Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 152889

Summary: mc CAN-2004-0226,0231,0232,0494,1004,1005,1009,1090,1091,1092,1093,1174,1175,1176,2005-0763
Product: [Retired] Fedora Legacy Reporter: David Lawrence <dkl>
Component: mcAssignee: Dominic Hargreaves <dom>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: barryn, bressers, deisenst, jimpop, jnovy, leonard-rh-bugzilla, marc.deslauriers, m.koshelev, pekkas, sheltren
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.debian.org/security/2005/dsa-639
Whiteboard: 2, 1, LEGACY, rh73, rh90
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-10 23:49:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
debian patch for CAN-2005-0763
none
Difference between my .i386.rpm and updates-testing
none
PGP-signed portion of comment 25 none

Description David Lawrence 2005-03-30 23:31:05 UTC 
Multiple vulnerabilities in mc-4.5.55 and before. I'll have to check to see if
this affects mc-4.6.0 as well.

Also see bug 2009 (CAN-2004-0494) and bug 1548 (CAN-2004-0226, CAN-2004-0231 and
CAN-2004-0232).



------- Additional Comments From leonard.nl 2005-01-30 04:53:12 ----

Created an attachment (id=976)
Patches extracted from Debian Security Advisory




------- Additional Comments From leonard.nl 2005-02-05 02:34:17 ----

Created an attachment (id=986)
Fix for CAN-2004-0494 and CANs from this bug

SPEC file and patches to drop in a mc-4.5.55-6.legacy build tree. Fix for
CAN-2004-0494 (bug 2009) and all CANs mentioned in this report.

If a signed SRPM and/or RPM is preferred I can attach those.



------- Additional Comments From leonard.nl 2005-02-05 02:50:45 ----

SuSE today released an update for mc that contains at least patches for
CAN-2004-1004, CAN-2004-1005 and CAN-2004-1176. These also affect RHL 9 and FC 1.




------- Additional Comments From leonard.nl 2005-02-06 01:57:37 ----

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can
be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-7.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-7.legacy.i386.rpm .




------- Additional Comments From leonard.nl 2005-02-06 02:33:13 ----

Above patch misses some hunks for urar. I'll update this soon.

Above rpms will temporarily be removed and replaced with correct versions with
the same version number in a few days.




------- Additional Comments From leonard.nl 2005-02-09 08:21:31 ----

Ok. Added the urar parts to the patch for bug 2009.

Above RPMS (with same version number) are available again. This should wrap up
*all* known mc issues for RHL 7.3.





------- Additional Comments From deisenst 2005-02-10 09:38:22 ----

Created an attachment (id=992)
Worksheet for all Debian patches for these CVEs - .ps.gz

The enclosed worksheet details what needs patching and what 
does not in mc.4.6.0.

Here are salient points regarding the Debian patches that fix all of 
these CVE's with regards to updating C source code in the patched 
sources of mc-4.6.0-17.fc1 (as published by Red Hat on 1-Sep-2004):

(CVS release numbers of source code noted in <>'s below).
  
  * CAN-2004-1004 -- Vulnerable.  Patch needed for mc 4.6.0's 
     - vfs/fish.c <1.60>.  (Upstream patch from vfs/fish.c <1.96>.)

  * CAN-2004-1005 -- Vulnerable.  Patch needed for mc 4.6.0's:
     - src/utilunix.c <1.53>  --  patch from upstream <1.76>
     - vfs/sfs.c      <1.41>  --  patch from upstream <1.59>
     - vfs/cpio.c     <1.29>. --  patch from upstream <1.49>

  * CAN-2004-1176 -- Vulnerable.  Patch needed for 4.6.0's:
     - vfs/extfs.c    <1.66>  --  patch from upstreadm <1.100>

  * Not vulnerable -- CAN-2004-{1009,1090,1091,1092,1174,1175}.



------- Additional Comments From leonard.nl 2005-02-10 13:53:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can
be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-7.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-7.legacy.i386.rpm .

5ebd7bf563d56fe8035953a277260cc4ae78199a  mc-4.5.55-7.legacy.i386.rpm
7ba94aba68176a97443ff7474ef7906b932a4e78  mc-4.5.55-7.legacy.src.rpm

* Wed Feb 09 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-7.legacy
- - Fixed extfs for quoting and some temp file issues (CAN-2004-0494).
- - Removed mc-cvs-uzip as it is no longer needed with above fixes.
- - trpm and zip fixes are unneeded but left in as the patch was made against a
  tree that has them applied.
- - Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009,
CAN-2004-1090,
  CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 &
  CAN-2004-1176.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCC/Nsm7FzjwvzBAsRAmwcAJ4/zQ7NZFeNFnGB8mwxI4dvwwGDnwCePZyy
yE1GPctyJNu7v922Hnk141o=
=ga8z
-----END PGP SIGNATURE-----




------- Additional Comments From leonard.nl 2005-02-10 14:02:58 ----

Following lines wrap but shouldn't to validate the checksum. Replace the newline
with a space in these lines and the checksum should be ok.

