Bug 152713 - flim insecure temporary file CAN-2004-0422
Summary: flim insecure temporary file CAN-2004-0422
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: LEGACY, rh73, rh90
Depends On:
Blocks:
 
Reported: 2004-05-08 07:13 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-05 22:56:24 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:24:55 UTC
Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for
working with internet messages, where temporary files were created without
taking appropriate precautions. This vulnerability could potentially be
exploited by a local user to overwrite files with the privileges of the user
running emacs.
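
The bug class named in the description (a temp file created at a predictable name that a local attacker can pre-plant as a symlink) can be shown end to end in a scratch directory. The block below is an added example written for this page; it is not flim's mel-u.el, nor the Debian patch attached to this bug, and it is in Python rather than Emacs Lisp because the defect is an OS-level file-creation pattern, not anything specific to Emacs. The file names (`victim.txt`, `flim-tmp`), the `flim-` prefix and the "decoded uuencode body" payload are constructed for the demo; the scenario plays both attacker and victim as the same user in one directory, which is enough to show the symlink being followed.

```python
import errno
import os
import tempfile


def insecure_write(directory, predictable_name, data):
    """Vulnerable pattern (constructed, not flim's code): write decoded output to
    a temp file whose name anyone can predict, via plain open(). open(..., "w")
    follows symlinks and truncates, so a symlink planted at that name redirects
    the write to whatever file the attacker chose, with the victim's privileges."""
    path = os.path.join(directory, predictable_name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def secure_write(directory, data):
    """Hardened pattern: unpredictable name created atomically by mkstemp()
    (O_CREAT|O_EXCL, mode 0600), so a pre-planted path cannot be reused."""
    fd, path = tempfile.mkstemp(prefix="flim-", dir=directory)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def exclusive_write(path, data):
    """When the name is fixed by the caller, O_EXCL refuses any existing path
    (a symlink included, regardless of its target) and O_NOFOLLOW is a second
    guard against following one. Returns True on success, False if the path was
    already occupied."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return True


def _read(path):
    with open(path) as fh:
        return fh.read()


def run_demo(workdir=None):
    """Plays attacker and victim in one scratch directory (a constructed
    scenario): the attacker symlinks the predictable temp name to a file the
    victim owns, then the victim runs each writer. Returns what happened."""
    workdir = workdir or tempfile.mkdtemp(prefix="tmpfile-demo-")
    original = "original contents\n"
    payload = "decoded uuencode body\n"
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write(original)
    link = os.path.join(workdir, "flim-tmp")
    os.symlink(victim, link)  # attacker's move, made before the victim runs

    results = {}
    # Vulnerable writer: the symlink is followed and victim.txt is overwritten.
    insecure_write(workdir, "flim-tmp", payload)
    results["insecure_clobbered_victim"] = _read(victim) == payload

    with open(victim, "w") as fh:  # restore the victim for the hardened runs
        fh.write(original)
    # mkstemp picks a fresh random name; the planted link is never touched.
    safe_path = secure_write(workdir, payload)
    results["mkstemp_wrote_fresh_file"] = (
        not os.path.samefile(safe_path, victim) and _read(safe_path) == payload
    )
    # O_EXCL on the planted name fails instead of following the symlink.
    results["excl_refused_planted_link"] = not exclusive_write(link, payload)
    results["victim_intact_after_hardened"] = _read(victim) == original
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The point for a reviewer of a patch like the one attached here is that both halves matter: an unpredictable name alone still loses to an attacker who can guess or race it, and O_EXCL alone on a fixed name turns the overwrite into a denial of service. Using both, and a private directory (mode 0700) where the library can create one, is the usual fix for this class.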



------- Additional Comments From bugs.michael 2004-05-08 04:32:26 ----

rh72: ? -> don't see "flim" in there

rh73 + rh80: flim 1.14.3 -> Debian's patch is for 1.14.3

rh9: patch applies cleanly, affected file hasn't changed between 1.14.3 and
1.14.4 -> http://riva.homelinux.org/~ms/rpms/flim-1.14.4-3.legacy.src.rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Red Hat Linux 9:

SHA1
820ddc800dc42a5509fdc5397a43670e2e0a0eee  flim-1.14.4-3.legacy.src.rpm
9556a81f4ebdd22a33ecf5e30afae7125ad807a7  mel-u.el.diff

b8d467949c89f589eda5792577b59d28a3f66a80  flim-1.14.4-3.legacy.noarch.rpm
27819396bb7f12ad3c07e50d466aa974f7b3a858  flim-xemacs-1.14.4-3.legacy.noarch.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAnO3A0iMVcrivHFQRAq9VAJ9VdRMjNZhygGZ5xs1MKe1UFn2qBwCgiEDB
faoMcVBVdWJB+HRCM2bczfk=
=8AON
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-05-08 04:34:17 ----

Created an attachment (id=655)
patch from Debian woody update




------- Additional Comments From jonny.strom 2004-05-09 05:03:46 ----

An update is available for an insecure temporary file creation in flim for Red Hat
7.3 from here:

http://av8.netikka.fi/~johnny/fedora_legacy/rh73/

http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-1.14.3-5.legacy.noarch.rpm
bf288c91b16e8104859ca3d4d653563a6609c21a (SHA1) 

http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-xemacs-1.14.3-5.legacy.noarch.rpm
cb41407f8136d5a9dec1e9e116707eacd21ce966 (SHA1)

http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-1.14.3-5.legacy.src.rpm
800352ff2064bab6f7175e863a1ef2eb2426ad09 (SHA1) 

http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-CAN-2004-0422.patch
4c5892f5746e2a466ab74276db6097543bc3d141 (SHA1) 



------- Additional Comments From jkeating 2004-05-18 19:05:39 ----

Removed rh72 keyword, only hits 7.3+.  Will build 8.0/9 packages for QA



------- Additional Comments From bugs.michael 2004-05-19 02:50:51 ----

rh9 package can be found in comment 1



------- Additional Comments From marcdeslauriers 2004-05-23 04:52:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for 8.0:

d263d626a9dd2947c14739a2fbd5d25efb684bad  flim-1.14.3-8.legacy.noarch.rpm
530020f9fd6486cdba98997d65ead394ff79ad55  flim-1.14.3-8.legacy.src.rpm
7da1c022a2d6677aaac15e8ae55f8eefd04eb080  flim-xemacs-1.14.3-8.legacy.noarch.rpm

http://www.infostrategique.com/linuxrpms/legacy/flim-1.14.3-8.legacy.noarch.rpm
http://www.infostrategique.com/linuxrpms/legacy/flim-1.14.3-8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/flim-xemacs-1.14.3-8.legacy.noarch.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAsLpyLMAs/0C4zNoRAhEjAJ9tw5yO5qiDDk20Jud8PYAw3pZp3QCgiXbH
8Mu8pPiQEiCjBClaxdgdY8s=
=DpY4
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-06-05 06:03:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh9 package:

820ddc800dc42a5509fdc5397a43670e2e0a0eee  flim-1.14.4-3.legacy.src.rpm

- - sha1sums match
- - spec file looks good
- - patch looks good
- - builds OK
- - installs OK

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwe6gLMAs/0C4zNoRAitsAJ9Ts89Qg0XAFX354DaDjlYtSRssGwCeMI91
FY3ZkfbLEdYDgZUbx5WL4Ao=
=/Ypg
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-06-05 06:12:27 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested rh7.3 package:

800352ff2064bab6f7175e863a1ef2eb2426ad09  flim-1.14.3-5.legacy.src.rpm

- - sha1sums match
- - spec file looks good
- - patch looks good
- - builds OK
- - installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwfCnLMAs/0C4zNoRApNxAKDBZr6ADQTwFLAxxiRQwb609ZOAUgCgvACF
iSVNvir/T56HrvhFmjsTuwU=
=NRsP
-----END PGP SIGNATURE-----



------- Additional Comments From jkeating 2004-06-15 12:04:07 ----

RHL9 package isn't building in mach very well, failing with this:

+ make EMACS=xemacs
PACKAGEDIR=/var/tmp/flim-1.14.4-root/usr/share/xemacs/xemacs-packages
install-package
xemacs -batch -q -no-site-file -l FLIM-MK -f compile-flim-package
/var/tmp/flim-1.14.4-root/usr/share/xemacs/xemacs-packages
xemacs: error while loading shared libraries: libXm.so.3: cannot open shared
object file: No such file or directory
make: *** [package] Error 127

Even when openmotif is added ( which owns the /usr/X11R6/lib/libXm.so.3 ) the
build fails at the same point.  Something odd is going on.



------- Additional Comments From bugs.michael 2004-06-15 12:42:33 ----

Openmotif package runs ldconfig in %post scriptlet, so it's not the culprit. bug
1690 was similar, maybe RPM related.

In mach chroot:

# ldd $(which xemacs)
        libXm.so.3 => not found
# ldconfig -p | grep Xm 
        libXmuu.so.1 (libc6) => /usr/X11R6/lib/libXmuu.so.1
        libXmu.so.6 (libc6) => /usr/X11R6/lib/libXmu.so.6
# ldconfig
# ldconfig -p | grep Xm
        libXmuu.so.1 (libc6) => /usr/X11R6/lib/libXmuu.so.1
        libXmu.so.6 (libc6) => /usr/X11R6/lib/libXmu.so.6
        libXm.so.3 (libc6) => /usr/X11R6/lib/libXm.so.3

So, enter chroot, run ldconfig, then 'mach -k rebuild' the package. 




------- Additional Comments From jkeating 2004-06-16 18:37:01 ----

Actually it's because I had openmotif as a listed buildreq for flim, and not for
the subpackage of xemacs which has its own listing of buildreqs.  Moved it down
below and all seems to be working now.  *shrug*



------- Additional Comments From jkeating 2004-06-16 19:41:42 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
f7236bf2d2a3ed5b024e391918ff286b8f0b10db 
7.3/updates-testing/SRPMS/flim-1.14.4-4.7x.legacy.src.rpm
c3683fae4e02fa01490a0e7376b0cc680921c3cc 
7.3/updates-testing/i386/flim-1.14.4-4.7x.legacy.noarch.rpm
b895a2ea9a6c7c52f22cabd273306dfea9d318e4 
7.3/updates-testing/i386/flim-xemacs-1.14.4-4.7x.legacy.noarch.rpm

20ab29707a40a754bb7259b8940be283eb82f7d0 
9/updates-testing/SRPMS/flim-1.14.4-4.9.legacy.src.rpm
136a864b72fe9600caeec27b0804a55013c27dbc 
9/updates-testing/i386/flim-1.14.4-4.9.legacy.noarch.rpm
5ce5f434dd078bfb863f595379897ad1e9b37a59 
9/updates-testing/i386/flim-xemacs-1.14.4-4.9.legacy.noarch.rpm



------- Additional Comments From bugs.michael 2004-06-17 00:35:06 ----

In reply to comment 11: *All* buildrequires for a src.rpm are installed, no
matter whether listed in a sub-package or in the main package. Changed package
installation order can result in a different package running ldconfig after
openmotif was installed. Why openmotif's own ldconfig scriptlets don't suffice
remains to be investigated (if somebody has fun doing it).



------- Additional Comments From dom 2004-06-21 06:47:22 ----

1.14i-4.7.3.1.legacy installs and runs fine on rh7.3 - not tested file extraction.



------- Additional Comments From marcdeslauriers 2004-08-30 14:00:10 ----

*** Bug 2004 has been marked as a duplicate of this bug. ***



------- Additional Comments From dom 2004-09-08 13:21:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

136a864b72fe9600caeec27b0804a55013c27dbc  i386/flim-1.14.4-4.9.legacy.noarch.rpm
5ce5f434dd078bfb863f595379897ad1e9b37a59 
i386/flim-xemacs-1.14.4-4.9.legacy.noarch.rpm
20ab29707a40a754bb7259b8940be283eb82f7d0  SRPMS/flim-1.14.4-4.9.legacy.src.rpm

for RH9:
- - installs
- - builds from source

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBP5PAYzuFKFF44qURAkp5AKC6riY6dMdBRtqZ7MdP9eYLlf8iwwCgtLv2
39xUGHgD7nHdasUoI02Dmys=
=BXH2
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-09 06:13:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
c3683fae4e02fa01490a0e7376b0cc680921c3cc  flim-1.14.4-4.7x.legacy.noarch.rpm
f7236bf2d2a3ed5b024e391918ff286b8f0b10db  flim-1.14.4-4.7x.legacy.src.rpm
b895a2ea9a6c7c52f22cabd273306dfea9d318e4  flim-xemacs-1.14.4-4.7x.legacy.noarch.rpm
 
SRPM builds just fine.  Packages install just fine.
 
VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBQIExyQ+yTHz+jJkRAkiaAJ9csNaX/Q7ERMDNH5ySSKuzWTcQkwCdFFjk
LpXm7QsSvbqSy1/pHBr1a8Q=
=uUEh
-----END PGP SIGNATURE-----




------- Additional Comments From mule 2004-09-10 05:38:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
136a864b72fe9600caeec27b0804a55013c27dbc  flim-1.14.4-4.9.legacy.noarch.rpm
20ab29707a40a754bb7259b8940be283eb82f7d0  flim-1.14.4-4.9.legacy.src.rpm
5ce5f434dd078bfb863f595379897ad1e9b37a59  flim-xemacs-1.14.4-4.9.legacy.noarch.rpm
 
For Red Hat 9:
* spec file looks ok
* dependencies look ok
* builds from source
* installs
 
VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQcPbTsaUa9pp4VIRAptlAKDuSf64UVxCm8VAYguqBDW3DarQ5ACfTpv9
jPv3CuYnsNStdDO6EKDow/Y=
=Ktl/
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-09-29 12:51:47 ----

Will release tonight.
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1581-flim-draft.txt



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1581 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1581
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch from Debian woody update
https://bugzilla.fedora.us/attachment.cgi?action=view&id=655

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



