The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

https://rhn.redhat.com/errata/RHSA-2004-056.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080

Note, this only affects 7.2

------- Additional Comments From bugs.michael 2004-02-03 07:09:08 ----

> this only affects 7.2

rh73: confirmed (the affected pwent2 patch is not applied in the spec file, and the fix is in the util-linux-2.11n code already).

------- Additional Comments From jkeating 2004-02-03 16:43:37 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have rebuilt the last errata package from Red Hat for RHL 7.2 and included the modified util-linux-2.11f-pwent2.patch from the RHEL 2.1 errata. Patch applies, package builds, ldd and rpm -ql match.

Files can be found here:
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-18.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-18.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAIF5E4v2HLvE71NURAg9RAJ0XFc+DR8O+dr0+87xz+2NOzNFDdACaA0NU
T8eblBc7SxEMXDzMWAWCeQk=
=CvwY
-----END PGP SIGNATURE-----

------- Additional Comments From bugs.michael 2004-02-04 04:36:03 ----

* missing "Buildrequires: texinfo, gettext"

------- Additional Comments From jkeating 2004-02-04 06:20:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Added gettext and texinfo as buildreqs. Bumped the build up by one.

http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAIR4Y4v2HLvE71NURAi59AJ4ovrppumCmvW0CC2CJjs9nXWRKowCgl8n8
UajM77Bqj5UXAcPg7hlmi7Q=
=S1s5
-----END PGP SIGNATURE-----

------- Additional Comments From Freedom_Lover 2004-02-04 07:23:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

util-linux QA on Red Hat 7.2 using:
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/util-linux-2.11f-19.7.2.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/util-linux/7.2/sha1sums

* sha1sums passes gpg verification
* sha1sums match downloaded files
* packages signed by Jesse Keating (j2Solutions) <jkeating> (gpg key 0xF13BD4D5)
* source rpm differs from previous RH 7.2 release only by updated patch + spec
* patch file matches the one from RHEL2.1AS[1]
* package builds fine on RH 7.2
* ldd on binaries in /bin, /sbin, /usr/bin, /usr/games, and /usr/sbin match previous RH package
* rpm -ql matches previous RH package
* basic functionality tests pass and match those of previous RH release for the following commands (those included in login-utils, which are affected by the patch):
  /bin/login
  /sbin/agetty (not tested)
  /usr/bin/chfn
  /usr/bin/chsh
  /usr/bin/newgrp
  /usr/sbin/vipw

[1] ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/util-linux-2.11f-20.4.src.rpm

Vote PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAISwGuv+09NZUB1oRAmO1AKDgcr6tZKWnsRNtz5XqPufsoftPKgCg6rGQ
KdVcMFhAAfxoe0Hj4Dip+VQ=
=c0lC
-----END PGP SIGNATURE-----

------- Additional Comments From Freedom_Lover 2004-02-05 07:54:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I almost hate to send this here, as it's a wider issue than just this bug...

My previous entry fails to verify due to a line that was wrapped by bugzilla (the line with the ftp address of the RHEL2.1AS update, it should begin with just [1] ftp://...). I've seen Jesse ask about this elsewhere (in another bugzilla entry or on the mailing list). For these signatures to be useful, they have to be verifiable by others.

There are two potential solutions I see:

1) disable the wrapping done by bugzilla or configure it to wrap at a much higher number of characters than it does now.

2) make sure all QA testers know about the line wrap issue and at what number of characters bugzilla will delightfully munge up their entry so they can keep under that number.

Option 1 would be my preference but I don't know how feasible this is with bugzilla, especially since we're sharing bugzilla by the good graces of Warren and fedora.us. Option 2 is a small pain for QA testers, but it will work if it has to and everyone posting clearsigned entries knows about the issue. I already have my editor set to wrap at 78 or 80 characters, but there are times where a line gets longer than that (with URLs most often).

Unless one of you guys has a quick and easy way of solving this, I'll try to post something to the mailing list so we can get a wider set of heads thinking about it. I think something has to be done or we're just making a mockery of signing posts.

In the short term, does anyone know at what width bugzilla will wrap an entry?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAIoTvuv+09NZUB1oRAonHAJ9L/eO2zliDphdcFQStcfJniwWgNACfXv0p
kTznz2QivFFsHPIbYblhoGE=
=rKeu
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating 2004-02-11 21:02:35 ----

Pushed to updates-testing due to QA timeout. Please verify for full release.

------- Additional Comments From rostetter.edu 2004-02-26 05:59:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Downloaded util-linux-2.11f-19.7.2.legacy.i386.rpm from http://download.fedoralegacy.org/redhat/7.2/updates-testing/i386/
* Signature fingerprint checks out okay.
* RPM commands say md5 gpg is okay.
* Installed fine on 12 RH 7.2 machines.
* Logins still work, everything seems fine.
* Vote for publish...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAPheR4jZRbknHoPIRAmBYAKCEfhIFnzCbZ9178sjLOH6HRxIg0ACgtfMH
kh81kNidlXIgZR52PNC8Agw=
=sXoS
-----END PGP SIGNATURE-----

------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1256 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1256
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
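The advisory at the top of this thread names the bug class (login holding a pointer into storage that was later freed and reused, so it acted on another account's data) but the patched login code is not on the page. The following is an added illustration of that hazard and of the fix pattern; it is not util-linux code or the pwent2 patch. sim_getpwnam() is a constructed stand-in for a non-reentrant lookup such as getpwnam(3) that reuses one buffer per call, the two-entry user table is constructed, and intermediate_lookup(), vulnerable_home() and fixed_lookup() are names assumed for the example.

```c
/* Added illustration (not util-linux code) of the stale-pointer hazard
 * the advisory describes: a caller keeps a pointer into storage that a
 * later lookup overwrites, then acts on another account's record.
 * sim_getpwnam() is a constructed stand-in for a non-reentrant lookup
 * such as getpwnam(3); the user table below is constructed as well. */
#include <stdio.h>
#include <string.h>

struct pwent {
    char name[32];
    char home[64];
    char shell[32];
};

/* Constructed user database for the example. */
static const struct pwent user_table[] = {
    { "alice", "/home/alice", "/bin/bash" },
    { "bob",   "/home/bob",   "/bin/sh"   },
};

/* Non-reentrant lookup: every call reuses one shared buffer, so the
 * returned pointer is only valid until the next call. A static buffer is
 * used here so the outcome is deterministic; in the advisory's case the
 * storage was freed and reallocated, with the same effect on the caller. */
static struct pwent *sim_getpwnam(const char *name)
{
    static struct pwent shared;
    size_t i;

    for (i = 0; i < sizeof user_table / sizeof user_table[0]; i++) {
        if (strcmp(user_table[i].name, name) == 0) {
            shared = user_table[i];
            return &shared;
        }
    }
    return NULL;
}

/* Models whatever runs inside the program between the lookup and the use
 * of its result and happens to perform its own lookup. */
static void intermediate_lookup(void)
{
    (void)sim_getpwnam("bob");
}

/* Vulnerable pattern: the pointer is held across intermediate_lookup(),
 * so the home directory returned belongs to "bob", not to `user`. */
const char *vulnerable_home(const char *user)
{
    struct pwent *pw = sim_getpwnam(user);
    if (pw == NULL)
        return NULL;
    intermediate_lookup();   /* overwrites *pw behind our back */
    return pw->home;         /* another account's data */
}

/* Fixed pattern: copy the record while the pointer is still valid and
 * work from the copy. An empty name in the result means "not found". */
struct pwent fixed_lookup(const char *user)
{
    struct pwent copy;
    struct pwent *pw;

    memset(&copy, 0, sizeof copy);
    pw = sim_getpwnam(user);
    if (pw != NULL)
        copy = *pw;          /* snapshot before anything else can run */
    intermediate_lookup();   /* no longer affects `copy` */
    return copy;
}

int main(void)
{
    struct pwent fixed = fixed_lookup("alice");
    printf("vulnerable: alice -> %s\n", vulnerable_home("alice"));
    printf("fixed:      alice -> %s\n", fixed.home);
    return 0;
}
```

The struct copy is a complete fix here only because the example's fields are inline arrays. With the real struct passwd, pw_name, pw_dir, pw_shell and the other members are pointers into the same reused storage, so a shallow copy still dangles; either duplicate each string (strdup) at the point of lookup or use getpwnam_r(3) with a caller-owned buffer, which is the reentrant interface intended for exactly this situation.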