* Wed Feb 09 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-7.legacy

- - Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009,
CAN-2004-1090,




------- Additional Comments From deisenst 2005-02-11 19:29:15 ----

Created an attachment (id=994)
RH9 & FC1: Proposed patch for CAN-2004-{1004,1005,1176} vuls in mc-4.6.0

Proposed patch for (RH9 & FC1) CAN-2004-{1004,1005,1176}, to fix the 
remaining vulnerabilities that have not already been patched in mc-4.6.0,
per Debian's DSA-639.




------- Additional Comments From leonard.nl 2005-02-12 01:48:01 ----

I would keep the patches separate. This makes it more obvious from the SPEC file
which issues have been fixed.




------- Additional Comments From deisenst 2005-02-14 03:53:04 ----

Created an attachment (id=997)
mc-4.6.0-18.2.fc1.0.legacy.spec - spec-file in .src.rpm for FC1

To answer the concern in comment 11 -- well, as one can see from attachment 
994, the list of what hunk patches for what CVE vulnerability is spelled out 
at the top of that patch file.	The spec file (enclosed) also lists in the
changelog what CVE's are being fixed in mc-4.6.0-multi-CVE.patch.

Since I've already built .src.rpm's, my temptation is not to break out the
mc-4.6.0-multi-CVE.patch into separate files at this time, unless I hear
further objections.  The .src.rpm for FC1 (in forthcoming Comment 13)
compiles cleanly and runs well on my system.



------- Additional Comments From deisenst 2005-02-14 03:58:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages to QA for RH9 and FC1 that fix the issues in
Fedora Legacy Bug 2009 and Bug 2405.

Changelogs:
rh9:
* Sat Feb 12 2005 David Eisenstein <deisenst> 1:4.6.0-18.2.fc0.9.legacy
- - rebuild SRPM for RH9. (FL bugzilla #2009, 2405).
(rest of changelog is same as FC1, since they use the same sources)

fc1:
* Fri Feb 11 2005 David Eisenstein <deisenst> 1:4.6.0-18.2.fc1.0.legacy
- - Add mc-4.6.0-multi-CVE.patch which completes the fixes for CAN-2004-1004,
  CAN-2004-1005, and CAN-2004-1176.  Source of these patches are from Debian,
  (DSA-639) and ultimately from the mc CVS tree.
- - FL Bugzilla #2405.

* Sun Feb 06 2005 David Eisenstein <deisenst> 1:4.6.0-18.1.fc1.0.legacy
- - Per Leonard den Ottolander, get rid of mc-cvs-uzip.  Required removing a
  hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch.
- - Use revised quoted-security2 patch, less drastic changes to uzip.in in
  extfs directory for vulnerability CAN-2004-0494.  FL bugzilla #2009.

* Fri Jan 28 2005 David Eisenstein <deisenst> 1:4.6.0-18.0.fc1.0.legacy
- - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match 
  scripts in upstream's cvs.  This takes care of fixes missed in Fedora
  update FEDORA-2004-272.
- - Fedora Legacy bugzilla # 2009.


  SHA1SUM                                 Package Name
========================================  ================================
rh9:
25bd4892803741666a926343779b27574c5e8cc0  mc-4.6.0-18.2.fc0.9.legacy.src.rpm

fc1:
b9a0d1ff86e781389f113a4b24bcbca3a7365266  mc-4.6.0-18.2.fc1.0.legacy.src.rpm


Download URLs:
- --------------

rh9:
http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.2.fc0.9.legacy.src.rpm

fc1:
http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.2.fc1.0.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCEKmdxou1V/j9XZwRAtryAKCQxrIdrZkGRV6TkB1UQpFs0MslIwCgrrk9
TKUnlJiy7DCbTdPy8il0XNE=
=LQPR
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2005-02-14 06:17:39 ----

Taking a cursory look into the mc-4.5.55-7.legacy.src.rpm of comment 8, I
cannot find patches for CAN-2004-{0226, 0231, nor 0232}.  This .src.rpm 
does not seem to be based on the most recent .src.rpm available here among
our tree of mc bugs -- Bug 1548, Bug 2009 and this one.

On 9/4/2004 in Bug 2009 comment 8, Marc Deslauriers published
mc-4.5.55-9.legacy.src.rpm.  That package should have taken care of all
issues in bug 1548 (CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, basing its
patches on Debian patches with a Fedora-Legacy-specific tab-completion fix,
if I read the bug history right) also including an incomplete fix of the
VFS/extfs code.

I suggest packages for RH 7.3 be started from Marc's mc-4.5.55-9 package,
rather than Red Hat's mc-4.5.55-5 package.  Then add the (completed) vfs/
extfs fixes and then the fixes for CAN-2004-{1004, 1005, 1009, 1090, 1091,
1092 ,1093, 1174, 1175 and 1176}.  Basing it on this package will also more
accurately reflect in the changelog all the work Fedora Legacy people have
done on this package.

Regarding naming -- new RH7.3 packages probably ought to be numbered some-
thing like mc-4.5.55-9.1 or mc-4.5.55-10, to reduce confusion between these
newest packages and those already published in updates-testing and/or men-
tioned in these bug reports.

