Bug 152705 - mc CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Summary: mc CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Status: CLOSED DUPLICATE of bug 152889
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: mc
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: LEGACY, rh73
Keywords: Security
Depends On:
Reported: 2004-04-30 18:50 UTC by Barry K. Nathan
Modified: 2014-01-21 22:51 UTC (History)

Clone Of:
Last Closed: 2005-05-16 12:02:12 UTC

Description David Lawrence 2005-03-30 23:24:39 UTC
This is discussed for Red Hat 9 in RHSA-2004-173 (linked from this bug).

I do not know whether these vulnerabilities affect Red Hat 7.2 through 8.0.

------- Additional Comments From skvidal@phy.duke.edu 2004-04-30 20:18:33 ----

boy - those cve reports are _really_ helpful.

------- Additional Comments From jonny.strom@netikka.fi 2004-05-02 04:19:25 ----

An MC update for rh 7.3 that is continued from mc-4.5.55-6.legacy.src.rpm is
available. This backport is based on the Debian woody3 patch for mc-4.5.55. Basic
testing was done and mc is working as expected.

Please QA and download the update from:


------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 05:48:39 ----

rebuild source on 7.3

rpmlint shows the following patches not applied:

W: mc patch-not-applied Patch2: mc-4.5.35-fixwarning.patch
W: mc patch-not-applied Patch41: mc-4.5.51-kudzu.patch
W: mc patch-not-applied Patch30: mc-4.5.51-time.patch
W: mc patch-not-applied Patch21: samba-ia64.patch
W: mc patch-not-applied Patch20: mc-4.5.42-fixsh.patch
W: mc patch-not-applied Patch26: mc-4.5.51-stderr.patch
W: mc patch-not-applied Patch25: mc-4.5.51-showagain.patch
W: mc patch-not-applied Patch24: mc-4.5.51-initscript.patch
W: mc patch-not-applied Patch29: mc-4.5.51-fixrescan.patch
W: mc patch-not-applied Patch28: mc-4.5.51-extention.patch

is this bad?
(these appear to be commented out in the spec file)

a freshen also gave the following warning:

warning: user vcsa does not exist - using root

Other than that, builds and installs ok.

-DWB


------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-04 06:39:55 ----

md5sum of the SRPM I rebuilt:

d037f8f2f32e63bd0a286a6cb8517004  mc-4.5.55-7.legacy.src.rpm


------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-05 10:43:50 ----

Here's the file that it attempts to set to the wrong permission.

vcsa /usr/lib/mc/bin/cons.saver

------- Additional Comments From jkeating@j2solutions.net 2004-05-18 18:54:15 ----

Hrm, I just released mc for the older patch, will add this one on top of the
packages and re-issue.

------- Additional Comments From jkeating@j2solutions.net 2004-06-16 17:42:56 ----

Pushed to updates-testing:


------- Additional Comments From michael@neonweb.ru 2004-06-18 06:14:31 ----

Looks like there is a bug in the latest patch affecting autocomplete function.
I updated to mc-4.5.55-7.legacy.i386.rpm (from updates-testing) on RH 7.3. Now,
when I type some letters in command prompt and press Meta+Tab (Esc, Tab) - mc
(partially) completes the command, but it prints space instead of the last
completion symbol.

For example, when I type "lsat" in command line and press M-Tab, mc completes it
to "lsatt " instead of "lsattr".

------- Additional Comments From jonny.strom@netikka.fi 2004-06-18 06:37:30 ----

Well I don't have this RH 7.3 machine anymore where I did the work on so can
someone else have a look at it? 

------- Additional Comments From michael@neonweb.ru 2004-06-19 01:15:12 ----

Well, the source of problem is in /src/complete.c (quoting part of

diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c  Sun May  2 16:21:26 2004
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-        char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+        char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
   *temp = '$';
   if (isbrace)
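Review bot: At the allocation of `temp`, switching to `g_malloc0` makes termination of the string depend on the buffer having been zero-filled rather than on an explicit write, and nothing in the hunk says which bytes `2 + 2 * isbrace + p - *env_p` is meant to cover. A short comment breaking the size down (the `$`, the optional brace pair, the `p - *env_p` bytes, the terminator) and an explicit `'\0'` store after the copy would let a reader check the bound instead of inferring it from the allocator.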
@@ -837,6 +837,7 @@
       *p = 0;
   strncpy (in->buffer + start, text, len - start + end);
+  in->buffer[start + len - start + end - 1] = '\0';
   in->point += len;
   update_input (in, 1);
   end += len;
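Review bot: The added `in->buffer[start + len - start + end - 1] = '\0';` zeroes a byte that the `strncpy` on the line above has just written: the copy covers `len - start + end` bytes beginning at `start`, so its last byte is at exactly that index and the final character of the inserted text is lost. If a terminator is wanted here it belongs one position later, after confirming that nothing following the inserted text in `in->buffer` needs to survive; the index also reduces to `len + end - 1`, and nothing visible in the hunk checks it against the size of `in->buffer`.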

Quick fix is to remove second part of patch for /src/complete.c, 
to leave only:

diff -ur ./src/complete.c ../mc-4.5.55/src/complete.c
--- ./src/complete.c Tue Jul 31 18:21:28 2001
+++ ../mc-4.5.55/src/complete.c  Sun May  2 16:21:26 2004
@@ -293,7 +293,7 @@
     if (!*env_p)
         return NULL;
     else {
-        char *temp = g_malloc (2 + 2 * isbrace + p - *env_p);
+        char *temp = g_malloc0 (2 + 2 * isbrace + p - *env_p);
   *temp = '$';
   if (isbrace)
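Review bot: Nothing in this reduced patch records that the `in->buffer` terminator hunk was dropped on purpose; with only the `g_malloc0` line at `@@ -293` left, add a patch header comment or changelog line stating that the `strncpy` site is intentionally unchanged and why, so a later audit does not reapply the removed line.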

I'm not sure whether removing the line in question can compromise some security
added by the patch. It seems unlikely at first look.

------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-19 13:59:06 ----

I don't think the offending code will affect security if it
is removed. Besides, it doesn't appear in Red Hat's patch for AS2.1,
and it is not in mc 4.6.0.

Here are rebuilt packages:

* Sat Jun 19 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.5.55-8.legacy
- Removed irrevelant complete.c part of CAN-2004-0226 to fix completion bug

633d88d6a1f93f1f8d1c9fc30a3aad2565b4d67e  mc-4.5.55-8.legacy.i386.rpm
e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm



------- Additional Comments From ckelley@ibnads.com 2004-09-14 11:20:54 ----

e1a052acf6fe079ad4c3e1bc39c88898382bb703  mc-4.5.55-8.legacy.src.rpm
changes since the updates-testing (comment #7) version are trivial;
package compiles and tab-completion seems to work normally

------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-20 14:09:36 ----

This bug has been superseded by bug 2009

------- Additional Comments From leonard@den.ottolander.nl 2005-01-30 03:58:49 ----

Not really superseded. They both need to be fixed.

Compare RHEL 2.1 mc-4.5.51-36.4's patch 46 for a fix for CAN-2004-0226, -0231
and -0232. (http://rhn.redhat.com/errata/RHSA-2004-172.html)

Also see
for a fix for CAN-2004-0231. This is a split out from FC1's jumbo patch. Not
sure if this adds any relevant hunks.

All this effort when everybody could and should just update to CVS (the mc-4.6.1
PRE, not 4.6.1a branch) or 4.6.1 once it comes out. <sigh>

------- Additional Comments From leonard@den.ottolander.nl 2005-03-17 08:39:35 ----

Wrt comment #10:

Have you tried removing the "- 1"? Probably an off by one.

   strncpy (in->buffer + start, text, len - start + end);
   in->buffer[start + len - start + end - 1] = '\0';

was replaced by:

memcpy (in->buffer + start, text, len - start + end);

in CVS.

------- Additional Comments From michael@neonweb.ru 2005-03-18 21:15:49 ----

Leonard, you're right, it's an off-by-one error.
This patch fragment looks like some code auditor's overreaction to a suspicious
line. Changed to memcpy() in CVS to not trigger suspicion again?

Anyway, leaving it in patch (with "- 1" removed) will do no harm.
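
The three terminator choices discussed in the comments above, as an added C model that is not part of the thread and is not mc's code. The names `insert_completion`, `complete` and `enum term`, the fixed 64-byte buffer, and the step that moves the tail before copying are assumptions of this example; it also goes beyond the reported case by completing a word that has text after it on the line.

```c
#include <stdio.h>
#include <string.h>

/* Terminator choices discussed in the thread. */
enum term { TERM_NONE, TERM_MINUS_ONE, TERM_AT_END };

/* Model only, not mc's function: replace buf[start..end) with the first
 * `count` bytes of `text`. `count` stands for the page's `len - start + end`,
 * so the patch's index `start + len - start + end - 1` is `start + count - 1`.
 * Returns 0 on success, -1 on bad arguments or if the result will not fit. */
static int insert_completion(char *buf, size_t cap, size_t start, size_t end,
                             const char *text, size_t count, enum term t)
{
    size_t cur = strlen(buf);
    if (start > end || end > cur || count == 0 || count > strlen(text))
        return -1;
    size_t tail = cur - end;              /* bytes after the replaced word */
    if (start + count + tail + 1 > cap)   /* +1 for the final NUL */
        return -1;
    /* Assumption of this model: the tail and its NUL are moved first. */
    memmove(buf + start + count, buf + end, tail + 1);
    memcpy(buf + start, text, count);     /* copy with no terminator */
    if (t == TERM_MINUS_ONE)
        buf[start + count - 1] = '\0';    /* lands on the last copied byte */
    else if (t == TERM_AT_END)
        buf[start + count] = '\0';        /* lands on the first tail byte */
    return 0;
}

/* Run one policy on a fresh copy of `line`; NULL if the insert is rejected. */
static const char *complete(const char *line, size_t start, size_t end,
                            const char *text, enum term t)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "%s", line);
    if (insert_completion(buf, sizeof buf, start, end, text, strlen(text), t))
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed inputs: the "lsat" case from the report, then a line
     * with an argument after the word being completed. */
    printf("[%s]\n", complete("lsat", 0, 4, "lsattr", TERM_MINUS_ONE));
    printf("[%s]\n", complete("lsat -d", 0, 4, "lsattr", TERM_AT_END));
    printf("[%s]\n", complete("lsat -d", 0, 4, "lsattr", TERM_NONE));
    return 0;
}
```
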

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1548 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 2405.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Leonard den Ottolander 2005-04-06 13:06:52 UTC
David, could you be so kind to remove that "leonard at" address from this entry
and replace it with "leonard-rh-bugzilla at" please?

Comment 2 Pekka Savola 2005-05-16 12:02:12 UTC
This is tracked in #152889.

*** This bug has been marked as a duplicate of 152889 ***
