Bug 152758 - CAN-2004-0494 GNOME VFS extfs vulnerability
CAN-2004-0494 GNOME VFS extfs vulnerability
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: gnome-vfs (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
LEGACY, rh73, rh90
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-04 13:16 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 19:17:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:26:26 EST
Flaws have been found in several of the GNOME VFS extfs backend scripts.
Red Hat Enterprise Linux ships with vulnerable scripts, but they are not
used by default. An attacker who is able to influence a user to open a
specially-crafted URI using gnome-vfs could perform actions as that user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0494 to this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2004-373.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0494



------- Additional Comments From michal@harddata.com 2004-08-08 16:40:41 ----

Created an attachment (id=804)
modifications to gnome-vfs spec file.

Because the problem is in really unused extfs support then the fix
is remove that from this package.  RHEL is fixing this in the same
way (although a version of gnome-vfs is different).



------- Additional Comments From jp107@damtp.cam.ac.uk 2004-08-13 06:36:57 ----

Created an attachment (id=816)
patch for gnome-vfs2.spec

Here is a patch which does essentially the same as above (which is fine for
gnome-vfs), for the gnome-vfs2 specfile as on RH9 (and with minor change RH8
too).  This is based on the change in RHEL 3AS...

See srpms built for RH9 from this and the previous patches in
http://www.damtp.cam.ac.uk/user/jp107/legacy/9/

2aaf7c71384766ecbda3365140df963da36c0bb1 
RPMS/i386/gnome-vfs-1.0.5-14.9.legacy.i386.rpm
d9c6c04a6e3da626c8f63650821cf67f15a0f6b0 
RPMS/i386/gnome-vfs-debuginfo-1.0.5-14.9.legacy.i386.rpm
3a2247385d67e3cafaeecae830a50e9c8be7b98e 
RPMS/i386/gnome-vfs-devel-1.0.5-14.9.legacy.i386.rpm
ebd730fc827c8c12252dac1e140974b9af31f387 
RPMS/i386/gnome-vfs2-2.2.2-5.9.legacy.i386.rpm
a27ac2580d829cdd963deab0f9f39463330a15c3 
RPMS/i386/gnome-vfs2-debuginfo-2.2.2-5.9.legacy.i386.rpm
a710d15fd19278c471574191d685fe190d17bc32 
RPMS/i386/gnome-vfs2-devel-2.2.2-5.9.legacy.i386.rpm
9bc37eadc8e62e500250e89b2151ae34802fa5f3 
SRPMS/gnome-vfs-1.0.5-14.9.legacy.src.rpm
8b9527eb9a0254061d082055e6d3ccd3dff8e079 
SRPMS/gnome-vfs2-2.2.2-5.9.legacy.src.rpm

Only lightly tested so far though...

I also have RH8 updates if anyone is interested (I guess not).




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-08-30 09:24:13 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Build packages for RH7.3 using included patch in the bug report:

sha1sum -b *
92a084f8971681766f28077d08dbe447513c38b5 *gnome-vfs-1.0.5-4.7x.legacy.i386.rpm
bb87f027542b077b8e3196746847edcffaa81946 *gnome-vfs-1.0.5-4.7x.legacy.src.rpm
8f2b1b367c2827f522ecd56b34e436333f694bc8
*gnome-vfs-devel-1.0.5-4.7x.legacy.i386

download from:
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/gnome-vfs

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBM349SY7s7uPf/IURAsBZAJ93g9ElgvXovOomDLGyWcoRs7jJUACgygXf
ZbWNBvEy6IVaQrMeY7LLI4I=
=5kk8
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-09-24 10:31:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bb87f027542b077b8e3196746847edcffaa81946  gnome-vfs-1.0.5-4.7x.legacy.src.rpm

- - sources identical
- - builds cleanly
- - spec file identical apart from removal of extfs libraries
- - installs cleanly
- - extfs libraries are removed