Fix these minor problems, and an mc-4.5.55-xxx package for RH7.3 ought to be
good to go, fully patched!  :-)



------- Additional Comments From leonard.nl 2005-02-14 11:25:41 ----

RPM from comment #8 is based on 4.5.55-6.legacy. I "temporarily" commented out
patch 50 as there are conflicting hunks in this and the extfs patch. Sorry for
that mistake. I'll fix (= remove) the offending (= doubled) hunks in vfs/extfs
in (from) the CAN-2004-0226 (= also CAN-2004-0231 and 0232 IIRC) and add the
remains to this SRPM.




------- Additional Comments From leonard.nl 2005-02-14 11:35:06 ----

Patch #51 (mc-4.5.55-CAN-2004-0226.patch):
+ patch -p1 -b --suffix .CAN-2004-0226 -s
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/deb.in.rej
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/uha.in.rej
5 out of 5 hunks FAILED -- saving rejects to file vfs/extfs/ulha.in.rej
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/urar.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.41311 (%prep)

Above hunks fail against the extfs patch that I applied first.

Removing above hunks from the 0226 patch fixes the issue. Only vfs/extfs hunk
remaining to be applied is for vfs/extfs/ucpio.in.

I'll rename the patch mc-4.5.55-CAN-2004-0226-minus-extfs.patch and resubmit
(S)RPMs thursday at the latest.




------- Additional Comments From leonard.nl 2005-02-14 11:49:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can
be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-8.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-8.legacy.i386.rpm .

e3e4a4208a83bf5157575affa344cf4ee74e91b2  mc-4.5.55-8.legacy.src.rpm
9746affb87c64427986ef345011a8ca68bb4dcd5  mc-4.5.55-8.legacy.i386.rpm

%changelog
* Mon Feb 14 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-8.legacy
- - Really apply remainder of CAN-2004-0226 patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCERyVm7FzjwvzBAsRAuiuAJwKdts0ku2u/yVt4N+rImQ/aVqN1gCeL0wC
wVSPItlR3JhaFclmD3DGp8w=
=rUJ0
-----END PGP SIGNATURE-----




------- Additional Comments From leonard.nl 2005-02-14 11:54:54 ----

If you like to verify the validity of comment #17 please see
http://www.ottolander.nl/opensource/srpms/rh73/verify-mc-4.5.55-8.txt




------- Additional Comments From jimpop 2005-02-20 20:20:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY+ RH73

9cf3e327cbd9b71980b6c1b0a0ca9889 mc-4.5.55-7.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCGX2Zuhh7yV/E9I4RAk2VAJ9ItJghR9uFSm4HVp8iXSGY385iRQCfbPks
f3aXCty3xakbZX9JouS9qXU=
=vbEU
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-03-01 04:43:27 ----

I did QA for RHL73.  It was basically OK, except confusion about two
patches.
                                                                               
                                   
However, I could not find out where mc-4.5.55-extfs.patch comes from?  This
appears to be functionality enhancements which should be out of scope?
                                                                               
                                   
mc-4.5.55-CAN-2004-0226-minus-extfs.patch is also missing fixes for
vfs/extfs/{deb,uha,ulha,urar}.in which were in the Debian patch (similar
compared to earlier package, mc-security_CAN-2004-0226.patch).
                                                                               
                                   
What's the deal here?
                                                                               
                                   
e3e4a4208a83bf5157575affa344cf4ee74e91b2  mc-4.5.55-8.legacy.src.rpm




------- Additional Comments From pekkas 2005-03-01 05:56:57 ----

I took a look at FC1/RHL9.  Verifying the correctness of these patches seems to
be very complicated.  At least the Debian patches for those CANs are much more
extensive than in #8.

Is there an easier way of doing this, or some clear methodology to use?




------- Additional Comments From dom 2005-03-01 15:00:51 ----

The Debian security team generally does an excellent job of releasing high
quality packages so I would have a reasonably high level of confidence in
patches obtained from them.



------- Additional Comments From pekkas 2005-03-01 20:29:36 ----

Agree with #22.  The issue was really how to verify those patches that clearly
did not come from debian.  For RHL73, about 10 patches were identical to Debian
and those were fine with me.  I was questioning the last 1 (or 2), and asking
where to  get the "reference" for 4.6.0.



------- Additional Comments From leonard.nl 2005-03-04 06:44:14 ----

Regarding the extfs patch: Indeed there are functional changes introduced.
However, it is undoable to separate the functional changes from the security
fixes. Hence the update to mc-4.6.1-PRE3 code. This patch originates from me as
I've been very involved in upstream mc development in the last 3/4 year and I've
been pushing most of these fixes into CVS there.

I've discussed this issue extensively with Jindrich Novy, who agrees with me
that an update to CVS was the only sane path to walk. Indeed, we both agree that
an update to 4.6.1 for all platforms (including RHEL 2.1) is preferable once it
is released.

Regarding the multiple CAN issues reported by Andrew Somailov: The fixes for RHL
7.3 are taken literally from the Debian patches which are produced against
mc-4.5.55. Other functional fixes that are in the Debian patch set have not been
introduced. The main difference is that the Debian patch set is a big blob and I
have separated out the essential patch parts.

For RHL 9 and FC only three of these patches are still valid (CAN-2004-1004,
CAN-2004-1005 and CAN-2004-1176). Please compare SuSE's updates for mc of the
same version. They should apply cleanly.

