Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with internet messages, where temporary files were created without taking appropriate precautions. This vulnerability could potentially be exploited by a local user to overwrite files with the privileges of the user running emacs. ------- Additional Comments From bugs.michael 2004-05-08 04:32:26 ---- rh72: ? -> don't see "flim" in there rh73 + rh80: flim 1.14.3 -> Debian's patch is for 1.14.3 rh9: patch applies cleanly, affected file hasn't changed between 1.14.3 and 1.14.4 -> http://riva.homelinux.org/~ms/rpms/flim-1.14.4-3.legacy.src.rpm -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Red Hat Linux 9: SHA1 820ddc800dc42a5509fdc5397a43670e2e0a0eee flim-1.14.4-3.legacy.src.rpm 9556a81f4ebdd22a33ecf5e30afae7125ad807a7 mel-u.el.diff b8d467949c89f589eda5792577b59d28a3f66a80 flim-1.14.4-3.legacy.noarch.rpm 27819396bb7f12ad3c07e50d466aa974f7b3a858 flim-xemacs-1.14.4-3.legacy.noarch.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFAnO3A0iMVcrivHFQRAq9VAJ9VdRMjNZhygGZ5xs1MKe1UFn2qBwCgiEDB faoMcVBVdWJB+HRCM2bczfk= =8AON -----END PGP SIGNATURE----- ------- Additional Comments From bugs.michael 2004-05-08 04:34:17 ---- Created an attachment (id=655) patch from Debian woody update ------- Additional Comments From jonny.strom 2004-05-09 05:03:46 ---- A uppdate is avalible for a insecure temporary file cration in flim for Redhat 7.3 from here: http://av8.netikka.fi/~johnny/fedora_legacy/rh73/ http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-1.14.3-5.legacy.noarch.rpm bf288c91b16e8104859ca3d4d653563a6609c21a (SHA1) http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-xemacs-1.14.3-5.legacy.noarch.rpm cb41407f8136d5a9dec1e9e116707eacd21ce966 (SHA1) http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-1.14.3-5.legacy.src.rpm 800352ff2064bab6f7175e863a1ef2eb2426ad09 (SHA1) http://213.250.83.8/~johnny/fedora_legacy/rh73/flim-CAN-2004-0422.patch 4c5892f5746e2a466ab74276db6097543bc3d141 (SHA1) ------- Additional Comments From jkeating 2004-05-18 19:05:39 ---- Removed rh72 keyword, only hits 7.3+. Will build 8.0/9 packages for QA ------- Additional Comments From bugs.michael 2004-05-19 02:50:51 ---- rh9 package can be found in comment 1 ------- Additional Comments From marcdeslauriers 2004-05-23 04:52:20 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are packages for 8.0: d263d626a9dd2947c14739a2fbd5d25efb684bad flim-1.14.3-8.legacy.noarch.rpm 530020f9fd6486cdba98997d65ead394ff79ad55 flim-1.14.3-8.legacy.src.rpm 7da1c022a2d6677aaac15e8ae55f8eefd04eb080 flim-xemacs-1.14.3-8.legacy.noarch.rpm http://www.infostrategique.com/linuxrpms/legacy/flim-1.14.3-8.legacy.noarch.rpm http://www.infostrategique.com/linuxrpms/legacy/flim-1.14.3-8.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/flim-xemacs-1.14.3-8.legacy.noarch.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAsLpyLMAs/0C4zNoRAhEjAJ9tw5yO5qiDDk20Jud8PYAw3pZp3QCgiXbH 8Mu8pPiQEiCjBClaxdgdY8s= =DpY4 -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-06-05 06:03:04 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tested rh9 package: 820ddc800dc42a5509fdc5397a43670e2e0a0eee flim-1.14.4-3.legacy.src.rpm - - sha1sums match - - spec file looks good - - patch looks good - - builds OK - - installs OK +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwe6gLMAs/0C4zNoRAitsAJ9Ts89Qg0XAFX354DaDjlYtSRssGwCeMI91 FY3ZkfbLEdYDgZUbx5WL4Ao= =/Ypg -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-06-05 06:12:27 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tested rh7.3 package: 800352ff2064bab6f7175e863a1ef2eb2426ad09 flim-1.14.3-5.legacy.src.rpm - - sha1sums match - - spec file looks good - - patch looks good - - builds OK - - installs OK +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAwfCnLMAs/0C4zNoRApNxAKDBZr6ADQTwFLAxxiRQwb609ZOAUgCgvACF iSVNvir/T56HrvhFmjsTuwU= =NRsP -----END PGP SIGNATURE----- ------- Additional Comments From jkeating 2004-06-15 12:04:07 ---- RHL9 package isn't building in mach very well, failing with this: + make EMACS=xemacs PACKAGEDIR=/var/tmp/flim-1.14.4-root/usr/share/xemacs/xemacs-packages install-package xemacs -batch -q -no-site-file -l FLIM-MK -f compile-flim-package /var/tmp/flim-1.14.4-root/usr/share/xemacs/xemacs-packages xemacs: error while loading shared libraries: libXm.so.3: cannot open shared object file: No such file or directory make: *** [package] Error 127 Even when openmotif is added ( which owns the /usr/X11R6/lib/libXm.so.3 ) the build fails at the same point. Something odd is going on. ------- Additional Comments From bugs.michael 2004-06-15 12:42:33 ---- Openmotif package runs