Bug 152661 - slocate security fix rh72, rh73, rh80 / CAN-2003-0848
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Reported: 2004-01-22 15:26 UTC by Michael Schwendt
Modified: 2014-01-21 22:51 UTC (History)
Doc Type: Bug Fix
Description David Lawrence 2005-03-30 23:23:06 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848

Previous src.rpm release of slocate was:

rh72: 2.6-1
rh73: 2.6-1
rh80: 2.6-4 (just rebuilt several times)

Fixed src.rpm:
http://xmms-fc.sf.net/slocate-2.6-5.src.rpm

Contains the patch from Red Hat's rh9 erratum:
ftp://updates.redhat.com/9/en/os/SRPMS/slocate-2.7-2.src.rpm



------- Additional Comments From bugs.michael 2004-01-22 11:13:05 ----

Alternatively the non-backport:
rh73: http://xmms-fc.sf.net/slocate-2.7-0.7.3.src.rpm

rh72: same package (release should become 0.7.2)
rh80: same package (release should become 0.8)

That is the rh9 erratum plus these fixes from me:

- Fix automake regeneration (adds buildreq autoconf,automake).
- Clear buildroot at beginning of %%install.
- Copyright->License, Prereq->Requires(pre,preun).

Built package works fine on rh73/rh80.

[...]

The difference between slocate 2.6 and slocate 2.7 is

+2.7 - Wanderlei Antonio Cavassin <cavassin.br> fixed a segfault
+      when a regular expression error occurs.
+    - Fixed the --regexp= option. It was not working properly.
+    - Added a minor patch added to the Debian version of slocate.
+    - Fix printf-is-a-macro issue (gcc 3.0).  Patch courtesy of 
+      rbradetich.
+    - Fixed a segfault when -r regex is used with an extra search string.

plus two small patches from Red Hat:

+* Thu Apr  3 2003 Bill Nottingham <notting> 2.6-9
+- initial fix for machines with unsigned char (#86257)
+
+* Wed Feb 19 2003 Bill Nottingham <notting> 2.6-8
+- add sfs to excludes in updatedb.conf (#54864)




------- Additional Comments From notting 2004-01-22 11:22:59 ----

Note that there are two segfault fixes in 2.7 that aren't in the RHL 9
addon-to-2.7 patch.



------- Additional Comments From bugs.michael 2004-01-22 11:36:19 ----

Could you rephrase that, please? What is missing in my 2.7-* src.rpm?




------- Additional Comments From notting 2004-01-22 11:37:53 ----

Nothing is missing in the 2.7-* RPM. But if you build 2.6 + the patch in the
RHL9 2.7 RPM, you're missing two fixes.



------- Additional Comments From bugs.michael 2004-01-22 11:42:18 ----

Of course. That's why I've asked for opinions whether to go the 2.6 route plus
patches (e.g. from Yarrow's slocate-2.6-10) or the 2.7 route. I don't see
anything wrong with the 2.7 route, except maybe the rh80 package could depend
specifically on automake 1.4.




------- Additional Comments From jkeating 2004-01-26 17:16:15 ----

Given that RH has released slocate 2.7 for RHEL 2.1,
and very few things change according to Notting:
 
a) an ordering of operations to prevent a segfault
 
b) a check in reading the db to peacefully abort instead
of segfault
 
c) an internal function to make sure that the '-r' option
 works right
 
I think we're safe in bumping up to 2.7.  Please
QA the 2.7 rpm for PUBLISH.
 



------- Additional Comments From Freedom_Lover 2004-01-28 11:23:31 ----

slocate QA on Red Hat 7.3

using http://xmms-fc.sf.net/slocate-2.7-0.7.3.src.rpm
00ef79c33e65db1adde51f4dc2642177  slocate-2.7-0.7.3.src.rpm

* package is signed by Michael Schwendt <mschwendt.net> (0xB8AF1C54)
* source and patch files match those from RHEL2.1[1] and from dist site[2]
* detached gpg signature[3] from dist site verifies
* SPEC differs from previous RH SPEC only in ways detailed by %changelog
* package builds fine on RH 7.3
* ldd on /usr/bin/slocate matches previous RH package
* subsequent updatedb and locate commands work as expected

* minor issue in SRPM, source URL is incorrect.  correct URL is:
    ftp://ftp.geekreview.org/slocate/src/slocate-2.7.tar.gz

[1] ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/slocate-2.7-1.src.rpm
[2] ftp://ftp.geekreview.org/slocate/src/slocate-2.7.tar.gz
[3] ftp://ftp.geekreview.org/slocate/slocate-2.7.tar.gz.sign

Vote PUBLISH





------- Additional Comments From dawson 2004-02-03 07:31:29 ----

I have recompiled the source rpm from 
http://xmms-fc.sf.net/slocate-2.7-0.7.3.src.rpm
on a Red Hat 7.3 machine.
It compiled without any problems, installed without any problems.
I ran the daily cron, and updated the database with no problems.  I was able to
do a 'locate', again with no problems.
I do not know how to exploit the security vulnerability, so I was unable to test
that.
I give it a thumbs up.
Troy Dawson



------- Additional Comments From skvidal.edu 2004-02-04 06:06:46 ----

I just pushed the 2.7 build out locally to 7.3 machines. Will let you know what
I see, if anything.



------- Additional Comments From heinlein.edu 2004-02-06 05:25:22 ----

I pushed slocate-2.7-1.8.0.legacy out to a half-dozen Red Hat 8.0
hosts. So far, everything works as expected.

Vote PUBLISH.



------- Additional Comments From warren 2004-02-07 14:37:44 ----

You folks are talking about totally different versions of this package and it is
very confusing.  Another point is that it is potentially dangerous to increment
the leftmost release number, especially in cases where Version is equal to newer
distributions.  We cannot create a situation where a dist upgrade will fail due
to package versions conflicting.  I will post to legacy list about this.




------- Additional Comments From bugs.michael 2004-02-07 15:58:14 ----

Package release versioning is okay. First packages of slocate 2.7 are 2.7-1 in
Red Hat Enterprise Linux 2.1 errata, 2.7-2 in Red Hat Linux 9 errata and 2.7-4
in Fedora Core 1 updates.




------- Additional Comments From bugs.michael 2004-02-07 16:00:52 ----

Though, I think, Jesse should have announced/linked his updates to -1.7.2,
-1.7.3 and -1.8.0 somewhere. ;)
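
Added example, not part of the original thread and not rpm's own code: a Python re-implementation of rpm's classic segment-wise version comparison, run over the version-release strings quoted in this bug to check that the legacy builds sort below the Red Hat Linux 9 and Fedora Core 1 updates. The release string 2.7-2.7.3.legacy is constructed for illustration; epoch and '~'/'^' handling are left out as an assumption.

```python
import re

def _cmp(x, y):
    return (x > y) - (x < y)

def rpmvercmp(a, b):
    """Classic rpm segment-wise comparison (no '~' or '^' handling)."""
    while a or b:
        # Separators such as '.' only delimit segments; drop them.
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a).group()
        match_b = re.match(pattern, b)
        if match_b is None:
            # Mixed types: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        seg_b = match_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        rc = _cmp(int(seg_a), int(seg_b)) if numeric else _cmp(seg_a, seg_b)
        if rc:
            return rc
    # All shared segments equal: the string with segments left over is newer.
    return _cmp(bool(a), bool(b))

def evr_cmp(x, y):
    """Compare 'version-release' strings (no epoch; none appears in this bug)."""
    (v1, r1), (v2, r2) = x.split("-", 1), y.split("-", 1)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def broken_steps(chain):
    """Return adjacent pairs where the later package does not compare newer."""
    return [(old, new) for old, new in zip(chain, chain[1:])
            if evr_cmp(old, new) >= 0]

# Version-release strings quoted in this bug, ordered along the upgrade path:
# rh73 original, first candidate, rh73 legacy build, rh80 legacy build,
# Red Hat Linux 9 erratum, Fedora Core 1 update.
UPGRADE_PATH = ["2.6-1", "2.7-0.7.3", "2.7-1.7.3.legacy",
                "2.7-1.8.0.legacy", "2.7-2", "2.7-4"]

# Constructed counter-example: the leftmost release number bumped to 2.
RISKY = "2.7-2.7.3.legacy"

if __name__ == "__main__":
    print("broken steps:", broken_steps(UPGRADE_PATH))
    print("risky build vs rh9 erratum:", evr_cmp(RISKY, "2.7-2"))
```

With the leftmost release number held at 1, every step of the path compares older-to-newer; the constructed 2.7-2.7.3.legacy compares newer than the Red Hat Linux 9 erratum 2.7-2, which is the dist-upgrade conflict described in the comment from warren above.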



------- Additional Comments From jpdalbec 2004-02-10 10:58:50 ----

++VERIFIED (RH 7.3)

eae25387e00a671974e0c43aa5b7f478dd04636f  slocate-2.7-1.7.3.legacy.i386.rpm

* passes basic functional tests
* ldd matches 2.6-1
* changelog dates are off-by-one relative to 2.6-1.  Different timezone?
* 2.6-1 requires libc.so.6(GLIBC_2.1.3). 2.7-1.7.3.legacy does not. Is this OK?
* multiple file changes due to version bump.

Differences in rpm -q --dump --state:
< normal /etc/updatedb.conf 140 2132d4bc1fa63e44cd92fb0ae40cdc8d 0100644 root \
root 1 0 0 X
< normal /usr/bin/locate 7 0120777 root slocate 0 0 19036 slocate
< normal /usr/bin/slocate 25020 4de85260e08fd5e1f8e27a0139e591ff 0102755 root \
slocate 0 0 0 X
- ---
> normal /etc/updatedb.conf 149 8ad5940250f80ab97b4a07398fc75752 0100644 root \
root 1 0 0 X
> normal /usr/bin/locate 7 0120777 root slocate 0 0 0 slocate
> normal /usr/bin/slocate 31318 d053ac719676fb3333a3adf1df7eec6a 0102755 root \
slocate 0 0 0 X
174,179c225,230
< normal /usr/share/doc/slocate-2.6 4096 040755 root root 0 0 19034 X
< normal /usr/share/doc/slocate-2.6/ChangeLog 5099 \
12639e2acdd5d0e2aba313777dd315b0 0100644 root root 0 1 0 X
< normal /usr/share/doc/slocate-2.6/INSTALL 455 \
3072d1062bf7ec84410e400b91e19573 0100644 root root 0 1 0 X
< normal /usr/share/doc/slocate-2.6/LICENSE 15094 \
9e668919b3a8ea961cc15983e1615f33 0100644 root root 0 1 0 X
< normal /usr/share/doc/slocate-2.6/MIRRORS 0 \
d41d8cd98f00b204e9800998ecf8427e 0100644 root root 0 1 0 X
< normal /usr/share/doc/slocate-2.6/README 8081 \
dcc1701e7494639ca55ee0f9b27ab6e6 0100644 root root 0 1 0 X
- ---
> normal /usr/share/doc/slocate-2.7 4096 040755 root root 0 0 0 X
> normal /usr/share/doc/slocate-2.7/ChangeLog 5521 \
e7c291bfde9335e26686ecba28df76b8 0100644 root root 0 1 0 X
> normal /usr/share/doc/slocate-2.7/INSTALL 455 \
3072d1062bf7ec84410e400b91e19573 0100644 root root 0 1 0 X
> normal /usr/share/doc/slocate-2.7/LICENSE 15094 \
9e668919b3a8ea961cc15983e1615f33 0100644 root root 0 1 0 X
> normal /usr/share/doc/slocate-2.7/MIRRORS 0 \
d41d8cd98f00b204e9800998ecf8427e 0100644 root root 0 1 0 X
> normal /usr/share/doc/slocate-2.7/README 8124 \
5afdcf0e2baeaf3d9c11077b2d63c720 0100644 root root 0 1 0 X
181,183c232,234
< normal /usr/share/man/man1/slocate.1.gz 1057 \
2efa907c94305130e546422948abbdc8 0100644 root root 0 1 0 X
< normal /usr/share/man/man1/updatedb.1.gz 664 \
02dec075e66089c3a1a9c72abb39e0a4 0100644 root root 0 1 0 X
< normal /var/lib/slocate 4096 040750 root slocate 0 0 19037 X
- ---
> normal /usr/share/man/man1/slocate.1.gz 1049 \
66339eec3d8fa790ce89abfe333b5b6f 0100644 root root 0 1 0 X
> normal /usr/share/man/man1/updatedb.1.gz 664 \
4543aecaec21bde42b7bd2398d33fa08 0100644 root root 0 1 0 X
> normal /var/lib/slocate 4096 040750 root slocate 0 0 0 X

Differences in rpm -qvl:
185c236
< -rw-r--r-- 1 root root 140    /etc/updatedb.conf
- ---
> -rw-r--r-- 1 root root 149    /etc/updatedb.conf
187c238
< -rwxr-sr-x 1 root slocate 25020       /usr/bin/slocate
- ---
> -rwxr-sr-x 1 root slocate 31318       /usr/bin/slocate
189,194c240,245
< drwxr-xr-x 2 root root 0      /usr/share/doc/slocate-2.6
< -rw-r--r-- 1 root root 5099   /usr/share/doc/slocate-2.6/ChangeLog
< -rw-r--r-- 1 root root 455    /usr/share/doc/slocate-2.6/INSTALL
< -rw-r--r-- 1 root root 15094  /usr/share/doc/slocate-2.6/LICENSE
< -rw-r--r-- 1 root root 0      /usr/share/doc/slocate-2.6/MIRRORS
< -rw-r--r-- 1 root root 8081   /usr/share/doc/slocate-2.6/README
- ---
> drwxr-xr-x 2 root root 0      /usr/share/doc/slocate-2.7
> -rw-r--r-- 1 root root 5521   /usr/share/doc/slocate-2.7/ChangeLog
> -rw-r--r-- 1 root root 455    /usr/share/doc/slocate-2.7/INSTALL
> -rw-r--r-- 1 root root 15094  /usr/share/doc/slocate-2.7/LICENSE
> -rw-r--r-- 1 root root 0      /usr/share/doc/slocate-2.7/MIRRORS
> -rw-r--r-- 1 root root 8124   /usr/share/doc/slocate-2.7/README
196c247
< -rw-r--r-- 1 root root 1057   /usr/share/man/man1/slocate.1.gz
- ---
> -rw-r--r-- 1 root root 1049   /usr/share/man/man1/slocate.1.gz

Differences in sha1sum:
203,214c254,265
< 4693bf4c678dad87772ad3390f57d9c5acd4837c  /etc/updatedb.conf
< b8eb409f47f2565d9deffa84d096aeade23bc2f2  /usr/bin/locate
< b8eb409f47f2565d9deffa84d096aeade23bc2f2  /usr/bin/slocate
< b8eb409f47f2565d9deffa84d096aeade23bc2f2  /usr/bin/updatedb
< 56ec3bb917c361f19908570d39fec4969044abee  \
/usr/share/doc/slocate-2.6/ChangeLog
< ec34b7ff59eb84d445b9c103aa82abd54307c804  /usr/share/doc/slocate-2.6/INSTALL
< 8d9268c26aad3c7b92f73afe68e923ea77dc6a43  /usr/share/doc/slocate-2.6/LICENSE
< da39a3ee5e6b4b0d3255bfef95601890afd80709  /usr/share/doc/slocate-2.6/MIRRORS
< 027f1781ce355e9ec5c30421d238a0960d351084  /usr/share/doc/slocate-2.6/README
< d767e363cadaf52a98e969995cd2f0da7b72d041  /usr/share/man/man1/locate.1.gz
< d767e363cadaf52a98e969995cd2f0da7b72d041  /usr/share/man/man1/slocate.1.gz
< 244f48358cf709789019c1c78aba6db2fba39fa4  /usr/share/man/man1/updatedb.1.gz
- ---
> a1617767af358d0d5ae8c9f536e9e025d09ec70d  /etc/updatedb.conf
> a74fe2c4375348cdd75942bb481d6847390c5bc3  /usr/bin/locate
> a74fe2c4375348cdd75942bb481d6847390c5bc3  /usr/bin/slocate
> a74fe2c4375348cdd75942bb481d6847390c5bc3  /usr/bin/updatedb
> 5477df1c72878c5fee4558af0e8e4048dfa8e817  \
/usr/share/doc/slocate-2.7/ChangeLog
> ec34b7ff59eb84d445b9c103aa82abd54307c804  /usr/share/doc/slocate-2.7/INSTALL
> 8d9268c26aad3c7b92f73afe68e923ea77dc6a43  /usr/share/doc/slocate-2.7/LICENSE
> da39a3ee5e6b4b0d3255bfef95601890afd80709  /usr/share/doc/slocate-2.7/MIRRORS
> cfe59ecd416dc44e724cc898f5009c5a31a806cb  /usr/share/doc/slocate-2.7/README
> ed2c45e3936b2439bbea0e8d8a9db3c8a16efb32  /usr/share/man/man1/locate.1.gz
> ed2c45e3936b2439bbea0e8d8a9db3c8a16efb32  /usr/share/man/man1/slocate.1.gz
> 712a75adf508301a3aa8e92d2cf38e719e0a82d5  /usr/share/man/man1/updatedb.1.gz




------- Additional Comments From jpdalbec 2004-02-10 11:38:04 ----

++VERIFIED (RH 8.0)

a22d3b45922b0123a0ca9035dd9f66093d63651d  slocate-2.7-1.8.0.legacy.i386.rpm

* passes basic functional tests
* ldd matches 2.6-4
* changelog dates are off-by-one relative to 2.6-4.  Different timezone?
* 2.7-1.8.0.legacy requires libc.so.6(GLIBC_2.3). 2.6-4 does not. Is this OK?
* multiple file changes due to version bump.

(I won't bore you with the details this time.)




------- Additional Comments From bugs.michael 2004-02-10 11:50:47 ----

In reply to comment 14:

Hint: try unified diffs, i.e. diff option -u, makes diffs much more readable.

That several of the files in /usr/share/doc are flagged as changed is due to
their different path, though: /usr/share/doc/slocate-2.6 =>
/usr/share/doc/slocate-2.7

> libc.so.6(GLIBC_2.1.3)

The package depends on glibc, _that_ is the important thing. rh73 has seen
glibc/gcc updates, btw.

> Different timezone?

Not following you here, I'm afraid.




------- Additional Comments From jpdalbec 2004-02-11 08:02:20 ----

Comparing the changelog sections of the output of my summary script:

::: cut here :::
--- summary.slocate-2.6-1.txt   Tue Feb 10 14:45:19 2004
+++ summary.slocate-2.7-1.7.3.legacy    Tue Feb 10 14:57:42 2004
...
@@ -34,29 +86,29 @@
 
 - update to 2.3; fixes database reading problem
 
-* Wed Aug 23 2000 Than Ngo <than>
+* Thu Aug 24 2000 Than Ngo <than>
 
 - add a default updatedb.conf (Bug #13475)
 
-* Wed Aug 23 2000 Jakub Jelinek <jakub>
+* Thu Aug 24 2000 Jakub Jelinek <jakub>
 
 - fix build with glibc defining DT_WHT but not defining S_IFWHT.
 
-* Sun Jul 23 2000 Nalin Dahyabhai <nalin>
+* Mon Jul 24 2000 Nalin Dahyabhai <nalin>
 
 - don't print a message telling how to rebuild the database if we're
   rebuilding the database
 
-* Wed Jul 12 2000 Prospector <bugzilla>
+* Thu Jul 13 2000 Prospector <bugzilla>
 
 - automatic rebuild
 
-* Thu Jun 22 2000 Bill Nottingham <notting>
+* Fri Jun 23 2000 Bill Nottingham <notting>
 
 - update to 2.2
 - fix it to not have debugging (oops)
 
-* Sat Jun 10 2000 Bill Nottingham <notting>
+* Sun Jun 11 2000 Bill Nottingham <notting>
 
 - rebuild, FHS manpages, etc.
 
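Review bot: the six changed lines in this hunk differ only in the date on the "* ..." header, each moved forward by exactly one day with a matching weekday (for example "Wed Aug 23 2000" to "Thu Aug 24 2000"), and the entry text under every header is unchanged context. Stripping or normalising the date field of the changelog headers before diffing the two summaries would keep this uniform shift from burying a real changelog edit.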
@@ -72,51 +124,51 @@
 
 - handle compressed man pages
 
-* Thu Oct 21 1999 Bill Nottingham <notting>
+* Fri Oct 22 1999 Bill Nottingham <notting>
 
 - update to 2.1
 
-* Mon Oct 18 1999 Bill Nottingham <notting>
+* Tue Oct 19 1999 Bill Nottingham <notting>
 
 - fix a bug that was causing segfaults.
 
-* Mon Sep 20 1999 Bill Nottingham <notting>
+* Tue Sep 21 1999 Bill Nottingham <notting>
 
 - remove group database on final uninstall
 
-* Fri Sep 10 1999 Bill Nottingham <notting>
+* Sat Sep 11 1999 Bill Nottingham <notting>
 
 - add a note about creating the database if opening of it fails.
 
-* Tue Jul 06 1999 Bill Nottingham <notting>
+* Wed Jul 07 1999 Bill Nottingham <notting>
 
 - update to 2.0
 - use new -f (filesystem type) option to simplify cron script
 - link updatedb back to slocate to allow parsing of updatedb.conf
   config files
 
-* Mon Jun 14 1999 Bill Nottingham <notting>
+* Tue Jun 15 1999 Bill Nottingham <notting>
 
 - don't exclude VFAT partitions
 - add some docs
 
-* Tue Jun 01 1999 Jeff Johnson <jbj>
+* Wed Jun 02 1999 Jeff Johnson <jbj>
 
 - update to 1.6.
 - use /etc/cron.daily as /usr/bin/updatedb to more perfectly imitate the
   findutils updatedb.
 - exclude vfat partitions too (#3164).
 
-* Tue May 11 1999 Bill Nottingham <notting>
+* Wed May 12 1999 Bill Nottingham <notting>
 
 - update to 1.5
 - make database dir 0750
 
-* Mon Apr 19 1999 Bill Nottingham <notting>
+* Tue Apr 20 1999 Bill Nottingham <notting>
 
 - fix updatedb cron script
 
-* Mon Apr 12 1999 Bill Nottingham <notting>
+* Tue Apr 13 1999 Bill Nottingham <notting>
 
 - add updatedb as a link to slocate
 - add an updatedb man page
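Review bot: the ten changed header lines in this hunk repeat the same one-day-forward shift (for example "Thu Oct 21 1999" to "Fri Oct 22 1999"), and the hunk header gives 51 lines on each side, so no changelog entry was added or dropped here. The two summary files were generated about twelve minutes apart according to the file headers; recording which host and time zone setting produced each one next to the diff would let a reader confirm or rule out the time zone explanation.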
...
::: cut here :::

I can't imagine what would cause something like that unless maybe the changes
were being automatically assigned dates in two different timezones.



------- Additional Comments From bugs.michael 2004-02-11 10:26:04 ----

Ah! Can't reproduce that with an rpmdiff against rh80's slocate-2.6-4. So, it's
something that has happened at Red Hat sometime between rh73 and rh80. Unimportant.



------- Additional Comments From bugs.michael 2004-02-11 10:35:57 ----

Created an attachment (id=531)
rpmdiff 2.7-0.7.3 > 2.7-1.7.3

Note to Jesse, rh73 version would have two approvals (comment 7, comment 14 and
unsigned comment 8), if you had mentioned/linked your -1.7.3 release here
somewhere. Attached the rpmdiff between those two versions. IMHO, the rh72/rh80
packages ought not delay the rh73 version.



------- Additional Comments From jkeating 2004-02-11 19:33:24 ----

Whoops.  I thought I had mentioned that they were in updates-testing.  Guess I
didn't.  Given that we've had enough good feedback, I'm pushing these into updates.



------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1232 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1232
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
rpmdiff 2.7-0.7.3 > 2.7-1.7.3
https://bugzilla.fedora.us/attachment.cgi?action=view&id=531

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