To summarize: All patches apart from the one for CAN-2004-0494 are taken from
the Debian patch set. You can verify that. The fact that the Debian patch set
does not contain a fix for CAN-2004-0494 is an ommission on the part of the
Debian security team.




------- Additional Comments From leonard.nl 2005-03-04 06:54:19 ----

That of course should have been "Andrew Samoilov" :) .

Please see the thread that started with
http://mail.gnome.org/archives/mc-devel/2005-January/msg00063.html .

And of course http://mail.gnome.org/archives/mc-devel/2005-January/msg00067.html
. I hope this takes away any doubt, and if not, please have a look inside the
Debian patch set to verify the used patches are identical.




------- Additional Comments From pekkas 2005-03-04 08:30:59 ----

So, when is 4.6.1 due then?  I'm not sure if we can just upgrade to it
especially on RHL73, but I don't use mc myself in any case.

At present, I guess the only way to verify the patches would be to extract a
diff against CVS and compare them, and I'd rather avoid this. (All debian
packages except one is OK, but as said, there is significant extra patching.)



------- Additional Comments From leonard.nl 2005-03-04 12:40:44 ----

Pekka, I don't really understand what issues you are having. If you follow my
pointers and look *inside*
http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.diff.gz
you will see that I extracted only the relevant patches for these CAN issues.

When 4.6.1 is due sadly remains a mystery as the maintainer is somewhat
uncooperative.




------- Additional Comments From deisenst 2005-03-11 20:21:31 ----

Regarding comment #21:

> Verifying the correctness of these patches seems to be very complicated.
> ...
> Is there an easier way of doing this, or some clear methodology to use?

Perhaps I can help by explaining the methodology I used in discerning and
creating the appropriate forward-ported patches for mc-4.6.0 from the back-
ported patches for mc-4.5.55 that was created by the Debian maintainers
from mc's CVS.

Creating the patches for the multiple vulnerabilities CAN-2004-1004,1005,
1009,1090,1091,1092,1093,1174,1175,1176 was not complicated, it was merely
tedious and time-consuming.  It basically boiled down to this:

  1.  Debian DSA-639 defines and patches a number of vulnerabilities that
      were present in Debian's stable version of mc, namely, mc-4.5.55.  
      From Debian's advisory, "Andrew V. Samoilov has noticed that several
      bugfixes which were applied to the source by upstream developers of
      mc, the midnight commander, ... were not backported to the current
      version of mc that Debian ships in their stable release."

  2.  The Red Hat 9 and Fedora Core 1 packages are all based upon mc-4.6.0,
      as patched up through September by Red Hat, and then further patched
      by me in Bug 2009 for CAN-2004-0494 extfs quoting vulnerabilities,
      that is, "mc-4.6.0-18.fc1.0.legacy".   Many of the patches for
      Debian's mc-4.5.55 were already patched in the mc-4.6.0 + the further 
      patches already applied by Red Hat in the .srpm to the mc-4.6.0
      sources.

  3.  So basically, the problem was discerning which of these patches for
      Debian's mc-4.5.55 apply to the most recent mc-4.6.0 that Red Hat
      issued for Fedora Core 1, mc-4.6.0-17.fc1.src.rpm?
      
  4.  My methodology was to examine each individual patch--
      
  4a. The Debian developers provided a nice point-by-point changelog that
      listed all of the security fixes, file-by-file, along with the CVS
      version numbers upstream that fixed those bugs.  You can find it in
      the file "mc-4.5.55/debian/changelog" that is created by Debian's
      metapatch file:
http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.diff.gz

  4b.  With that listing, and examining each individual file, I created the
       postscript-formattted spreadsheet (.ps.gz) you see in attachment 992,
       a summary of which is in comment #7.  I took each bullet-point of the
       changelog and used that bullet-point to create a one-to-five-line
       section in the spreadsheet.
       
  4c.  By looking at the mc-4.6.0 code (unpacked from mc-4.6.0-18.fc1.0.
       legacy.src.rpm using "$ rpmbuild -bp", which unpacks the original
       tarball and applies the previous patches), and comparing that with
       the individual patches mentioned in the changelog, I was able to
       discern which patches had been applied and which had been discovered
       since mc-4.6.0 + Red Hat patches, therefore not yet applied.
       
  4d.  Something that helped double-check what patches would apply and which
       ones would not was the MC CVS itself.  For example, as you can see in
       the first column of the spreadsheet (labeled "Debian's Description"),
       for the first item it says "Corrected format string problems [src/
       utilunix.c <1.38>, vfs/fish.c <1.96>, CAN-2004-1004]."

          - For the first file, utilunix.c, the CVS version of that file
            that has the security fix for the format string problem is
            <1.38>.  The CVS showed me that mc-4.6.0 is already using
            version <1.53> of src/utilunix.c (see column 4, "Source File
            Affected").  So mc-4.6.0 would likely already have the patch.
            (I looked at the code anyway to be sure.  It does.)

          - For the second file, vfs/fish.c, the CVS version with the
            security fix is <1.96>.  But mc-4.6.0 only has version <1.60>
            of vfs/fish.c; so it's likely that this patch needs to be
            applied.  And it did, so that's how that line is marked (in
            salmon) in columns 5-6 of the spreadsheet.

