Bug 152729 - Format String Vulnerability in Tripwire
Summary: Format String Vulnerability in Tripwire
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard: LEGACY, rh73, rh90
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-06-04 10:40 UTC by Howard Owen
Modified: 2008-05-01 15:38 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:25:27 UTC
Confirmed and patch blessed in
http://www.securityfocus.com/archive/1/365100/2004-06-01/2004-06-07/0

This applies at least to Red Hat Linux 9.



------- Additional Comments From marcdeslauriers 2004-06-04 13:57:43 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for 7.3 and 9:

Changelog:
* Fri Jun 04 2004 Marc Deslauriers <marcdeslauriers> 2.3.1-19.legacy
- - Added patch for format string vulnerability (FL #1719)

7.3:
c46da2908063ec8bd88ab4cb52b7d3bf91b514d0  tripwire-2.3.1-18.legacy.i386.rpm
47958d4e6ee33b738145ffdd12649e72eecb2e5c  tripwire-2.3.1-18.legacy.src.rpm

9:
aff57cf7b697be76e28564f7d4de947b3c91c790  tripwire-2.3.1-19.legacy.i386.rpm
3b1025a1fb78d59621298f1cad0a7c377b29e6c4  tripwire-2.3.1-19.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/tripwire-2.3.1-18.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/tripwire-2.3.1-18.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tripwire-2.3.1-19.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/tripwire-2.3.1-19.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAwQwoLMAs/0C4zNoRAhlLAJ0VX4oSDwvlMe5+fZoVOn8fQOSAXACfQfKu
0eUHb+/OVnEhe88C3/uSLHc=
=Y2Q5
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-06-05 22:54:02 ----

I did a QA on the RH9 packages.

SHA1 is ok.
Installs ok.
I did a wery basic fuctionallity testing and it seems to be ok.
The patch and the spec file looks ok.

I wote for publish.





------- Additional Comments From hbo 2004-06-07 14:58:15 ----

Change URL to Security Focus approved form. The followup should be accessed at
http://www.securityfocus.com/archive/1/365100, too.



------- Additional Comments From bugs.michael 2004-06-15 08:46:37 ----

fedora.us will bump tripwire version from tripwire-2.3.1-18.fdr.3 to
tripwire-2.3.1-20.fdr.1 for FC1/FC2, so these two legacy updates won't be newer




------- Additional Comments From marcdeslauriers 2004-06-15 14:31:01 ----

Oups! Sorry for breaking that...I never thought to look for tripwire in the
fedora.us packages...



------- Additional Comments From jkeating 2004-06-16 17:53:24 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/
 
b266219a8b7d05e35e2dba5c7a33bb15d518f7ad 
7.3/updates-testing/SRPMS/tripwire-2.3.1-20.legacy.7x.src.rpm
e7649912f208a73276c16cffcb4dfb19e23bad9c 
7.3/updates-testing/i386/tripwire-2.3.1-20.legacy.7x.i386.rpm
 
c65f628b723c3280d2cce0484ba5e8163081e1e8 
9/updates-testing/SRPMS/tripwire-2.3.1-20.legacy.9.src.rpm
321d6537458ef99779be8f5377ea94695c6e1b5f 
9/updates-testing/i386/tripwire-2.3.1-20.legacy.9.i386.rpm



------- Additional Comments From bugs.michael 2004-06-17 05:25:49 ----

Thanks for ignoring/overlooking comment 4. :-/

Please keep release version lower than FC1/FC2.

Prior to the vulnerability

rh73 contained: tripwire-2.3.1-10.i386.rpm 
rh9 contained: tripwire-2.3.1-17.i386.rpm
fc1 contained: tripwire-2.3.1-18.fdr.3.1.i386.rpm

So there is no need to bump the version to 20.legacy.X



------- Additional Comments From tripwire-devel.co.uk 2004-06-17 18:18:59 ----

For those not CC:'d to bug 1308, please read this:

https://bugzilla.fedora.us/show_bug.cgi?id=1308#c45

It would be great if we could sync our methods, and start using policy diffs for
each release. The diffs are primarily aimed at *new* critical files unique to
each release, but could also be stripped redundant entries.

