This is discussed for Red Hat 9 in RHSA-2004-173 (linked from this bug). I do not know whether these vulnerabilities affect Red Hat 7.2 through 8.0.

------- Additional Comments From skvidal.edu 2004-04-30 20:18:33 ----

boy - those cve reports are _really_ helpful. </sarcasm>

------- Additional Comments From jonny.strom 2004-05-02 04:19:25 ----

An MC update for rh 7.3 that is continued from mc-4.5.55-6.legacy.src.rpm is available. This backport is based on the Debian woody3 patch for mc-4.5.55. Basic testing was done and mc is working as expected.

Please QA and download the update from:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-4.5.55-7.legacy.i386.rpm
30ef9ae0073b20f9fd9290851de4d2f8

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-4.5.55-7.legacy.src.rpm
d037f8f2f32e63bd0a286a6cb8517004

http://213.250.83.8/~johnny/fedora_legacy/rh73/mc-security_CAN-2004-0226.patch
160fc644722f754326dbcce57bd12cbc

------- Additional Comments From dwb7.edu 2004-05-04 05:48:39 ----

Hash: SHA1

rebuild source on 7.3

rpmlint shows the following patches not applied:

W: mc patch-not-applied Patch2: mc-4.5.35-fixwarning.patch
W: mc patch-not-applied Patch41: mc-4.5.51-kudzu.patch
W: mc patch-not-applied Patch30: mc-4.5.51-time.patch
W: mc patch-not-applied Patch21: samba-ia64.patch
W: mc patch-not-applied Patch20: mc-4.5.42-fixsh.patch
W: mc patch-not-applied Patch26: mc-4.5.51-stderr.patch
W: mc patch-not-applied Patch25: mc-4.5.51-showagain.patch
W: mc patch-not-applied Patch24: mc-4.5.51-initscript.patch
W: mc patch-not-applied Patch29: mc-4.5.51-fixrescan.patch
W: mc patch-not-applied Patch28: mc-4.5.51-extention.patch

is this bad? (these appear to be commented out in the spec file)

a freshen also gave the following warning:

warning: user vcsa does not exist - using root

Other than that, builds and installs ok.
- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl7tDSY7s7uPf/IURAs3vAJ95PASP290rbM7VH4UHvmLNaUahrwCcDYhE
biYjRwai+M1hb73fsYPcrJA=
=SrHr
-----END PGP SIGNATURE-----

------- Additional Comments From dwb7.edu 2004-05-04 06:39:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum of the SRPM I rebuilt:

d037f8f2f32e63bd0a286a6cb8517004  mc-4.5.55-7.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8c6SY7s7uPf/IURAj+aAKDdwyCAT7D0D/FSDCm/ntqTvlu7cACdHSSS
INS/ubbLuMkjjrlM77YICKw=
=bGic
-----END PGP SIGNATURE-----

------- Additional Comments From dwb7.edu 2004-05-05 10:43:50 ----

Here's the file that it attempts to set to the wrong permission.

vcsa /usr/lib/mc/bin/cons.saver

------- Additional Comments From jkeating 2004-05-18 18:54:15 ----

Hrm, I just released mc for the older patch, will add this one on top of the packages and re-issue.

------- Additional Comments From jkeating 2004-06-16 17:42:56 ----

Pushed to updates-testing: http://download.fedoralegacy.org/redhat/

cb94798809ae1c21c884591e1f3d0cab933edada  7.3/updates-testing/SRPMS/mc-4.5.55-7.legacy.src.rpm
e5a3355aa808fb41e9d914eb2efb4b737723d157  7.3/updates-testing/i386/mc-4.5.55-7.legacy.i386.rpm

------- Additional Comments From michael 2004-06-18 06:14:31 ----

Looks like there is a bug in the latest patch affecting the autocomplete function. I updated to mc-4.5.55-7.legacy.i386.rpm (from updates-testing) on RH 7.3. Now, when I type some letters in the command prompt and press Meta+Tab (Esc, Tab), mc (partially) completes the command, but it prints a space instead of the last completion symbol. For example, when I type "lsat" in the command line and press M-Tab, mc completes it to "lsatt " instead of "lsattr".

------- Additional Comments From jonny.strom 2004-06-18 06:37:30 ----

Well, I don't have the RH 7.3 machine I did the work on anymore, so can someone else have a look at it?
------- Additional Comments From michael 2004-06-19 01:15:12 ----

Well, the source of the problem is in /src/complete.c (quoting part of mc-security_CAN-2004-0226.patch):

---cut----------------------------------------------------------------
diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c	Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c	Sun May  2 16:21:26 2004
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-	char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+	char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
 
 	*temp = '$';
 	if (isbrace)
@@ -837,6 +837,7 @@
 	*p = 0;
     }
     strncpy (in->buffer + start, text, len - start + end);
+    in->buffer[start + len - start + end - 1] = '\0';
     in->point += len;
     update_input (in, 1);
     end += len;
---cut----------------------------------------------------------------

Quick fix is to remove the second part of the patch for /src/complete.c, to leave only:

---cut----------------------------------------------------------------
diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c	Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c	Sun May  2 16:21:26 2004
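Review bot: the line added in the `@@ -837,6 +837,7 @@` hunk is off by one. `strncpy (in->buffer + start, text, len - start + end)` writes exactly `len - start + end` bytes beginning at `in->buffer + start`, so the first byte after the copy is `in->buffer[start + (len - start + end)]`; the terminator is written one byte earlier, at `start + len - start + end - 1`, which is the last byte the strncpy just copied. That matches the report of the final character being lost ("lsatt " for "lsattr"). Before keeping any terminator write here, check what the code above this hunk does with the text after the insertion point: if it has already moved the tail of the line (with its NUL) out of the way, the strncpy needs no terminator at all, and a NUL at either position cuts the line short.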
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-	char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+	char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
 
 	*temp = '$';
 	if (isbrace)
---cut----------------------------------------------------------------

I'm not sure whether removing the line in question can compromise some security added by the patch. It seems unlikely at first look.

------- Additional Comments From marcdeslauriers 2004-06-19 13:59:06 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think the offending code will affect security if it is removed. Besides, it doesn't appear in Red Hat's patch for AS2.1, and it is not in mc 4.6.0.

Here are rebuilt packages:

* Sat Jun 19 2004 Marc Deslauriers <marcdeslauriers> 4.5.55-8.legacy
- - Removed irrelevant complete.c part of CAN-2004-0226 to fix completion bug

633d88d6a1f93f1f8d1c9fc30a3aad2565b4d67e  mc-4.5.55-8.legacy.i386.rpm
e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mc-4.5.55-8.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA1NMtLMAs/0C4zNoRAq2xAJ49TGu7aLlvjh4rOlzzd5aOT1HOCgCfXMvG
+iH3L7+yhvdn7TxfSp8/HnU=
=xgND
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-09-14 11:20:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm

changes since the updates-testing (comment #7) version are trivial; package compiles and tab-completion seems to work normally

PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBR2CpyQ+yTHz+jJkRAs86AKC2hhpqQySy+wsHKSo6Ah5atCedbwCgnZfm
inkw2hLrfHH4olt8cKf6t5s=
=XlvE
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-09-20 14:09:36 ----

This bug has been superseded by bug 2009

------- Additional Comments From leonard.nl 2005-01-30 03:58:49 ----

Not really superseded. They both need to be fixed.

Compare RHEL 2.1 mc-4.5.51-36.4's patch 46 for a fix for CAN-2004-0226, -0231 and -0232. (http://rhn.redhat.com/errata/RHSA-2004-172.html)

Also see http://www.ottolander.nl/mc-patches/fc1/jumbo.parts/mc-4.6.0-jumbo.tempfile.patch for a fix for CAN-2004-0231. This is a split out from FC1's jumbo patch. Not sure if this adds any relevant hunks.

All this effort when everybody could and should just update to CVS (the mc-4.6.1 PRE, not 4.6.1a branch) or 4.6.1 once it comes out. <sigh>

------- Additional Comments From leonard.nl 2005-03-17 08:39:35 ----

Wrt comment #10: Have you tried removing the "- 1"? Probably an off by one.

strncpy (in->buffer + start, text, len - start + end);
in->buffer[start + len - start + end - 1] = '\0';

was replaced by:

memcpy (in->buffer + start, text, len - start + end);

in CVS.

------- Additional Comments From michael 2005-03-18 21:15:49 ----

Leonard, you're right, it's an off-by-one error. This patch fragment looks like some code auditor's overreaction to a suspicious line. Changed to memcpy() in CVS so as not to trigger suspicion again? Anyway, leaving it in the patch (with "- 1" removed) will do no harm.

------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1548 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1548
Originally filed under the Fedora Legacy product and Package request component.

Bug depends on bug(s) 2405.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
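The off-by-one that the last two comments settle on, worked through as an added example. This is my own C model, not mc's code and not part of any package in this bug: it reproduces the quoted insert_text() lines from src/complete.c inside a small stand-in for mc's WInput and runs the completion of "lsat" to "lsattr" three ways, with no terminator write (the original 4.5.55 code, and equivalently the CVS memcpy version), with the backport's write at `start + len - start + end - 1`, and with the "- 1" removed. The `WInput` stand-in, the `term_mode` enum and the `complete_word()` helper are constructed for this example; the buffer-growth and tail-shifting logic is a simplified rendering of what surrounds the hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for mc's WInput: only the fields the insert path touches.
   Constructed for this example, not mc's real struct. */
typedef struct {
    char *buffer;
    int point;            /* cursor position */
    int current_max_len;  /* allocated size of buffer */
} WInput;

/* Which terminator write follows the strncpy (constructed for this demo). */
enum term_mode {
    TERM_NONE,          /* original 4.5.55 code (and the CVS memcpy version): no write */
    TERM_PATCH_MINUS1,  /* CAN-2004-0226 backport: buffer[start + len - start + end - 1] = 0 */
    TERM_PATCH_FIXED    /* the same write with the "- 1" removed */
};

/* Simplified model of insert_text(): replace buffer[start..end) with `text`,
   shifting the tail of the line (NUL included) to make room, then copy the
   completion in with strncpy exactly as the quoted source does. Returns the
   new `end` so a caller can inspect it. */
static int insert_text(WInput *in, int start, int end, const char *text,
                       enum term_mode mode)
{
    int len = (int)strlen(text) + start - end;   /* net growth of the line */

    if ((int)strlen(in->buffer) + len >= in->current_max_len) {
        /* grow the buffer so the shifted tail and its NUL fit */
        in->current_max_len = (int)strlen(in->buffer) + len + 1;
        in->buffer = realloc(in->buffer, in->current_max_len);
    }
    if (len > 0) {
        /* shift the tail right, from its NUL backwards, so nothing is overwritten */
        int i = (int)strlen(&in->buffer[end]);
        for (; i >= 0; i--)
            in->buffer[end + len + i] = in->buffer[end + i];
    } else if (len < 0) {
        char *p = in->buffer + end + len, *q = in->buffer + end;
        while (*q)
            *p++ = *q++;
        *p = 0;
    }
    /* copies exactly strlen(text) bytes; the shifted tail already carries the NUL */
    strncpy(in->buffer + start, text, len - start + end);
    if (mode == TERM_PATCH_MINUS1)
        /* index is start + strlen(text) - 1: the last byte just copied */
        in->buffer[start + len - start + end - 1] = '\0';
    else if (mode == TERM_PATCH_FIXED)
        /* index is start + strlen(text): the first byte after the copy */
        in->buffer[start + len - start + end] = '\0';
    in->point += len;
    return end + len;
}

/* Run one completion on a copy of `line` and return the resulting line
   (caller frees). start..end is the span of the word being completed. */
char *complete_word(const char *line, int start, int end,
                    const char *completion, enum term_mode mode)
{
    WInput in;
    in.current_max_len = (int)strlen(line) + 1;
    in.buffer = malloc(in.current_max_len);
    strcpy(in.buffer, line);
    in.point = end;
    insert_text(&in, start, end, completion, mode);
    return in.buffer;
}

int main(void)
{
    static const char *const names[] = {
        "no terminator write", "patch (with - 1)", "patch, - 1 removed"
    };
    /* constructed inputs: "lsat" with the cursor at the end, and the same word
       with more text after the cursor, each completed to "lsattr" */
    for (int m = TERM_NONE; m <= TERM_PATCH_FIXED; m++) {
        char *a = complete_word("lsat", 0, 4, "lsattr", m);
        char *b = complete_word("lsat | wc -l", 0, 4, "lsattr", m);
        printf("%-20s  cursor at end: \"%s\"  text after cursor: \"%s\"\n",
               names[m], a, b);
        free(a);
        free(b);
    }
    return 0;
}
```

With the backport's write the last copied character is clobbered and the line becomes "lsatt", which is the symptom reported on 2004-06-18. Removing the "- 1" gives "lsattr" when the cursor is at the end of the line, but the second input shows the cost of any terminator at this spot: the loop before the strncpy has already moved the tail and its NUL into place, so the write truncates whatever followed the cursor ("lsattr" instead of "lsattr | wc -l"). The original code needs no terminator write at all, which is the behaviour the later memcpy replacement keeps.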
David, could you be so kind as to remove that "leonard at" address from this entry and replace it with "leonard-rh-bugzilla at" please?
This is tracked in #152889.

*** This bug has been marked as a duplicate of 152889 ***