  5.   It took a great deal of time to review the patches file-by-file
       (Midnight Commander helped a lot with that, though).
       
If you feel the need to double-check all of that work, you may need
to go through this kind of method.  You could also choose to spot-check
a few that I claim don't apply and some or all that I claim do apply.
That is up to you.

Hope this helped.



------- Additional Comments From leonard.nl 2005-03-12 10:37:59 ----

The patches that David found to apply to mc-4.6.0 happen to be the same patches
that the SuSE security team found to apply to mc-4.6.0 (SuSE 9.0). Although I
haven't checked these by hand I am confident David's conclusion as to which
patches are applicable to mc-4.6.0 is correct.




------- Additional Comments From marcdeslauriers 2005-03-12 18:44:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh9 and fc1 packages from comment 13:

25bd4892803741666a926343779b27574c5e8cc0  mc-4.6.0-18.2.fc0.9.legacy.src.rpm
b9a0d1ff86e781389f113a4b24bcbca3a7365266  mc-4.6.0-18.2.fc1.0.legacy.src.rpm


fc1 package:
- - mc-cvs-uzip file removed is OK, as it was for an old version of mc - OK
- - changes to jumbo patch to remove mc-cvs-uzip part - OK
- - mc-4.6.0-extfs-quoted-security2b.patch matches upstream CVS - OK
- - mc-4.6.0-multi-CVE.patch was checked using debian patch and David's
  excellent worksheet as reference - OK
- - Builds and runs
- - Tastes great, less filling. :)

+PUBLISH


rh9 package:

- - rh9 is simply a rebuilt of the fc1 package

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCM8U7LMAs/0C4zNoRAnIqAJ4vF96NEYbJ2YQ65+s33VmuIRPVSgCfWLbs
KCXtEdNmCNb5A0Njz394Ow8=
=j2sq
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-12 18:45:23 ----

I'll do rh7.3 QA tomorrow...



------- Additional Comments From marcdeslauriers 2005-03-13 06:16:03 ----

Hi Leonard,

I'm doing QA on your 7.3 mc package.

There was an issue with autocomplete that needed a correction to be made to one
of the patches, I think this wasn't done in your packages. An I missing something?

https://bugzilla.fedora.us/show_bug.cgi?id=1548#c10




------- Additional Comments From michael 2005-03-15 20:23:08 ----

RPM extfs handling are broken too by last patches. Just try to enter into some
.rpm file - you won't see packaged files, only some files with package info.




------- Additional Comments From leonard.nl 2005-03-17 08:28:53 ----

Michael,

The functionality change you observe is not brokenness. 

In the old situation copying from the root was very expensive in costs of
performance. Just enter into CONTENS.cpio and look there.

Note that this has been the situation of RHL since the introduction of mc-4.6.0
(RHL 8.0?). Also this is the default behaviour in upstream mc.




------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2405 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2405
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 1548 2009.

Attachments:
Patches extracted from Debian Security Advisory
https://bugzilla.fedora.us/attachment.cgi?action=view&id=976
RHL 7.3: Fix for CAN-2004-0494 and CANs from this bug (.tar.gz)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=986
Worksheet for Debian patches for mc-4.6.0 - .ps.gz
https://bugzilla.fedora.us/attachment.cgi?action=view&id=992
RH9 & FC1: Proposed patch for CAN-2004-{1004,1005,1176} vuls in mc-4.6.0
https://bugzilla.fedora.us/attachment.cgi?action=view&id=994
mc-4.6.0-18.2.fc1.0.legacy.spec - spec-file in .src.rpm for FC1
https://bugzilla.fedora.us/attachment.cgi?action=view&id=997

Unknown priority P2. Setting to default priority "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was leonard.nl.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
Comment 1 Leonard den Ottolander 2005-04-06 12:46:14 UTC 
One more advisory for RHL 7.3: CAN-2005-0763, see bug 153982.
Comment 2 Leonard den Ottolander 2005-04-06 13:00:05 UTC 
David, could you be so kind to remove that "leonard at" address from this entry
and replace it with "leonard-rh-bugzilla at" please?
Comment 3 Dominic Hargreaves 2005-04-07 12:59:18 UTC 
I'd say just tackle the rh9/fc1 bugs here, then finish off the rh73 update
separately.
Comment 4 Leonard den Ottolander 2005-04-08 12:35:40 UTC 
One more issue. I've used the Debian patch for CAN-2004-0226, but there seem to
be some discrepancies between it and the original patch from Jakub (compare
Fedora legcay b 1548 c 10 & 15, this issue is not in the original patch).

I'll bring up these discrepancies for discussion once I've sorted them out.
Comment 5 Dominic Hargreaves 2005-04-08 15:40:17 UTC 
Packages as QA'd by Marc for rh9 and fc1 are on their way to updates-testing. Do
I need to abandon that?
Comment 6 Leonard den Ottolander 2005-04-08 19:13:19 UTC 
No. Those are fine (apart from the fact that the patches are in big blobs
instead of separated out). The real problems are with RHL 7.3 (mc-4.5.55).
Comment 7 Leonard den Ottolander 2005-04-08 19:36:36 UTC 
For RHL 7.3 I've decided to use the patch for CAN-2004-0226 from RHEL 2.1 as it
is more complete than the Debian patch. Apart from some fixing to get the
patches applied I also added a temp file fix for lib/cedit.menu that went into
CVS but is missing from RHEL 2.1.