Actually I'd prefer both:

twpol-<distro>.txt
twpol-<distro>-added.diff
twpol-<distro>-removed.diff

That way it is always crystal clear what part of the filesystem has changed, and
how.

To establish a baseline, I'll be using the policy from tripwire-2.3.1-17.src.rpm
and running it against a policy validator for FC1 and FC2 systems.

I'm starting work on some more scripts, including a policy diffs creator, so
I'll let you know when that's done.

Meanwhile I'd appreciate some feedback on this idea, and input on new critical
files on RH Legacy systems (compared to the original policy).

I've made a basic policy validator, along with some other Tripwire scripts,
available here:

http://www.genesis-x.nildram.co.uk/filez/tripwire-scripts-2.3.1-18.fdr.8.sea.bin.tar.bz2

Thanks.

K.



------- Additional Comments From marcdeslauriers 2004-09-08 11:12:57 ----

In response to comment 8:

Unfortunately, i don't think Fedora Legacy has any volunteers to make policy
diffs right now. If someone steps up to do this, great. But in the meantime,
Fedora Legacy packages will only have security patches.





------- Additional Comments From marcdeslauriers 2004-09-08 11:14:45 ----

These packages need to be pushed back to updates-testing with decreased release
tags so as not to conflict with the FC packages from fedora.us. The version
numbers that should be used are:

7.3:
tripwire-2.3.1-18.legacy.i386.rpm
tripwire-2.3.1-18.legacy.src.rpm

9:
tripwire-2.3.1-19.legacy.i386.rpm
tripwire-2.3.1-19.legacy.src.rpm




------- Additional Comments From mule 2004-09-09 07:49:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
321d6537458ef99779be8f5377ea94695c6e1b5f  tripwire-2.3.1-20.legacy.9.i386.rpm
c65f628b723c3280d2cce0484ba5e8163081e1e8  tripwire-2.3.1-20.legacy.9.src.rpm
 
For Red Hat 9:
* builds from source
* installs
 
I've have been using this package on a production server since August 25, 2004
with no problems...
 
I would agree with all of comment #10...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQJe9TsaUa9pp4VIRAoLpAJ9Vr89jFyZ+7NW0sH0q+lXxng9DTwCg+fwI
k5UKeSVMWTLQG8ogDLaN5/w=
=LqMR
-----END PGP SIGNATURE-----




------- Additional Comments From mule 2004-09-14 04:11:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I would like to give folks a gentle nudge to resolve any versioning issues with
the current tripwire packages in updates-tesing.
                                                                                
Please use comment #7 as a reference.
                                                                                
Would it be possible to redo the versions in updates-testing from
                                                                                
  tripwire-2.3.1-20.legacy.7x
  tripwire-2.3.1-20.legacy.9
                                                                                
to
                                                                                
  tripwire-2.3.1-10.1.legacy.7x
  tripwire-2.3.1-17.1.legacy.9
                                                                                
or such to keep the version lower than tripwire-2.3.1-18.fdr.3.1 in FC1?
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBRvvpTsaUa9pp4VIRAj27AKDn0TnnsCpTV60EHIuiSrY0k5Kq2ACgxisJ
apK4Jwryfc/6MR22Ux77DYk=
=yqhX
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-09-14 04:35:39 ----

Fedora Core 1, fedora.us testing repository:

tripwire-2.3.1-18.fdr.3.1.i386.rpm              30-Nov-2003
tripwire-2.3.1-20.fdr.1.1.i386.rpm              15-Jun-2004

20.legacy would be higher than 20.fdr




------- Additional Comments From marcdeslauriers 2004-10-03 12:37:06 ----

Built new packages and pushed to updates-testing.