ldconfig in %post scriptlet, so it's not the culprit. bug 1690 was similar, maybe RPM related. In mach chroot: # ldd $(which xemacs) libXm.so.3 => not found # ldconfig -p | grep Xm libXmuu.so.1 (libc6) => /usr/X11R6/lib/libXmuu.so.1 libXmu.so.6 (libc6) => /usr/X11R6/lib/libXmu.so.6 # ldconfig # ldconfig -p | grep Xm libXmuu.so.1 (libc6) => /usr/X11R6/lib/libXmuu.so.1 libXmu.so.6 (libc6) => /usr/X11R6/lib/libXmu.so.6 libXm.so.3 (libc6) => /usr/X11R6/lib/libXm.so.3 So, enter chroot, run ldconfig, then 'mach -k rebuild' the package. ------- Additional Comments From jkeating 2004-06-16 18:37:01 ---- Actually it's because I had opemotif as a listed buildreq for flim, and not for the subpackage of xemacs which has its own listing of buildreqs. Moved it down below and all seems to be working now. *shrug* ------- Additional Comments From jkeating 2004-06-16 19:41:42 ---- Pushed to updates-testing: http://download.fedoralegacy.org/redhat/ f7236bf2d2a3ed5b024e391918ff286b8f0b10db 7.3/updates-testing/SRPMS/flim-1.14.4-4.7x.legacy.src.rpm c3683fae4e02fa01490a0e7376b0cc680921c3cc 7.3/updates-testing/i386/flim-1.14.4-4.7x.legacy.noarch.rpm b895a2ea9a6c7c52f22cabd273306dfea9d318e4 7.3/updates-testing/i386/flim-xemacs-1.14.4-4.7x.legacy.noarch.rpm 20ab29707a40a754bb7259b8940be283eb82f7d0 9/updates-testing/SRPMS/flim-1.14.4-4.9.legacy.src.rpm 136a864b72fe9600caeec27b0804a55013c27dbc 9/updates-testing/i386/flim-1.14.4-4.9.legacy.noarch.rpm 5ce5f434dd078bfb863f595379897ad1e9b37a59 9/updates-testing/i386/flim-xemacs-1.14.4-4.9.legacy.noarch.rpm ------- Additional Comments From bugs.michael 2004-06-17 00:35:06 ---- In reply to comment 11: *All* buildrequires for a src.rpm are installed, no matter whether listed in a sub-package or in the main package. Changed package installation order can result in a different package running ldconfig after openmotif was installed. Why openmotif's own ldconfig scriplets don't suffice, remains to be investigated (if somebody has fun to do it). ------- Additional Comments From dom 2004-06-21 06:47:22 ---- 1.14i-4.7.3.1.legacy installs and runs fine on rh7.3 - not tested file extraction. ------- Additional Comments From marcdeslauriers 2004-08-30 14:00:10 ---- *** Bug 2004 has been marked as a duplicate of this bug. *** ------- Additional Comments From dom 2004-09-08 13:21:52 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 136a864b72fe9600caeec27b0804a55013c27dbc i386/flim-1.14.4-4.9.legacy.noarch.rpm 5ce5f434dd078bfb863f595379897ad1e9b37a59 i386/flim-xemacs-1.14.4-4.9.legacy.noarch.rpm 20ab29707a40a754bb7259b8940be283eb82f7d0 SRPMS/flim-1.14.4-4.9.legacy.src.rpm for RH9: - - installs - - builds from source ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBP5PAYzuFKFF44qURAkp5AKC6riY6dMdBRtqZ7MdP9eYLlf8iwwCgtLv2 39xUGHgD7nHdasUoI02Dmys= =BXH2 -----END PGP SIGNATURE----- ------- Additional Comments From ckelley 2004-09-09 06:13:52 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 c3683fae4e02fa01490a0e7376b0cc680921c3cc flim-1.14.4-4.7x.legacy.noarch.rpm f7236bf2d2a3ed5b024e391918ff286b8f0b10db flim-1.14.4-4.7x.legacy.src.rpm b895a2ea9a6c7c52f22cabd273306dfea9d318e4 flim-xemacs-1.14.4-4.7x.legacy.noarch.rpm SRPM builds just fine. Packages install just fine. VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBQIExyQ+yTHz+jJkRAkiaAJ9csNaX/Q7ERMDNH5ySSKuzWTcQkwCdFFjk LpXm7QsSvbqSy1/pHBr1a8Q= =uUEh -----END PGP SIGNATURE----- ------- Additional Comments From mule 2004-09-10 05:38:11 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 136a864b72fe9600caeec27b0804a55013c27dbc flim-1.14.4-4.9.legacy.noarch.rpm 20ab29707a40a754bb7259b8940be283eb82f7d0 flim-1.14.4-4.9.legacy.src.rpm 5ce5f434dd078bfb863f595379897ad1e9b37a59 flim-xemacs-1.14.4-4.9.legacy.noarch.rpm For Red Hat 9: * spec file looks ok * dependencies look ok * builds from source * installs VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFBQcPbTsaUa9pp4VIRAptlAKDuSf64UVxCm8VAYguqBDW3DarQ5ACfTpv9 jPv3CuYnsNStdDO6EKDow/Y= =Ktl/ -----END PGP SIGNATURE----- ------- Additional Comments From dom 2004-09-29 12:51:47 ---- Will release tonight. http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1581-flim-draft.txt ------- Bug moved to this database by dkl 2005-03-30 18:24 ------- This bug previously known as bug 1581 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=1581 Originally filed under the Fedora Legacy product and Package request component. Attachments: patch from Debian woody update https://bugzilla.fedora.us/attachment.cgi?action=view&id=655 Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was jonny.strom. Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.