The original patch is split out so we now have separate patches for
CAN-2004-0226, CAN-2004-0231 and CAN-2004-0232. Feel free to comment if you
think some of the hunks ended up in the wrong patch. The original CAN-2004-0226
patch also contained vfs/extfs quoting fixes which were later assigned
CAN-2004-0494.

There are a few hunks in the original patch that appear not to be security fixes
but I left them in as separate patches anyway (small ftpfs and fish fixes).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494
as well as the ten CAN issues from this report can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-9.legacy.src.rpm
and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-9.legacy.i386.rpm .

a633d19f13591dc5c7f629ee0af49569  mc-4.5.55-9.legacy.src.rpm
38e67b66cf025ba7f2b2929e443b793d  mc-4.5.55-9.legacy.i386.rpm

* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the
  Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer
  overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string
  vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the
  current patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch. 
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCVtzfm7FzjwvzBAsRAqOtAKDWttr3Hs679uEy2uwVaiVQs6/ipQCguLEm
647e4vjs/hIDhT+qAQeKxeE=
=kqI6
-----END PGP SIGNATURE-----
Comment 8 Mikhail Koshelev 2005-04-13 13:24:45 UTC 
Created attachment 113092 [details]
debian patch for CAN-2005-0763

Last Debian update includes patch for CAN-2005-0763. Attaching here.
Comment 9 Leonard den Ottolander 2005-04-13 15:14:04 UTC 
Michael, thanks for reminding me. I extracted that patch from the Debian patch
set but forgot to apply it. New rpms coming up.
Comment 10 Leonard den Ottolander 2005-04-13 15:25:47 UTC 
I already opened a bug report for this issue at bug 153982.

Ok, here are new testing rpms:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494,
CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091,
CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176
and CAN-2005-0763 can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-10.legacy.src.rpm
and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-10.legacy.i386.rpm .

14b9a07a84f7d2a1a9d376032fbe2f8f  mc-4.5.55-10.legacy.src.rpm
20ccec65fe8ed40a782ba8f2bc3d1c40  mc-4.5.55-10.legacy.i386.rpm

* Wed Apr 13 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-10.legacy
- - Add patch for CAN-2005-0763

* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the
  Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer
  overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string
  vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the
  current patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch. 
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCXTkQm7FzjwvzBAsRAtm9AJ9jNn0cKhIGOoOsN/qMnCKlYNr3HwCg0Oc6
43rcl9X3DgymibNWH83k5nY=
=Ea5f
-----END PGP SIGNATURE-----
Comment 11 Mikhail Koshelev 2005-04-15 10:19:21 UTC 
Last testing package (mc-4.5.55-10.legacy) is broken. mc segfaults on file editing.
Steps to reproduce:
- istall rpm
- start mc (tested on root login)
- press F4 on any text file (for example /etc/hosts)
= immediate crash OR
= message "Error in file /root/.cedit/Syntax on line XXX"
- dissmiss message to enter editor
- press down key
= crash

Tested on RH73 clean install.
Comment 12 Leonard den Ottolander 2005-04-16 09:45:38 UTC 
Yes, I can immediately reproduce this. I'll have a look at the patches and see
if I can fix it.
Comment 13 Leonard den Ottolander 2005-04-16 09:56:47 UTC 
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `/usr/bin/mc -P'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libslang.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libslang.so.1
Reading symbols from /usr/lib/libgpm.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /usr/lib/libglib-1.2.so.0...done.
Loaded symbols for /usr/lib/libglib-1.2.so.0
Reading symbols from /lib/libext2fs.so.2...done.
Loaded symbols for /lib/libext2fs.so.2
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /lib/libtermcap.so.2...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /usr/lib/libncurses.so.5...done.
Loaded symbols for /usr/lib/libncurses.so.5
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
#0  0x4207a7eb in chunk_alloc () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a7eb in chunk_alloc () from /lib/i686/libc.so.6
#1  0x4207a158 in malloc () from /lib/i686/libc.so.6
#2  0x0808a811 in getch ()
#3  0x0808aebe in getch ()
#4  0x0808b041 in getch ()
#5  0x080945c7 in getch ()
#6  0x0807bec1 in getch ()
#7  0x0807bf51 in getch ()
#8  0x0807db53 in getch ()
#9  0x0806bd41 in strcpy ()
#10 0x08065d67 in strcpy ()
#11 0x08065e6e in strcpy ()
#12 0x080661cd in strcpy ()
#13 0x08066297 in strcpy ()
#14 0x080808bf in getch ()
#15 0x08080a55 in getch ()
#16 0x0808159e in getch ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) quit
Comment 14 Leonard den Ottolander 2005-04-16 12:26:59 UTC 
Missed the removal of a strcat in gtkedit/syntax.c open_include_file(). Also
replaced a strcpy() by a g_strconcat() in the same function. And got rid of some
redundant -1s in strncpy()s in syntax.c. These are not in the Debian patch nor
in CVS as they are redundant.

