Bug 152659 - elm security fix in rh7x
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request
unspecified
All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
http://av8.netikka.fi/~johnny/fedora_...
Depends On:
Blocks:
Reported: 2004-01-21 07:03 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2005-04-05 18:43:44 EDT

Description David Lawrence 2005-03-30 18:23:04 EST
Security announcement:
A buffer overflow vulnerability was found in the frm command.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0966

I did an ldd on the original binary files and the new binary files and they look
the same.

And here are the URLs to the security updates:
RH73: http://av8.netikka.fi/~johnny/fedora_legacy/rh73/elm-2.5.6-4.legacy.src.rpm
MD5SUM: bb59970198a89453c9e34471cc740178
PATCH: http://av8.netikka.fi/~johnny/fedora_legacy/rh73/elm-2.5.6-security.patch
MD5SUM: df64ee71302d39ebcd0d4b03c583f132



------- Additional Comments From bugs.michael@gmx.net 2004-01-21 09:21:59 ----

* I would suggest including "CAN-2003-0966" in the patch filename or at least as
a comment above "Patch5" in the spec file.

* Spec changelog entry is missing.

* As part of checking the build dependencies, I did a test build on rh73. Builds
fine. Extra test for rh72 is not needed. See below.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bb59970198a89453c9e34471cc740178  elm-2.5.6-4.legacy.src.rpm

* Applied patch for CAN-2003-0966 is syntactically and semantically
  correct and does not need any extra build test for rh72.

* There is no difference between the rh72 src.rpm (2.5.6-1) and
  the rh73 src.rpm (2.5.6-2) other than a bumped release due to
  a rebuild for rh73.

* src.rpm has NO signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFADtEQ0iMVcrivHFQRAs/FAKCApEkB2cBC10R4A8cP5nuLTfZXdACfSf9t
U9pAtzgy1Em/Mi3c36x+mz0=
=GdMR
-----END PGP SIGNATURE-----

* rpmdiff against rh73 elm-2.5.6-2.i386.rpm:

--- rpmlsv.old	Wed Jan 21 20:00:52 2004
+++ rpmlsv.new	Wed Jan 21 20:01:05 2004
@@ -3,12 +3,12 @@
 -rwxr-xr-x  root  root    350828  /usr/bin/elm
 -rwxr-xr-x  root  root     25241  /usr/bin/elmalias
 -rwxr-xr-x  root  root     21779  /usr/bin/fastmail
--rwxr-xr-x  root  root     47686  /usr/bin/frm
+-rwxr-xr-x  root  root     47718  /usr/bin/frm
 -rwxr-xr-x  root  root       824  /usr/bin/listalias
 -rwxr-xr-x  root  root       946  /usr/bin/messages
 -rwxr-xr-x  root  root     30209  /usr/bin/newalias
 -rwxr-xr-x  root  root     46567  /usr/bin/newmail
--rwxr-xr-x  root  root     47686  /usr/bin/nfrm
+-rwxr-xr-x  root  root     47718  /usr/bin/nfrm
 -rwxr-xr-x  root  root       449  /usr/bin/printmail
 -rwxr-xr-x  root  root      8571  /usr/bin/prlong
 -rwxr-xr-x  root  root     28003  /usr/bin/readmsg
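Review bot: the only entries that change are /usr/bin/frm and /usr/bin/nfrm, each from 47686 to 47718 bytes, which is the footprint expected from a small bounded-copy patch in one source file; since nfrm's size tracks frm's exactly before and after, the fix evidently reaches both names. The `---`/`+++` headers only say rpmlsv.old and rpmlsv.new; recording the two compared package names there (as the later rh73 listing in this ticket does) would make the hunk self-describing.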



------- Additional Comments From jonny.strom@netikka.fi 2004-01-21 09:58:42 ----

I added the changelog entry in the spec file together with the "CAN-2003-0966" entry.

So the new src RPM is located here:
RH73: http://av8.netikka.fi/~johnny/fedora_legacy/rh73/elm-2.5.6-4.legacy.src.rpm
MD5SUM: de1f2feee94ca7012806a5b6b5ac7013



------- Additional Comments From bugs.michael@gmx.net 2004-01-21 11:01:31 ----

I think the definition of "trust" is different with Fedora Legacy, hence I don't
set the publish keyword, but vote for publishing this one (release number
decision pending, see comment 1).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2e0188e786b08b19cceefacdec08086f  elm-2.5.6-4.legacy.src.rpm

* src.rpm has NO signature
* diff against previous release 4 is good

++PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFADujs0iMVcrivHFQRAp77AKCCNTmjYHi+SrQIQVORjwpXgYOXqgCfRyaP
GiPEs+mplJOeftAe0NECgN4=
=HQ1V
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-01-21 15:27:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of package in comment #2 does not match.

7.3

2e0188e786b08b19cceefacdec08086f  elm-2.5.6-4.legacy.src.rpm

+ echo 'Patch #5 (elm-2.5.6-security.patch):'
Patch #5 (elm-2.5.6-security.patch):
+ patch -p1 -b --suffix .security -s

Builds fine. Installs fine. Basic functionality test works.

7.2 builds fine as well.

Second vote for publish, I'll dump them into updates-testing tonight.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFADyZ54v2HLvE71NURAssKAJ4oWPQoze3+GqfzwKzzpSzapTh0tQCfaIfv
Z8G3hZVREyHV66rYqiUlYXA=
=Yitp
-----END PGP SIGNATURE-----



------- Additional Comments From bugs.michael@gmx.net 2004-01-22 00:40:07 ----

* rh73:

Packages in updates-testing are not signed.

$ rpm -Kv elm-2.5.6-4*
elm-2.5.6-4.legacy.i386.rpm:
MD5 sum OK: 434501ddc22e78fc65ddad28988532fa
elm-2.5.6-4.legacy.src.rpm:
MD5 sum OK: 1d028a131906e83a9e16a9f679d8e064

Else they are okay based on similar checks as before.

* rh72:

elm-2.6.5-1.i386.rpm binaries are stripped
elm-2.6.5-3.legacy.i386.rpm binaries are not stripped

Someone with access to an up-to-date rh72 please check whether rebuilding
elm-2.6.5-1.src.rpm (the one shipped by Red Hat) ends up with binaries not stripped.




------- Additional Comments From jkeating@j2solutions.net 2004-01-22 06:03:19 ----

Signed the packages. Stupid manual process (more like stupid me). I'll
investigate the strip issue today.



------- Additional Comments From bugs.michael@gmx.net 2004-01-22 07:03:25 ----

* The "not stripped" check on rh72 is only to rule out any problems with the
rh72 build system. Binaries on rh73 are not stripped by default either.

* Packages VERIFIED. If nobody does an extra verification on rh72, this should
suffice. After all, it's just a strcpy/strncpy patch.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

8b8664d6ee503f6f02d52c6130f62409  elm-2.5.6-3.legacy.i386.rpm
c0518db4692489c595a4b488e85414c4  elm-2.5.6-3.legacy.src.rpm

ae2caf9a0e8f25377888fc722925255e  elm-2.5.6-4.legacy.i386.rpm
673a1ac7a002df46bc0c59020b70048a  elm-2.5.6-4.legacy.src.rpm


rh73:

  --- rpmlsv.elm-2.6.5-2.i386.rpm
  +++ rpmlsv.elm-2.6.5-4.legacy.i386.rpm
  @@ -3,12 +3,12 @@
   -rwxr-xr-x  root  root    350828  /usr/bin/elm
   -rwxr-xr-x  root  root     25241  /usr/bin/elmalias
   -rwxr-xr-x  root  root     21779  /usr/bin/fastmail
  --rwxr-xr-x  root  root     47686  /usr/bin/frm
  +-rwxr-xr-x  root  root     47718  /usr/bin/frm
   -rwxr-xr-x  root  root       824  /usr/bin/listalias
   -rwxr-xr-x  root  root       946  /usr/bin/messages
   -rwxr-xr-x  root  root     30209  /usr/bin/newalias
   -rwxr-xr-x  root  root     46567  /usr/bin/newmail
  --rwxr-xr-x  root  root     47686  /usr/bin/nfrm
  +-rwxr-xr-x  root  root     47718  /usr/bin/nfrm
   -rwxr-xr-x  root  root       449  /usr/bin/printmail
   -rwxr-xr-x  root  root      8571  /usr/bin/prlong
   -rwxr-xr-x  root  root     28003  /usr/bin/readmsg
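Review bot: the `---`/`+++` headers name the compared packages elm-2.6.5-2.i386.rpm and elm-2.6.5-4.legacy.i386.rpm, but the digests listed above this hunk are for elm-2.5.6-4.legacy; the version in the headers looks transposed and should read 2.5.6 so the listing matches the artifact it certifies. The changed lines themselves (frm and nfrm, 47686 to 47718 bytes) are identical to the rpmdiff in comment 1.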


rh72: ---no rh72 system to test this on---

elm-2.6.5-3.legacy.i386.rpm installs and works on rh73 (!) and looks
good with regard to package contents and dependencies.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAEALd0iMVcrivHFQRAnJ8AJ9jVb0zxzuAPZaIDBY4vdtzkg97hgCbBTr/
XStFV9uOU27L6CScokf7hqc=
=RV+9
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-01-22 07:06:39 ----

I have downloaded the test version of elm and from my testing it works OK
on RH 7.3.



------- Additional Comments From jkeating@j2solutions.net 2004-01-22 07:42:02 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Packages published to download.fedoralegacy.org updates-testing

http://download.fedoralegacy.org/redhat/

638ec1d1bee210ac094a9264a09c4aba24708620  7.2/updates-testing/SRPMS/elm-2.5.6-3.legacy.src.rpm
58e7d0bbb603585ea19fd7a25abe2375e3e1d991  7.2/updates-testing/i386/elm-2.5.6-3.legacy.i386.rpm

29d060d14c7fda79e26db4a8b5022e4f74efb826  7.3/updates-testing/SRPMS/elm-2.5.6-4.legacy.src.rpm
1146719b902bee3221cc8fdd571675497cd602bd  7.3/updates-testing/i386/elm-2.5.6-4.legacy.i386.rpm

Please verify in production.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAEAr24v2HLvE71NURAgZQAJ9AfrOiuvf2H1yK3hlO4k8vmYTRlwCfQFty
Ru8CP1bKHs8D8bhXyAw4G+s=
=/v/W
-----END PGP SIGNATURE-----



------- Additional Comments From bugs.michael@gmx.net 2004-01-22 09:17:00 ----

> Please verify in production.

Again? What results do you expect from continued testing? IMO, you are carrying
this release procedure too far. The applied patch is a simple
strcpy/strncpy replacement which does not have any side-effects. This is a
trivial security update. This one shouldn't take days to get the fix published.
It's not worth it. Other issues need more attention.

[If you have doubts that something might be wrong with the rh72 build, rebuild
the previous src.rpm (release '1') and do a diff on the resulting binary rpm
against the '3' legacy release. It should look similar to comment 7.]

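Comments 7 and 10 describe the fix as a plain strcpy-to-strncpy replacement. The actual elm patch is not reproduced in this ticket, so the C below is an added illustration of that class of change, written for this page rather than taken from elm or Fedora Legacy. The buffer size (FIELD_LEN), the function names and the 200-byte constructed input are all assumptions. The point worth checking in any such patch is visible in copy_field_bounded: strncpy does not NUL-terminate when the source fills the buffer, so the fix has to write the terminator itself.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size header-field buffer, standing in for the kind of
 * buffer a mail-summary tool like frm fills from message headers. The size
 * and all names here are assumptions for illustration, not elm's code. */
#define FIELD_LEN 64

/* Unbounded copy: the pattern behind CAN-2003-0966-style overflows. If src
 * holds FIELD_LEN or more bytes, strcpy writes past the end of dst. */
void copy_field_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded replacement. strncpy alone is not enough: when src is at least
 * dstsize bytes long it leaves no terminator, so one is written explicitly.
 * Returns 1 if the input was truncated, 0 otherwise, so callers can log it. */
int copy_field_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) > dstsize - 1;
}

/* Probe helpers: build a constructed n-byte source of 'A's (capped at 511),
 * run the bounded copy into a FIELD_LEN buffer and report what a caller sees. */
static void make_source(char *src, size_t cap, size_t n)
{
    if (n >= cap)
        n = cap - 1;
    memset(src, 'A', n);
    src[n] = '\0';
}

size_t stored_len_after_bounded_copy(size_t n)
{
    char src[512], dst[FIELD_LEN];
    make_source(src, sizeof src, n);
    copy_field_bounded(dst, sizeof dst, src);
    return strlen(dst);
}

int bounded_copy_was_truncated(size_t n)
{
    char src[512], dst[FIELD_LEN];
    make_source(src, sizeof src, n);
    return copy_field_bounded(dst, sizeof dst, src);
}

int main(void)
{
    /* The unbounded routine is only ever called with a short constant here;
     * feeding it the 200-byte constructed input would overflow dst. */
    char dst[FIELD_LEN];
    copy_field_unbounded(dst, "short value");
    printf("unbounded copy of a short value: \"%s\"\n", dst);
    printf("bounded copy of 200 bytes stores %zu bytes, truncated=%d\n",
           stored_len_after_bounded_copy(200), bounded_copy_was_truncated(200));
    return 0;
}
```

The return value of copy_field_bounded is there so that truncation is observable: a header field silently cut to 63 bytes is harmless for a summary tool, but a reviewer of the real patch would still want to confirm that every caller of the old strcpy was converted and that the terminator is written on each path.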



------- Additional Comments From bugs.michael@gmx.net 2004-01-22 09:19:41 ----

Oh, btw, something's wrong with your MD5 digests in comment 9. Why are they
different from those in my comment 7?




------- Additional Comments From jkeating@j2solutions.net 2004-01-22 09:23:05 ----

Comment #10>

I thought that was what the procedure was.  Test the build stuff during QA, push
to updates-testing.  Once in updates-testing, test in production and if a vote
of Verified is given, then push to full updates.  We have done the QA->PUBLISH
step, all that is missing is VERIFIED in production.  This was based on
conversations with Warren.  Is this not the correct policy?

Comment #11> 

That's because they aren't md5sums, they are sha1sums, which is a stronger
checksum less prone to birthday attacks and such. sha1sums will be the policy
for Fedora Legacy related packages.

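The mix-up in comments 9, 11 and 12 (the published digests were SHA-1 while every earlier digest in the ticket was MD5) is the kind of thing a verification step should detect instead of a human. The POSIX sh below is an added example written for this page, not Fedora Legacy tooling: it infers the algorithm from the digest's length (32 hex characters for MD5, 40 for SHA-1), runs the matching coreutils tool (md5sum or sha1sum, as used in the ticket) and compares. The demo file is a constructed empty file, and the two good digests in the demo are the well-known MD5 and SHA-1 of empty input; the all-zero digest is a deliberate mismatch.

```sh
#!/bin/sh
# Added example (not Fedora Legacy tooling): verify a file against a
# published hex digest, choosing md5sum or sha1sum by the digest's length.

# Print the algorithm a hex digest belongs to: 32 chars -> md5, 40 -> sha1.
# Prints "unknown" and returns 1 for anything else (wrong length or non-hex).
digest_algo() {
    case "$1" in
        *[!0-9a-fA-F]*|"") echo unknown; return 1 ;;
    esac
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        *)  echo unknown; return 1 ;;
    esac
}

# verify_digest EXPECTED FILE
# Exit status: 0 on match, 1 on mismatch (or unreadable file),
# 2 when the digest is not recognised as MD5 or SHA-1.
verify_digest() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    algo=$(digest_algo "$expected") || return 2
    # coreutils md5sum/sha1sum print "<digest>  <name>"; keep the first field.
    actual=$("${algo}sum" "$2" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on a constructed sample: an empty file, checked against its
# well-known MD5 and SHA-1 and against one deliberately wrong MD5.
sample=$(mktemp)
: > "$sample"
for d in d41d8cd98f00b204e9800998ecf8427e \
         da39a3ee5e6b4b0d3255bfef95601890afd80709 \
         00000000000000000000000000000000; do
    if verify_digest "$d" "$sample"; then
        echo "$(digest_algo "$d") OK       $d"
    else
        echo "$(digest_algo "$d") MISMATCH $d"
    fi
done
rm -f "$sample"
```

Inferring the algorithm from the length only tells you which tool to run; a matching digest says the download is what the poster hashed, not who the poster was. That is why the ticket keeps flagging "src.rpm has NO signature" and checks with rpm -Kv separately: the signature, not the digest, carries authenticity.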


------- Additional Comments From jkeating@j2solutions.net 2004-01-22 09:26:05 ----

D'oh, saw your verified vote. My bad. I'll draft up a release announcement
today and publish it. I was looking for "VERIFIED" in the keywords; I realize now
that this is the wrong place to look.



------- Additional Comments From bugs.michael@gmx.net 2004-01-22 09:41:42 ----

Ok, SHA1 then. Everywhere else in this ticket, it was MD5. ;)

> I was looking for "VERIFIED" in the keywords,

VERIFIED is not a keyword, it's a bugzilla ticket status:
https://bugzilla.fedora.us/bug_status.html

Notice the "Mark bug as VERIFIED" below the "Additional Comments" text box.

I would have changed the bug to "verified" if this was fedora.us, not fedora legacy.




------- Additional Comments From jkeating@j2solutions.net 2004-01-22 09:47:42 ----

Gotcha, sorry, was a bit confused.  I'll tag it verified and push the release
out tonight.  Thanks for the help!



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:23 -------

This bug previously known as bug 1230 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1230
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have an account here. Reassigning to
the person who moved it here, dkl@redhat.com. Previous reporter was
jonny.strom@netikka.fi.
Setting qa contact to the default for this product. This bug either had no qa
contact or an invalid one.

