b122d3d5 gettext-0.11.4-7.1.legacy.src.rpm
Thanks for the investigation. Unless someone jumps in, I'll do QA for these shortly.
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- 0.14 patch verified to be the same as RHEL proposal and in Gentoo; 0.12 removes a subset, 0.11 almost all. Should be OK.
I noted one typo in 0.11 patch:
+if [ $? -ne 0 ]; then + echo "ERROR making $workd_dir" + exit 1 +fi
s/workd_dir/work_dir/
This can be fixed at build time, I think.
+PUBLISH RHL9, FC1, FC2
52c7f683312d53c41cc046b8109dd073b122d3d5 gettext-0.11.4-7.1.legacy.src.rpm
8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23 gettext-0.12.1-1.1.legacy.src.rpm
88714980739f378a18a93d68fcf62b41bdc34660 gettext-0.14.1-2.1.1.legacy.src.rpm
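Review bot: in the quoted 0.11 hunk, the `echo "ERROR making $workd_dir"` line writes the failure message to stdout; redirecting it to stderr with `>&2` would keep it visible when the script's output is captured or piped. Separately, `[ $? -ne 0 ]` only reflects the command immediately before it, so nothing may be inserted between that command and the test; putting the command directly in the `if` condition would remove that dependency.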
Thanks, Pekka. Marc, if you want me to resubmit the 0.11 package (without the typo), let me know.
Packages were pushed to updates-testing
QA for RHL9: signature OK, upgrades OK, rebuilding a couple of src.rpm's using gettext works fine.
+VERIFY RH9
Timeout over.
Packages were released to updates