Removing strcat() fixes the crash. New packages coming up.
Comment 15 Leonard den Ottolander 2005-04-16 12:37:32 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494,
CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091,
CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176
and CAN-2005-0763 can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-11.legacy.src.rpm
and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-11.legacy.i386.rpm .

4bd22e99dd6aa0d9bd089b12a0e288e4  mc-4.5.55-11.legacy.src.rpm
35d0187221dab6f6b090210fafdb8a10  mc-4.5.55-11.legacy.i386.rpm

* Sat Apr 17 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-11.legacy
- - Missed the removal of a strcat in gtkedit/syntax.c open_include_file() in
  CAN-2004-0226 causing crash in mcedit. Cleaned up syntax.c a bit more in
  accordance with the Debian patch and CVS (redundant -1s in strncpy()s)

* Wed Apr 13 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-10.legacy
- - Add patch for CAN-2005-0763

* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl>
4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the
  Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer
  overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string
  vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the
  current patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch. 
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCYQX8m7FzjwvzBAsRAiymAJ4j8TzD0pkATnRzmbEwFnuAmrmeswCffH/V
ryvCY4BNkpwsM8So1OX95gM=
=uhGE
-----END PGP SIGNATURE-----
Comment 16 Dominic Hargreaves 2005-04-28 21:07:43 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Candidate package for rh9 and fc1.

331bcec08ee0a3bf47b6b5651ce2a27816f8ec30  redhat/9/updates-testing/SRPMS/mc-4.6.
0-18.2.fc0.9.legacy.src.rpm
1ff0fb79aab253a3c7fe4a6324dc2402c6b8f437  redhat/9/updates-testing/i386/mc-4.6.0
-18.2.fc0.9.legacy.i386.rpm
529796f562e9e49739170ad86bc427a45a5d2f05  fedora/1/updates-testing/SRPMS/mc-4.6.
0-18.2.fc1.0.legacy.src.rpm
f5959c3196abe94223f9d43b4b78f78c88c98554  fedora/1/updates-testing/i386/mc-4.6.0
-18.2.fc1.0.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCcVB6YzuFKFF44qURArMjAKD00/ncHDwQtrVgu69QC3ypQfDxXwCffZe/
FC8Kn0o4dLv/SvQOJxsFwHU=
=F+WQ
-----END PGP SIGNATURE-----
Comment 17 Marc Deslauriers 2005-05-08 20:14:37 UTC 
*** Bug 153982 has been marked as a duplicate of this bug. ***
Comment 18 Leonard den Ottolander 2005-05-11 10:23:24 UTC 
CAN-2005-0763 only affects RHL 7.3.
Comment 19 Pekka Savola 2005-05-16 12:02:31 UTC 
*** Bug 152705 has been marked as a duplicate of this bug. ***
Comment 20 Pekka Savola 2005-05-16 12:03:07 UTC 
*** Bug 152770 has been marked as a duplicate of this bug. ***
Comment 21 Jim Popovitch 2005-07-10 23:02:36 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++PUBLISH RHL 7,3

Kudos to Leonard for working though all these mc issues and providing all the
fixes for 7.3.  Thanks!

a8a885c4d1b456c11ac5ee76befe7b97d5f957d8  mc-4.5.55-11.legacy.i386.rpm

Works as expected.

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0ak+MyG7U7lo69MRAm3aAJ9F3hD0teBqZ0OatkEUmNnJe8RSwACgm1VU
TDHrw1PE75cDpzPSATNU/3c=
=jDnZ
-----END PGP SIGNATURE-----
Comment 22 Marc Deslauriers 2005-07-12 23:33:28 UTC 
7.3 packages were pushed to updates-testing.
Comment 23 Marc Deslauriers 2005-07-13 12:08:37 UTC 
*** Bug 148865 has been marked as a duplicate of this bug. ***
Comment 24 Marc Deslauriers 2005-07-13 12:10:20 UTC 
This bug tracks the fc2 packages also.
Comment 25 David Eisenstein 2005-07-29 00:23:50 UTC 
Created attachment 117257 [details]
Difference between my .i386.rpm and updates-testing

The attachment is the diff -u of my .i386.rpm and FL's in updates-testing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I downloaded the binary FC1 package,

     SHA1SUM					PACKAGE 
f5959c3196abe94223f9d43b4b78f78c88c98554 
fedora/1/updates-testing/i386/mc-4.6.0-18.2.fc1.0.legacy.i386.rpm,

from http://download.fedoralegacy.org/, as was posted in the FL Update Test
Update Notification FEDORALEGACY-2005-152889, at
  <http://www.redhat.com/archives/fedora-legacy-list/2005-July/msg00039.html>.

I haven't yet loaded it into my machine to test, but doing a comparison of
this binary package with the binary package I produced (when I created the
.src.rpm) yields some problems.  It is my guess that all of the problems are
due to missing dependencies when the binary package is created in the build
environment.

Summary:  To build correctly (for at least FC1), mc may need:

  1)  the groff package (but not a show-stopper), and
  2)  the gnome-libs package.