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBVIO6YzuFKFF44qURAv8MAKD2yeWda0s12R2a4ENrqi0TbGsPRgCg/iej
I6PgbKsXm2BVP7R5lxtyBco=
=qvfP
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-21 16:12:36 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh9 package:

8b9527eb9a0254061d082055e6d3ccd3dff8e079  gnome-vfs2-2.2.2-5.9.legacy.src.rpm

- - spec file changes are good
- - Source files match previous release
- - Builds and installs.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBeGyHLMAs/0C4zNoRAgxZAJwIA+pu9O/BtT9WzUOiYAYuOe2C4wCeJ48b
LE/WhTYE8crcl+HV48+H2xU=
=hzwh
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-30 17:08:43 ----

Packages were pushed to updates-testing



------- Additional Comments From dom@earth.li 2004-12-10 02:19:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1b2e233aa6ae55ae23a6789fb13c5b6448a2a949  gnome-vfs-1.0.5-4.1.legacy.i386.rpm
7a651d8d5ddfc1838664551c97f0326a385f80d1  gnome-vfs-devel-1.0.5-4.1.legacy.i386.rpm

- - installs ok
- - nautilus runs

VERIFY rh73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBuZRFYzuFKFF44qURAsBsAKCpJzuD/RxpE1LylOFUGkAbGz7hXgCg8sRt
m3It1KIM3IoFYfVNAcpPK+o=
=xqF6
-----END PGP SIGNATURE-----



------- Additional Comments From S.J.Thompson@cs.bham.ac.uk 2005-02-14 00:46:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Testing on RedHat 9

RPM
0c4d06767ec7ffefbcdb77b66f8845502204d5da  gnome-vfs-1.0.5-13.1.legacy.i386.rpm
8f5c82ba289b2e7b51079af4867ddddaf66006d4  gnome-vfs2-2.2.2-4.1.legacy.i386.rpm
65650947bcc05f583b0833ad429e8204e7533fa2  gnome-vfs2-devel-2.2.2-4.1.legacy.i386.rpm
e702fbcd55b20e6208fe460eb83035173e25a1c4  gnome-vfs-devel-1.0.5-13.1.legacy.i386.rpm

% rpm --checksig -v gnome-vfs*
gnome-vfs-1.0.5-13.1.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (42ec4e2d0e7197634f16d20faa5a60ffce2d0ffd)
    MD5 digest: OK (c3e7188b000139f899f4a899ac682ff8)
    V3 DSA signature: OK, key ID 731002fa
gnome-vfs2-2.2.2-4.1.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (3be4be05558cdf0b8654c7ff57840f4c225f0679)
    MD5 digest: OK (127b164a9afde16fa3f4036278d6aad4)
    V3 DSA signature: OK, key ID 731002fa
gnome-vfs2-devel-2.2.2-4.1.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (975d68beafe12aa533bb55990dbba8ae829e1aad)
    MD5 digest: OK (b7446499efb337c48bbdaa9795c17434)
    V3 DSA signature: OK, key ID 731002fa
gnome-vfs-devel-1.0.5-13.1.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (90083bfd048ff90aeadd289f41034c75a44280dd)
    MD5 digest: OK (f7f8e058336e3e009bc867d2581c3394)
    V3 DSA signature: OK, key ID 731002fa

* sha1sums match
* GPG signatures check out ok
* packages install ok
* nautilus runs ok

+VERIFY (rh9)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCEIGC6PpxfDLZ0SgRApfLAJ0adbwK1FkaMHv4xFLAuILBRTc6NQCgjQJZ
5IyYSWsmIfwj0jlJiI1+gb4=
=3WsD
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-20 12:29:17 ----

Pushed to official updates.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:26 -------

This bug previously known as bug 1944 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1944
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
modifications to gnome-vfs spec file.
https://bugzilla.fedora.us/attachment.cgi?action=view&id=804
patch for gnome-vfs2.spec
https://bugzilla.fedora.us/attachment.cgi?action=view&id=816

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.