Two issues with mc have been reported to the Debian BTS. You can find more information here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295261
This issue should also affect RHEL2.1.
Please compare https://bugzilla.fedora.us/show_bug.cgi?id=2405 and http://www.debian.org/security/2005/dsa-639 (mc CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 and CAN-2004-1176). These issues all affect mc <= 4.5.55. CAN-2004-1004, -1005 and 1176 affect mc-4.6.0. These issues do *not* affect RHEL 4. Sorry for not opening a bug report for RHEL 2.1 for this. Too busy with Fedora Legacy (RHL 7.3).
Fixed in CVS. ChangeLog says:
- port patch for CAN-2004-1176 from upstream CVS
- port from fedora legacy - Leonard den Ottolander (#148864):
  - CAN-2004-1004 - clean
  - CAN-2004-1005 - drop charsets.c, boxes.c, cpio.c hunks, fixed in 4.5.51, port sfs.c and key.c
Leonard, please let me know if you want the patches for 4.5.51.
CAN-2004-1004 Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.
CAN-2004-1005 Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.
CAN-2004-1176 Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-217.html
What about CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174 and CAN-2004-1175 ?? Those issues affect mc <= 4.5.55 so they should also be fixed for RHEL 2.1. It seems you think only CAN-2004-1004, CAN-2004-1005 and CAN-2005-1176 are relevant for RHEL 2.1. This is a false assumption.
The full advisory for Debian features these bugs:
* CAN-2004-1004 Multiple format string vulnerabilities
* CAN-2004-1005 Multiple buffer overflows
* CAN-2004-1009 One infinite loop vulnerability
* CAN-2004-1090 Denial of service via corrupted section header
* CAN-2004-1091 Denial of service via null dereference
* CAN-2004-1092 Freeing unallocated memory
* CAN-2004-1093 Denial of service via use of already freed memory
* CAN-2004-1174 Denial of service via manipulating non-existing file handles
* CAN-2004-1175 Unintended program execution via insecure filename quoting
* CAN-2004-1176 Denial of service via a buffer underflow
Leonard, thanks for noticing this. Josh, do we need to open another bug for the noted CANs?
Jindrich, Yes we'll want to open a new bug for all these issues. We also need to figure out what these are and find some fixes. Do you know if/when upstream has fixed these?
CAN-2004-1009: mc-4.5.51 (RHEL2.1) vulnerable, FC3/devel versions unaffected (gnome support dropped)
CAN-2004-1090: mc-4.5.51 (RHEL2.1) vulnerable, patch applied in FC3/devel mc version
CAN-2004-1091: mc-4.5.51 (RHEL2.1) vulnerable, FC3/devel versions unaffected (gnome support dropped)
CAN-2004-1092: mc-4.5.51 (RHEL2.1) NOT vulnerable -> no implementation for mc_mkstemps(), FC3/devel versions unaffected (no gnome support, fixed implementation of mc_mkstemps)
CAN-2004-1093: mc-4.5.51 (RHEL2.1) vulnerable, FC3/devel mc unaffected
CAN-2004-1174: mc-4.5.51 (RHEL2.1) vulnerable, FC3/devel mc unaffected
CAN-2004-1175: mc-4.5.51 (RHEL2.1) vulnerable, FC3/devel mc unaffected
Josh, could you please open a new bug for this? Note that only RHEL2.1 mc is affected.
Closing ERRATA again because the CANs reported by the original bugreport are resolved and erratum is released.
Josh, Just follow the pointers that I put in comment #2. See the SRPM for RHL 7.3 or dig into Debian's patch archive to extract the appropriate patches. They are clearly commented, but IIRC they are diffs of diffs.