Details (with many thanks to Charles Anderson for his rpm-build-compare.sh
script):

  1)  /usr/share/mc/mc.ext, lines 151-152 & others.
      In the rpm in updates-testing, the "Open" line in mc.ext for manpages
      calls nroff with merely a "-man" argument, rather than the arguments
      "-c -Tlatin1 -mandoc".  I think this is due to files missing when the
      groff package is not present on the build system.  There are also other
      "roff" "groff" "nroff" extensions in mc.ext that appear to have incor-
      rect arguments (see attachment).	For example,

-
------------------------------------------------------------------------------
- --- mc-4.6.0-18.2.fc1.0.legacy.dde.i386.rpm-root/usr/share/mc/mc.ext 
2005-07-14 03:59:23.000000000 -0500
+++ mc-4.6.0-18.2.fc1.0.legacy.i386.rpm-root/usr/share/mc/mc.ext       
2005-07-14 03:59:24.000000000 -0500
@@ -149,8 +149,8 @@
	View=%view{ascii} file %f && nm %f
 
 regex/(([^0-9]|^[^\.]*)\.([1-9][a-z]?|n)|\.man)$
- -	Open=nroff -c -Tlatin1 -mandoc %f | %var{PAGER:more}
- -	View=%view{ascii,nroff} nroff -c -Tlatin1 -mandoc %f
+	Open=nroff  -man %f | %var{PAGER:more}
+	View=%view{ascii,nroff} nroff  -man %f
 
 # Troff with me macros.
 # Exception - "read.me" is not a nroff file.
-
------------------------------------------------------------------------------
 
  2)  Line 304 of /usr/share/mc/mc.ext (for the .htm and .html file
      extensions), is buggy and will not properly open a browser window
      when running X-Windows (or GNOME or KDE).  It is missing the
      "gnome-moz-remote" command, which is supplied in the gnome-libs
      package.

-
------------------------------------------------------------------------------
@@ -300,7 +300,7 @@
 
 # html
 regex/\.([Hh]tml?|HTML?)$
- -	Open=if test -n "gnome-moz-remote" && test -n "$DISPLAY"; then
(gnome-moz-remote file://%d/%p &) >/dev/null 2>&1; else links %f 2>/dev/null ||
lynx -force_html %f; fi
+	Open=if test -n "" && test -n "$DISPLAY"; then ( file://%d/%p &)
>/dev/null 2>&1; else links %f 2>/dev/null || lynx -force_html %f; fi
	View=%view{ascii} lynx -dump -force_html %f
 
 # StarOffice 5.2
-
------------------------------------------------------------------------------
 
		-David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFC6XLsxou1V/j9XZwRAkw6AJ0R052Z34FCn2nRwNQIk69ApURNSgCgw9Uk
xQ9Rv30pwXiPnG6jdx07918=
=QIzt
-----END PGP SIGNATURE-----
Comment 26 Marc Deslauriers 2005-07-29 02:15:10 UTC 
Thanks for the report David. Updated packages are being pushed to
updates-testing right now.
Comment 27 David Eisenstein 2005-07-29 03:19:11 UTC 
Created attachment 117261 [details]
PGP-signed portion of comment 25

Enclosed attachment duplicates the PGP-signed portion of comment 25, since
pasting that into the comment box broke the message & signature.  I'll try
to be more careful next time.  I wish bugzilla had a "preview" button in
addition to a "submit" button.	 -David
Comment 28 Gilbert Sebenste 2005-08-03 15:35:09 UTC 
+VERIFY for FC1.
Comment 29 Pekka Savola 2005-08-04 20:42:14 UTC 
Any other verifies, please?

(I'll count Gilbert's as one, though unsigned, but won't start a timeout yet..)
Comment 30 Jim Popovitch 2005-08-04 23:10:39 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+VERIFY for 7.3

Works like a champ.

7dd653902f620c9ab66fc187c92e1e8c70af4b6f  mc-4.5.55-12.legacy.i386.rpm

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC8p/3MyG7U7lo69MRAo4ZAKCA0vsFPaS6U4+dnSRy1ZHgpgzacwCfeMFX
I1/AQXxrisHl9eVvKpKVWaY=
=V2AL
-----END PGP SIGNATURE-----
Comment 31 Pekka Savola 2005-08-05 06:42:47 UTC 
Thanks!
Comment 32 Jeff Sheltren 2005-08-06 05:40:07 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for RH9 and FC2 packages:

82c7263b65d3959003c6043131dad7248fa7c40e  mc-4.6.0-18.3.fc0.9.legacy.i386.rpm
a8270921b5ded8b829c7fda54d7bac77145df129  mc-4.6.1-0.13.FC2.1.legacy.i386.rpm

Signature OK
Installs OK
mc binary runs OK

RH9 VERIFY++
FC2 VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC9E1DKe7MLJjUbNMRAvSHAKCcgv5pIVqzgaJ89F5FBvpM9edMwACgpq32
L7UCEf4e8UQIcik0vrhnV3U=
=F5/w
-----END PGP SIGNATURE-----
Comment 33 Marc Deslauriers 2005-08-10 23:49:57 UTC 
Packages were finally released! Hurrah! :)
Comment 34 Marc Deslauriers 2005-08-15 12:13:36 UTC 
*** Bug 127973 has been marked as a duplicate of this bug. ***