------- Additional Comments From bugs.michael 2004-10-03 13:04:18 ----

Please don't ignore the comments in this ticket. Your
tripwire-2.3.1-20.legacy.9.i386.rpm breaks the upgrade path to Fedora Core 1 and 2.



------- Additional Comments From bugs.michael 2004-10-03 13:09:49 ----

Um, Marc, there are no new packages in updates-testing yet.



------- Additional Comments From marcdeslauriers 2004-10-03 14:35:02 ----

Michael,
I didn't ignore the comments, they are the reason I built new packages.
Here are the version numbers I used:
  tripwire-2.3.1-10.1.legacy.7x
  tripwire-2.3.1-17.1.legacy.9

They will appear in updates-testing in tonights sync, and I will release the
notification tomorrow morning.



------- Additional Comments From mule 2004-10-08 05:24:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
In doing the QA for the Red Hat 9 packages I came across an issue with the
tripwire.spec file.  The file contains the duplicate line:
 
Patch4: tripwire-mkstemp.patch
  
Also, please post the sha1sums for the new packages
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBZrBATsaUa9pp4VIRAivrAJsF8T4O3t+alPg3OSiAlbWNtaENywCgx+F6
V1941yyUBU1ODKN+ZkTO8KA=
=kQfw
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-09 10:06:29 ----

In response to comment 18:

New packages were pushed to updates-testing to fix the duplicate patch entry.

Here are the sha1sums:

1b2a8875e86492065f53db69d04de4a452fb1c5f 
7.3/updates-testing/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2 
7.3/updates-testing/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5 
9/updates-testing/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2 
9/updates-testing/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm



------- Additional Comments From mule 2004-10-09 16:07:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5  tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2  tripwire-2.3.1-17.2.legacy.9.src.rpm
  
For Red Hat 9:
  
* Checked spec file - OK
* Checked tripwire-2.3.1-2-formatstring.patch - OK
* Builds from source - OK
* Installs - OK
* Ran tripwire check and update - OK
  
VERIFY++
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBaJZFTsaUa9pp4VIRAuuWAJ0dUpsH+Q9I5YE8LBc7MKwZpjKkJwCfbn9j
/BCtDnjzqCoD65xrUY1BrCc=
=bE+B
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-10-20 05:48:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
1b2a8875e86492065f53db69d04de4a452fb1c5f 
tripwire-2.3.1-10.1.legacy.7x.i386.rpm3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2 
tripwire-2.3.1-10.1.legacy.7x.src.rpm
 
 - libraries match with tripwire-2.3.1-10 (rh)
 - package installs/upgrades fine
 - source-built package looks good
 - tripwire initializes and runs fine after upgrade
 
++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBdoigyQ+yTHz+jJkRAscgAKCn2xXgMGepDlWhn/r7BtxTqUBScQCfbn7t
tbC6S8lY6q9YgXKf/9+7Gm4=
=8Tuz
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-24 03:42:54 ----

Packages were pushed to official updates.



------- Additional Comments From jimpop 2005-01-05 09:49:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+VERIFIED 73

Tested and verified on RH73.  Full functionality (--init, --interactive,
--update, etc) tested extensively over 3 month period on a server experiencing
daily (hourly?) changes to monitored config files, etc.

1b2a8875e86492065f53db69d04de4a452fb1c5f  tripwire-2.3.1-10.1.legacy.7x.i386.rpm

- -Jim P.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB3EL6uhh7yV/E9I4RAtGOAJ9OtFi4H+/qz/RqxYBOTyf93WsLhwCfUAAl
dAclQwo4T5PN/4ujdPtjiL0=
=VEY8
-----END PGP SIGNATURE-----



------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1719 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1719
Originally filed under the Fedora Legacy product and Package request component.
Bug depends on bug(s) 1308.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.




Note You need to log in before you can comment on or make changes to this bug.