Multiple vulnerabilities in mc-4.5.55 and before. I'll have to check to see if this affects mc-4.6.0 as well. Also see bug 2009 (CAN-2004-0494) and bug 1548 (CAN-2004-0226, CAN-2004-0231 and CAN-2004-0232).

------- Additional Comments From leonard.nl 2005-01-30 04:53:12 ----

Created an attachment (id=976)
Patches extracted from Debian Security Advisory

------- Additional Comments From leonard.nl 2005-02-05 02:34:17 ----

Created an attachment (id=986)
Fix for CAN-2004-0494 and CANs from this bug

SPEC file and patches to drop in a mc-4.5.55-6.legacy build tree. Fix for CAN-2004-0494 (bug 2009) and all CANs mentioned in this report. If a signed SRPM and/or RPM is preferred I can attach those.

------- Additional Comments From leonard.nl 2005-02-05 02:50:45 ----

SuSE today released an update for mc that contains at least patches for CAN-2004-1004, CAN-2004-1005 and CAN-2004-1176. These also affect RHL 9 and FC 1.

------- Additional Comments From leonard.nl 2005-02-06 01:57:37 ----

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-7.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-7.legacy.i386.rpm .

------- Additional Comments From leonard.nl 2005-02-06 02:33:13 ----

Above patch misses some hunks for urar. I'll update this soon. Above rpms will temporarily be removed and replaced with correct versions with the same version number in a few days.

------- Additional Comments From leonard.nl 2005-02-09 08:21:31 ----

Ok. Added the urar parts to the patch for bug 2009. Above RPMS (with same version number) are available again. This should wrap up *all* known mc issues for RHL 7.3.

------- Additional Comments From deisenst 2005-02-10 09:38:22 ----

Created an attachment (id=992)
Worksheet for all Debian patches for these CVEs - .ps.gz

The enclosed worksheet details what needs patching and what does not in mc-4.6.0.
Here are salient points regarding the Debian patches that fix all of these CVEs with regards to updating C source code in the patched sources of mc-4.6.0-17.fc1 (as published by Red Hat on 1-Sep-2004). (CVS release numbers of source code noted in <>'s below.)

* CAN-2004-1004 -- Vulnerable. Patch needed for mc 4.6.0's:
  - vfs/fish.c <1.60>. (Upstream patch from vfs/fish.c <1.96>.)
* CAN-2004-1005 -- Vulnerable. Patch needed for mc 4.6.0's:
  - src/utilunix.c <1.53> -- patch from upstream <1.76>
  - vfs/sfs.c <1.41> -- patch from upstream <1.59>
  - vfs/cpio.c <1.29> -- patch from upstream <1.49>
* CAN-2004-1176 -- Vulnerable. Patch needed for 4.6.0's:
  - vfs/extfs.c <1.66> -- patch from upstream <1.100>
* Not vulnerable -- CAN-2004-{1009,1090,1091,1092,1174,1175}.

------- Additional Comments From leonard.nl 2005-02-10 13:53:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-7.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-7.legacy.i386.rpm .

5ebd7bf563d56fe8035953a277260cc4ae78199a  mc-4.5.55-7.legacy.i386.rpm
7ba94aba68176a97443ff7474ef7906b932a4e78  mc-4.5.55-7.legacy.src.rpm

* Wed Feb 09 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-7.legacy
- - Fixed extfs for quoting and some temp file issues (CAN-2004-0494).
- - Removed mc-cvs-uzip as it is no longer needed with above fixes.
- - trpm and zip fixes are unneeded but left in as the patch was made against a tree that has them applied.
- - Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 & CAN-2004-1176.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCC/Nsm7FzjwvzBAsRAmwcAJ4/zQ7NZFeNFnGB8mwxI4dvwwGDnwCePZyy
yE1GPctyJNu7v922Hnk141o=
=ga8z
-----END PGP SIGNATURE-----

------- Additional Comments From leonard.nl 2005-02-10 14:02:58 ----

Following lines wrap but shouldn't to validate the checksum. Replace the newline with a space in these lines and the checksum should be ok.

* Wed Feb 09 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-7.legacy
- - Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090,

------- Additional Comments From deisenst 2005-02-11 19:29:15 ----

Created an attachment (id=994)
RH9 & FC1: Proposed patch for CAN-2004-{1004,1005,1176} vuls in mc-4.6.0

Proposed patch for (RH9 & FC1) CAN-2004-{1004,1005,1176}, to fix the remaining vulnerabilities that have not already been patched in mc-4.6.0, per Debian's DSA-639.

------- Additional Comments From leonard.nl 2005-02-12 01:48:01 ----

I would keep the patches separate. This makes it more obvious from the SPEC file which issues have been fixed.

------- Additional Comments From deisenst 2005-02-14 03:53:04 ----

Created an attachment (id=997)
mc-4.6.0-18.2.fc1.0.legacy.spec - spec-file in .src.rpm for FC1

To answer the concern in comment 11 -- well, as one can see from attachment 994, the list of what hunk patches for what CVE vulnerability is spelled out at the top of that patch file. The spec file (enclosed) also lists in the changelog what CVEs are being fixed in mc-4.6.0-multi-CVE.patch. Since I've already built .src.rpm's, my temptation is not to break out the mc-4.6.0-multi-CVE.patch into separate files at this time, unless I hear further objections. The .src.rpm for FC1 (in forthcoming Comment 13) compiles cleanly and runs well on my system.
------- Additional Comments From deisenst 2005-02-14 03:58:20 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages to QA for RH9 and FC1 that fix the issues in Fedora Legacy Bug 2009 and Bug 2405.

Changelogs:

rh9:
* Sat Feb 12 2005 David Eisenstein <deisenst> 1:4.6.0-18.2.fc0.9.legacy
- - rebuild SRPM for RH9. (FL bugzilla #2009, 2405).
(rest of changelog is same as FC1, since they use the same sources)

fc1:
* Fri Feb 11 2005 David Eisenstein <deisenst> 1:4.6.0-18.2.fc1.0.legacy
- - Add mc-4.6.0-multi-CVE.patch which completes the fixes for CAN-2004-1004, CAN-2004-1005, and CAN-2004-1176. Source of these patches are from Debian, (DSA-639) and ultimately from the mc CVS tree.
- - FL Bugzilla #2405.
* Sun Feb 06 2005 David Eisenstein <deisenst> 1:4.6.0-18.1.fc1.0.legacy
- - Per Leonard den Ottolander, get rid of mc-cvs-uzip. Required removing a hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch.
- - Use revised quoted-security2 patch, less drastic changes to uzip.in in extfs directory for vulnerability CAN-2004-0494. FL bugzilla #2009.
* Fri Jan 28 2005 David Eisenstein <deisenst> 1:4.6.0-18.0.fc1.0.legacy
- - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match scripts in upstream's cvs. This takes care of fixes missed in Fedora update FEDORA-2004-272.
- - Fedora Legacy bugzilla # 2009.
SHA1SUM                                   Package Name
========================================  ================================
rh9:
25bd4892803741666a926343779b27574c5e8cc0  mc-4.6.0-18.2.fc0.9.legacy.src.rpm
fc1:
b9a0d1ff86e781389f113a4b24bcbca3a7365266  mc-4.6.0-18.2.fc1.0.legacy.src.rpm

Download URLs:
- --------------
rh9: http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.2.fc0.9.legacy.src.rpm
fc1: http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/mc-4.6.0-18.2.fc1.0.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCEKmdxou1V/j9XZwRAtryAKCQxrIdrZkGRV6TkB1UQpFs0MslIwCgrrk9
TKUnlJiy7DCbTdPy8il0XNE=
=LQPR
-----END PGP SIGNATURE-----

------- Additional Comments From deisenst 2005-02-14 06:17:39 ----

Taking a cursory look into the mc-4.5.55-7.legacy.src.rpm of comment 8, I cannot find patches for CAN-2004-{0226, 0231, nor 0232}. This .src.rpm does not seem to be based on the most recent .src.rpm available here among our tree of mc bugs -- Bug 1548, Bug 2009 and this one. On 9/4/2004 in Bug 2009 comment 8, Marc Deslauriers published mc-4.5.55-9.legacy.src.rpm. That package should have taken care of all issues in bug 1548 (CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, basing its patches on Debian patches with a Fedora-Legacy-specific tab-completion fix, if I read the bug history right) also including an incomplete fix of the VFS/extfs code.

I suggest packages for RH 7.3 be started from Marc's mc-4.5.55-9 package, rather than Red Hat's mc-4.5.55-5 package. Then add the (completed) vfs/extfs fixes and then the fixes for CAN-2004-{1004, 1005, 1009, 1090, 1091, 1092, 1093, 1174, 1175 and 1176}. Basing it on this package will also more accurately reflect in the changelog all the work Fedora Legacy people have done on this package.
Regarding naming -- new RH7.3 packages probably ought to be numbered something like mc-4.5.55-9.1 or mc-4.5.55-10, to reduce confusion between these newest packages and those already published in updates-testing and/or mentioned in these bug reports.

Fix these minor problems, and an mc-4.5.55-xxx package for RH7.3 ought to be good to go, fully patched! :-)

------- Additional Comments From leonard.nl 2005-02-14 11:25:41 ----

RPM from comment #8 is based on 4.5.55-6.legacy. I "temporarily" commented out patch 50 as there are conflicting hunks in this and the extfs patch. Sorry for that mistake. I'll fix (= remove) the offending (= doubled) hunks in vfs/extfs in (from) the CAN-2004-0226 (= also CAN-2004-0231 and 0232 IIRC) and add the remains to this SRPM.

------- Additional Comments From leonard.nl 2005-02-14 11:35:06 ----

Patch #51 (mc-4.5.55-CAN-2004-0226.patch):
+ patch -p1 -b --suffix .CAN-2004-0226 -s
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/deb.in.rej
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/uha.in.rej
5 out of 5 hunks FAILED -- saving rejects to file vfs/extfs/ulha.in.rej
1 out of 1 hunk FAILED -- saving rejects to file vfs/extfs/urar.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.41311 (%prep)

Above hunks fail against the extfs patch that I applied first. Removing above hunks from the 0226 patch fixes the issue. Only vfs/extfs hunk remaining to be applied is for vfs/extfs/ucpio.in. I'll rename the patch mc-4.5.55-CAN-2004-0226-minus-extfs.patch and resubmit (S)RPMs Thursday at the latest.

------- Additional Comments From leonard.nl 2005-02-14 11:49:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0494 as well as the ten CAN issues from this report can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-8.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-8.legacy.i386.rpm .
e3e4a4208a83bf5157575affa344cf4ee74e91b2  mc-4.5.55-8.legacy.src.rpm
9746affb87c64427986ef345011a8ca68bb4dcd5  mc-4.5.55-8.legacy.i386.rpm

%changelog
* Mon Feb 14 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-8.legacy
- - Really apply remainder of CAN-2004-0226 patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCERyVm7FzjwvzBAsRAuiuAJwKdts0ku2u/yVt4N+rImQ/aVqN1gCeL0wC
wVSPItlR3JhaFclmD3DGp8w=
=rUJ0
-----END PGP SIGNATURE-----

------- Additional Comments From leonard.nl 2005-02-14 11:54:54 ----

If you would like to verify the validity of comment #17 please see
http://www.ottolander.nl/opensource/srpms/rh73/verify-mc-4.5.55-8.txt

------- Additional Comments From jimpop 2005-02-20 20:20:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY+ RH73
9cf3e327cbd9b71980b6c1b0a0ca9889  mc-4.5.55-7.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCGX2Zuhh7yV/E9I4RAk2VAJ9ItJghR9uFSm4HVp8iXSGY385iRQCfbPks
f3aXCty3xakbZX9JouS9qXU=
=vbEU
-----END PGP SIGNATURE-----

------- Additional Comments From pekkas 2005-03-01 04:43:27 ----

I did QA for RHL73. It was basically OK, except confusion about two patches. However, I could not find out where mc-4.5.55-extfs.patch comes from? This appears to be functionality enhancements which should be out of scope?

mc-4.5.55-CAN-2004-0226-minus-extfs.patch is also missing fixes for vfs/extfs/{deb,uha,ulha,urar}.in which were in the Debian patch (similar compared to earlier package, mc-security_CAN-2004-0226.patch). What's the deal here?

e3e4a4208a83bf5157575affa344cf4ee74e91b2  mc-4.5.55-8.legacy.src.rpm

------- Additional Comments From pekkas 2005-03-01 05:56:57 ----

I took a look at FC1/RHL9. Verifying the correctness of these patches seems to be very complicated. At least the Debian patches for those CANs are much more extensive than in #8. Is there an easier way of doing this, or some clear methodology to use?
------- Additional Comments From dom 2005-03-01 15:00:51 ----

The Debian security team generally does an excellent job of releasing high quality packages so I would have a reasonably high level of confidence in patches obtained from them.

------- Additional Comments From pekkas 2005-03-01 20:29:36 ----

Agree with #22. The issue was really how to verify those patches that clearly did not come from Debian. For RHL73, about 10 patches were identical to Debian and those were fine with me. I was questioning the last 1 (or 2), and asking where to get the "reference" for 4.6.0.

------- Additional Comments From leonard.nl 2005-03-04 06:44:14 ----

Regarding the extfs patch: Indeed there are functional changes introduced. However, it is undoable to separate the functional changes from the security fixes. Hence the update to mc-4.6.1-PRE3 code. This patch originates from me as I've been very involved in upstream mc development in the last 3/4 year and I've been pushing most of these fixes into CVS there. I've discussed this issue extensively with Jindrich Novy, who agrees with me that an update to CVS was the only sane path to walk. Indeed, we both agree that an update to 4.6.1 for all platforms (including RHEL 2.1) is preferable once it is released.

Regarding the multiple CAN issues reported by Andrew Somailov: The fixes for RHL 7.3 are taken literally from the Debian patches which are produced against mc-4.5.55. Other functional fixes that are in the Debian patch set have not been introduced. The main difference is that the Debian patch set is a big blob and I have separated out the essential patch parts. For RHL 9 and FC only three of these patches are still valid (CAN-2004-1004, CAN-2004-1005 and CAN-2004-1176). Please compare SuSE's updates for mc of the same version. They should apply cleanly.

To summarize: All patches apart from the one for CAN-2004-0494 are taken from the Debian patch set. You can verify that.
The fact that the Debian patch set does not contain a fix for CAN-2004-0494 is an omission on the part of the Debian security team.

------- Additional Comments From leonard.nl 2005-03-04 06:54:19 ----

That of course should have been "Andrew Samoilov" :) .

Please see the thread that started with
http://mail.gnome.org/archives/mc-devel/2005-January/msg00063.html .
And of course
http://mail.gnome.org/archives/mc-devel/2005-January/msg00067.html .

I hope this takes away any doubt, and if not, please have a look inside the Debian patch set to verify the used patches are identical.

------- Additional Comments From pekkas 2005-03-04 08:30:59 ----

So, when is 4.6.1 due then? I'm not sure if we can just upgrade to it especially on RHL73, but I don't use mc myself in any case.

At present, I guess the only way to verify the patches would be to extract a diff against CVS and compare them, and I'd rather avoid this. (All Debian packages except one are OK, but as said, there is significant extra patching.)

------- Additional Comments From leonard.nl 2005-03-04 12:40:44 ----

Pekka, I don't really understand what issues you are having. If you follow my pointers and look *inside*
http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.diff.gz
you will see that I extracted only the relevant patches for these CAN issues.

When 4.6.1 is due sadly remains a mystery as the maintainer is somewhat uncooperative.

------- Additional Comments From deisenst 2005-03-11 20:21:31 ----

Regarding comment #21:

> Verifying the correctness of these patches seems to be very complicated.
> ...
> Is there an easier way of doing this, or some clear methodology to use?

Perhaps I can help by explaining the methodology I used in discerning and creating the appropriate forward-ported patches for mc-4.6.0 from the backported patches for mc-4.5.55 that were created by the Debian maintainers from mc's CVS.
Creating the patches for the multiple vulnerabilities CAN-2004-1004, 1005, 1009, 1090, 1091, 1092, 1093, 1174, 1175, 1176 was not complicated, it was merely tedious and time-consuming. It basically boiled down to this:

1. Debian DSA-639 defines and patches a number of vulnerabilities that were present in Debian's stable version of mc, namely, mc-4.5.55. From Debian's advisory, "Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, ... were not backported to the current version of mc that Debian ships in their stable release."

2. The Red Hat 9 and Fedora Core 1 packages are all based upon mc-4.6.0, as patched up through September by Red Hat, and then further patched by me in Bug 2009 for CAN-2004-0494 extfs quoting vulnerabilities, that is, "mc-4.6.0-18.fc1.0.legacy". Many of the patches for Debian's mc-4.5.55 were already patched in the mc-4.6.0 + the further patches already applied by Red Hat in the .srpm to the mc-4.6.0 sources.

3. So basically, the problem was discerning which of these patches for Debian's mc-4.5.55 apply to the most recent mc-4.6.0 that Red Hat issued for Fedora Core 1, mc-4.6.0-17.fc1.src.rpm?

4. My methodology was to examine each individual patch--

4a. The Debian developers provided a nice point-by-point changelog that listed all of the security fixes, file-by-file, along with the CVS version numbers upstream that fixed those bugs. You can find it in the file "mc-4.5.55/debian/changelog" that is created by Debian's metapatch file:
http://security.debian.org/pool/updates/main/m/mc/mc_4.5.55-1.2woody5.diff.gz

4b. With that listing, and examining each individual file, I created the postscript-formatted spreadsheet (.ps.gz) you see in attachment 992, a summary of which is in comment #7. I took each bullet-point of the changelog and used that bullet-point to create a one-to-five-line section in the spreadsheet.

4c. By looking at the mc-4.6.0 code (unpacked from mc-4.6.0-18.fc1.0.legacy.src.rpm using "$ rpmbuild -bp", which unpacks the original tarball and applies the previous patches), and comparing that with the individual patches mentioned in the changelog, I was able to discern which patches had been applied and which had been discovered since mc-4.6.0 + Red Hat patches, therefore not yet applied.

4d. Something that helped double-check what patches would apply and which ones would not was the MC CVS itself. For example, as you can see in the first column of the spreadsheet (labeled "Debian's Description"), for the first item it says "Corrected format string problems [src/utilunix.c <1.38>, vfs/fish.c <1.96>, CAN-2004-1004]."
- For the first file, utilunix.c, the CVS version of that file that has the security fix for the format string problem is <1.38>. The CVS showed me that mc-4.6.0 is already using version <1.53> of src/utilunix.c (see column 4, "Source File Affected"). So mc-4.6.0 would likely already have the patch. (I looked at the code anyway to be sure. It does.)
- For the second file, vfs/fish.c, the CVS version with the security fix is <1.96>. But mc-4.6.0 only has version <1.60> of vfs/fish.c; so it's likely that this patch needs to be applied. And it did, so that's how that line is marked (in salmon) in columns 5-6 of the spreadsheet.

5. It took a great deal of time to review the patches file-by-file (Midnight Commander helped a lot with that, though). If you feel the need to double-check all of that work, you may need to go through this kind of method. You could also choose to spot-check a few that I claim don't apply and some or all that I claim do apply. That is up to you.

Hope this helped.

------- Additional Comments From leonard.nl 2005-03-12 10:37:59 ----

The patches that David found to apply to mc-4.6.0 happen to be the same patches that the SuSE security team found to apply to mc-4.6.0 (SuSE 9.0).
Although I haven't checked these by hand I am confident David's conclusion as to which patches are applicable to mc-4.6.0 is correct.

------- Additional Comments From marcdeslauriers 2005-03-12 18:44:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh9 and fc1 packages from comment 13:

25bd4892803741666a926343779b27574c5e8cc0  mc-4.6.0-18.2.fc0.9.legacy.src.rpm
b9a0d1ff86e781389f113a4b24bcbca3a7365266  mc-4.6.0-18.2.fc1.0.legacy.src.rpm

fc1 package:
- - mc-cvs-uzip file removed is OK, as it was for an old version of mc - OK
- - changes to jumbo patch to remove mc-cvs-uzip part - OK
- - mc-4.6.0-extfs-quoted-security2b.patch matches upstream CVS - OK
- - mc-4.6.0-multi-CVE.patch was checked using debian patch and David's excellent worksheet as reference - OK
- - Builds and runs
- - Tastes great, less filling. :)

+PUBLISH

rh9 package:
- - rh9 is simply a rebuild of the fc1 package

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCM8U7LMAs/0C4zNoRAnIqAJ4vF96NEYbJ2YQ65+s33VmuIRPVSgCfWLbs
KCXtEdNmCNb5A0Njz394Ow8=
=j2sq
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2005-03-12 18:45:23 ----

I'll do rh7.3 QA tomorrow...

------- Additional Comments From marcdeslauriers 2005-03-13 06:16:03 ----

Hi Leonard,

I'm doing QA on your 7.3 mc package. There was an issue with autocomplete that needed a correction to be made to one of the patches, I think this wasn't done in your packages. Am I missing something?

https://bugzilla.fedora.us/show_bug.cgi?id=1548#c10

------- Additional Comments From michael 2005-03-15 20:23:08 ----

RPM extfs handling is broken too by last patches. Just try to enter into some .rpm file - you won't see packaged files, only some files with package info.

------- Additional Comments From leonard.nl 2005-03-17 08:28:53 ----

Michael,

The functionality change you observe is not brokenness. In the old situation copying from the root was very expensive in costs of performance.
Just enter into CONTENTS.cpio and look there. Note that this has been the situation of RHL since the introduction of mc-4.6.0 (RHL 8.0?). Also this is the default behaviour in upstream mc.

------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2405 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2405
Originally filed under the Fedora Legacy product and Package request component.

Bug blocks bug(s) 1548 2009.

Attachments:
Patches extracted from Debian Security Advisory
https://bugzilla.fedora.us/attachment.cgi?action=view&id=976
RHL 7.3: Fix for CAN-2004-0494 and CANs from this bug (.tar.gz)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=986
Worksheet for Debian patches for mc-4.6.0 - .ps.gz
https://bugzilla.fedora.us/attachment.cgi?action=view&id=992
RH9 & FC1: Proposed patch for CAN-2004-{1004,1005,1176} vuls in mc-4.6.0
https://bugzilla.fedora.us/attachment.cgi?action=view&id=994
mc-4.6.0-18.2.fc1.0.legacy.spec - spec-file in .src.rpm for FC1
https://bugzilla.fedora.us/attachment.cgi?action=view&id=997

Unknown priority P2. Setting to default priority "normal".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was leonard.nl.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
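The CVS-revision comparison David describes in his methodology comment (step 4d: a Debian changelog bullet names the revision that carries each fix, the $Id$ keyword in each file of the target tree names the revision it ships, and an older tree revision means the patch is still needed) can be scripted. What follows is an added example, not code from this bug report, from Debian or from the mc project. The changelog bullets and the $Id$ lines are constructed samples that only reuse the revision numbers quoted in the thread; CAN-0000-0000 is a placeholder id for an entry whose fix is already present.

```python
"""Triage which upstream (CVS) fixes a target source tree still lacks.

Added example; not code from the bug report, from Debian or from the mc
project. Mirrors the worksheet method described in the thread: a Debian
changelog bullet names the files and CVS revisions that carry a fix, and
each file in the target tree carries a CVS $Id$ keyword naming the revision
it was cut from. A tree revision older than the fixing revision means the
patch is still needed. The bullets and $Id$ lines below are constructed
samples; only the revision numbers quoted in the thread are real.
"""
import re

# Constructed sample changelog. The first bullet is the one quoted in the
# thread; the next two reuse the revision numbers from the worksheet summary.
# CAN-0000-0000 is a placeholder id for an entry already fixed in the tree.
CHANGELOG = """\
  * Corrected format string problems [src/utilunix.c <1.38>, vfs/fish.c <1.96>, CAN-2004-1004]
  * Fixed temporary file handling [src/utilunix.c <1.76>, vfs/sfs.c <1.59>, vfs/cpio.c <1.49>, CAN-2004-1005]
  * Fixed extfs handling [vfs/extfs.c <1.100>, CAN-2004-1176]
  * Placeholder entry already in the tree [src/utilunix.c <1.40>, CAN-0000-0000]
"""

# Constructed sample: the $Id$ line at the top of each file in the target
# tree (revisions are the ones the thread reports for mc-4.6.0; the dates
# and committer name are made up).
TREE_IDS = {
    "src/utilunix.c": "/* $Id: utilunix.c,v 1.53 2003/01/01 00:00:00 someone Exp $ */",
    "vfs/fish.c":     "/* $Id: fish.c,v 1.60 2003/01/01 00:00:00 someone Exp $ */",
    "vfs/sfs.c":      "/* $Id: sfs.c,v 1.41 2003/01/01 00:00:00 someone Exp $ */",
    "vfs/cpio.c":     "/* $Id: cpio.c,v 1.29 2003/01/01 00:00:00 someone Exp $ */",
    "vfs/extfs.c":    "/* $Id: extfs.c,v 1.66 2003/01/01 00:00:00 someone Exp $ */",
}

BULLET_RE = re.compile(r"\*\s*(?P<text>.*?)\s*\[(?P<refs>[^\]]*)\]")
FILE_REF_RE = re.compile(r"^(?P<path>\S+)\s+<(?P<rev>[\d.]+)>$")
CAN_RE = re.compile(r"^CAN-\d{4}-\d+$")
ID_KEYWORD_RE = re.compile(r"\$(?:Id|Header):\s+\S+,v\s+(?P<rev>[\d.]+)")


def parse_changelog(text):
    """Return [(description, [(path, fixing_rev), ...], [CAN ids]), ...]."""
    entries = []
    for m in BULLET_RE.finditer(text):
        files, ids = [], []
        for ref in (r.strip() for r in m.group("refs").split(",")):
            fm = FILE_REF_RE.match(ref)
            if fm:
                files.append((fm.group("path"), fm.group("rev")))
            elif CAN_RE.match(ref):
                ids.append(ref)
        entries.append((m.group("text"), files, ids))
    return entries


def rev_tuple(rev):
    """'1.100' -> (1, 100): CVS revisions compare numerically per component,
    so 1.100 is newer than 1.66 even though it sorts lower as a string."""
    return tuple(int(part) for part in rev.split("."))


def tree_revision(id_line):
    """Extract the revision from a CVS $Id$/$Header$ line, or None."""
    m = ID_KEYWORD_RE.search(id_line)
    return m.group("rev") if m else None


def needed_patches(changelog, tree_ids):
    """Map each CAN id to the files whose tree revision predates the fix.

    A file absent from tree_ids gets revision None and is flagged as needed,
    since nothing proves the fix is present. An empty list means every file
    the bullet names is already at or past the fixing revision.
    """
    result = {}
    for _text, files, ids in parse_changelog(changelog):
        missing = []
        for path, fix_rev in files:
            have = tree_revision(tree_ids.get(path, ""))
            if have is None or rev_tuple(have) < rev_tuple(fix_rev):
                missing.append((path, have, fix_rev))
        for can in ids:
            result.setdefault(can, []).extend(missing)
    return result


def report(needed):
    """Render the worksheet summary, one line per CAN id."""
    lines = []
    for can in sorted(needed):
        files = needed[can]
        if not files:
            lines.append(f"{can} -- Not vulnerable (fix already in tree).")
            continue
        detail = ", ".join(f"{p} <{have or '?'}> -> <{fix}>" for p, have, fix in files)
        lines.append(f"{can} -- Vulnerable. Patch needed for: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(needed_patches(CHANGELOG, TREE_IDS)):
        print(line)
```

The output is a triage list, not proof: a fix committed on a CVS branch (a revision like 1.38.2.1) or carried in a distribution patch rather than an upstream commit does not show up in the $Id$ line, which is why the comment above still read the code of every file before marking the worksheet. The numeric comparison in rev_tuple matters for vfs/extfs.c, where the fixing revision 1.100 would wrongly sort below the tree's 1.66 as a string.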
One more advisory for RHL 7.3: CAN-2005-0763, see bug 153982.
David, could you be so kind to remove that "leonard at" address from this entry and replace it with "leonard-rh-bugzilla at" please?
I'd say just tackle the rh9/fc1 bugs here, then finish off the rh73 update separately.
One more issue. I've used the Debian patch for CAN-2004-0226, but there seem to be some discrepancies between it and the original patch from Jakub (compare Fedora Legacy b 1548 c 10 & 15, this issue is not in the original patch). I'll bring up these discrepancies for discussion once I've sorted them out.
Packages as QA'd by Marc for rh9 and fc1 are on their way to updates-testing. Do I need to abandon that?
No. Those are fine (apart from the fact that the patches are in big blobs instead of separated out). The real problems are with RHL 7.3 (mc-4.5.55).
For RHL 7.3 I've decided to use the patch for CAN-2004-0226 from RHEL 2.1 as it is more complete than the Debian patch. Apart from some fixing to get the patches applied I also added a temp file fix for lib/cedit.menu that went into CVS but is missing from RHEL 2.1. The original patch is split out so we now have separate patches for CAN-2004-0226, CAN-2004-0231 and CAN-2004-0232. Feel free to comment if you think some of the hunks ended up in the wrong patch. The original CAN-2004-0226 patch also contained vfs/extfs quoting fixes which were later assigned CAN-2004-0494. There are a few hunks in the original patch that appear not to be security fixes but I left them in as separate patches anyway (small ftpfs and fish fixes).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494 as well as the ten CAN issues from this report can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-9.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-9.legacy.i386.rpm .

a633d19f13591dc5c7f629ee0af49569  mc-4.5.55-9.legacy.src.rpm
38e67b66cf025ba7f2b2929e443b793d  mc-4.5.55-9.legacy.i386.rpm

* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the current patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch.
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCVtzfm7FzjwvzBAsRAqOtAKDWttr3Hs679uEy2uwVaiVQs6/ipQCguLEm
647e4vjs/hIDhT+qAQeKxeE=
=kqI6
-----END PGP SIGNATURE-----
Created attachment 113092 [details]
debian patch for CAN-2005-0763

Last Debian update includes patch for CAN-2005-0763. Attaching here.
Michael, thanks for reminding me. I extracted that patch from the Debian patch set but forgot to apply it. New rpms coming up.
I already opened a bug report for this issue at bug 153982.

Ok, here are new testing rpms:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176 and CAN-2005-0763 can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-10.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-10.legacy.i386.rpm .

14b9a07a84f7d2a1a9d376032fbe2f8f  mc-4.5.55-10.legacy.src.rpm
20ccec65fe8ed40a782ba8f2bc3d1c40  mc-4.5.55-10.legacy.i386.rpm

* Wed Apr 13 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-10.legacy
- - Add patch for CAN-2005-0763
* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the current patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch.
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCXTkQm7FzjwvzBAsRAtm9AJ9jNn0cKhIGOoOsN/qMnCKlYNr3HwCg0Oc6
43rcl9X3DgymibNWH83k5nY=
=Ea5f
-----END PGP SIGNATURE-----
Last testing package (mc-4.5.55-10.legacy) is broken. mc segfaults on file editing.

Steps to reproduce:
- install rpm
- start mc (tested on root login)
- press F4 on any text file (for example /etc/hosts)
= immediate crash
OR
= message "Error in file /root/.cedit/Syntax on line XXX"
- dismiss message to enter editor
- press down key
= crash

Tested on RH73 clean install.
Yes, I can immediately reproduce this. I'll have a look at the patches and see if I can fix it.
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `/usr/bin/mc -P'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libslang.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libslang.so.1
Reading symbols from /usr/lib/libgpm.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpm.so.1
Reading symbols from /usr/lib/libglib-1.2.so.0...done.
Loaded symbols for /usr/lib/libglib-1.2.so.0
Reading symbols from /lib/libext2fs.so.2...done.
Loaded symbols for /lib/libext2fs.so.2
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /lib/libtermcap.so.2...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /usr/lib/libncurses.so.5...done.
Loaded symbols for /usr/lib/libncurses.so.5
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
#0  0x4207a7eb in chunk_alloc () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a7eb in chunk_alloc () from /lib/i686/libc.so.6
#1  0x4207a158 in malloc () from /lib/i686/libc.so.6
#2  0x0808a811 in getch ()
#3  0x0808aebe in getch ()
#4  0x0808b041 in getch ()
#5  0x080945c7 in getch ()
#6  0x0807bec1 in getch ()
#7  0x0807bf51 in getch ()
#8  0x0807db53 in getch ()
#9  0x0806bd41 in strcpy ()
#10 0x08065d67 in strcpy ()
#11 0x08065e6e in strcpy ()
#12 0x080661cd in strcpy ()
#13 0x08066297 in strcpy ()
#14 0x080808bf in getch ()
#15 0x08080a55 in getch ()
#16 0x0808159e in getch ()
#17 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) quit
Missed the removal of a strcat in gtkedit/syntax.c open_include_file(). Also replaced a strcpy() by a g_strconcat() in the same function. And got rid of some redundant -1s in strncpy()s in syntax.c. These are not in the Debian patch nor in CVS as they are redundant. Removing strcat() fixes the crash. New packages coming up.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages fixing CAN-2004-0226, CAN-2004-0231, CAN-2004-0232, CAN-2004-0494,
CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091,
CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176 and
CAN-2005-0763 can be found at
http://www.ottolander.nl/opensource/srpms/rh73/mc-4.5.55-11.legacy.src.rpm and
http://www.ottolander.nl/opensource/rpms/rh73/mc-4.5.55-11.legacy.i386.rpm .

4bd22e99dd6aa0d9bd089b12a0e288e4  mc-4.5.55-11.legacy.src.rpm
35d0187221dab6f6b090210fafdb8a10  mc-4.5.55-11.legacy.i386.rpm

* Sat Apr 17 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-11.legacy
- - Missed the removal of a strcat in gtkedit/syntax.c open_include_file() in
  CAN-2004-0226 causing crash in mcedit. Cleaned up syntax.c a bit more in
  accordance with the Debian patch and CVS (redundant -1s in strncpy()s)

* Wed Apr 13 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-10.legacy
- - Add patch for CAN-2005-0763

* Fri Apr 08 2005 Leonard den Ottolander <leonard * den ottolander nl> 4.5.55-9.legacy
- - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the Debian patch.
- - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer overflows),
  CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string vulnerabilities),
  CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish.
- - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the current
  patch is more complete.
- - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch.
- - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCYQX8m7FzjwvzBAsRAiymAJ4j8TzD0pkATnRzmbEwFnuAmrmeswCffH/V
ryvCY4BNkpwsM8So1OX95gM=
=uhGE
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Candidate package for rh9 and fc1.

331bcec08ee0a3bf47b6b5651ce2a27816f8ec30  redhat/9/updates-testing/SRPMS/mc-4.6.0-18.2.fc0.9.legacy.src.rpm
1ff0fb79aab253a3c7fe4a6324dc2402c6b8f437  redhat/9/updates-testing/i386/mc-4.6.0-18.2.fc0.9.legacy.i386.rpm
529796f562e9e49739170ad86bc427a45a5d2f05  fedora/1/updates-testing/SRPMS/mc-4.6.0-18.2.fc1.0.legacy.src.rpm
f5959c3196abe94223f9d43b4b78f78c88c98554  fedora/1/updates-testing/i386/mc-4.6.0-18.2.fc1.0.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCcVB6YzuFKFF44qURArMjAKD00/ncHDwQtrVgu69QC3ypQfDxXwCffZe/
FC8Kn0o4dLv/SvQOJxsFwHU=
=F+WQ
-----END PGP SIGNATURE-----
*** Bug 153982 has been marked as a duplicate of this bug. ***
CAN-2005-0763 only affects RHL 7.3.
*** Bug 152705 has been marked as a duplicate of this bug. ***
*** Bug 152770 has been marked as a duplicate of this bug. ***
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++PUBLISH RHL 7.3

Kudos to Leonard for working through all these mc issues and providing all
the fixes for 7.3. Thanks!

a8a885c4d1b456c11ac5ee76befe7b97d5f957d8  mc-4.5.55-11.legacy.i386.rpm

Works as expected.

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0ak+MyG7U7lo69MRAm3aAJ9F3hD0teBqZ0OatkEUmNnJe8RSwACgm1VU
TDHrw1PE75cDpzPSATNU/3c=
=jDnZ
-----END PGP SIGNATURE-----
7.3 packages were pushed to updates-testing.
*** Bug 148865 has been marked as a duplicate of this bug. ***
This bug tracks the fc2 packages also.
Created attachment 117257 [details]
Difference between my .i386.rpm and updates-testing

The attachment is the diff -u of my .i386.rpm and FL's in updates-testing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I downloaded the binary FC1 package,

SHA1SUM PACKAGE
f5959c3196abe94223f9d43b4b78f78c88c98554  fedora/1/updates-testing/i386/mc-4.6.0-18.2.fc1.0.legacy.i386.rpm,

from http://download.fedoralegacy.org/, as was posted in the FL Update Test
Update Notification FEDORALEGACY-2005-152889, at
<http://www.redhat.com/archives/fedora-legacy-list/2005-July/msg00039.html>.

I haven't yet loaded it into my machine to test, but doing a comparison of
this binary package with the binary package I produced (when I created the
.src.rpm) yields some problems. It is my guess that all of the problems are
due to missing dependencies when the binary package is created in the build
environment.

Summary: To build correctly (for at least FC1), mc may need:
1) the groff package (but not a show-stopper), and
2) the gnome-libs package.

Details (with many thanks to Charles Anderson for his rpm-build-compare.sh
script):

1) /usr/share/mc/mc.ext, lines 151-152 & others. In the rpm in
updates-testing, the "Open" line in mc.ext for manpages calls nroff with
merely a "-man" argument, rather than the arguments "-c -Tlatin1 -mandoc".
I think this is due to files missing when the groff package is not present
on the build system. There are also other "roff" "groff" "nroff" extensions
in mc.ext that appear to have incorrect arguments (see attachment). For
example,

- ------------------------------------------------------------------------------
- --- mc-4.6.0-18.2.fc1.0.legacy.dde.i386.rpm-root/usr/share/mc/mc.ext	2005-07-14 03:59:23.000000000 -0500
+++ mc-4.6.0-18.2.fc1.0.legacy.i386.rpm-root/usr/share/mc/mc.ext	2005-07-14 03:59:24.000000000 -0500
@@ -149,8 +149,8 @@ View=%view{ascii} file %f && nm %f regex/(([^0-9]|^[^\.]*)\.([1-9][a-z]?|n)|\.man)$ - - Open=nroff -c -Tlatin1 -mandoc %f | %var{PAGER:more} - - View=%view{ascii,nroff} nroff -c -Tlatin1 -mandoc %f + Open=nroff -man %f | %var{PAGER:more} + View=%view{ascii,nroff} nroff -man %f # Troff with me macros. # Exception - "read.me" is not a nroff file. - ------------------------------------------------------------------------------ 2) Line 304 of /usr/share/mc/mc.ext (for the .htm and .html file extensions), is buggy and will not properly open a browser window when running X-Windows (or GNOME or KDE). It is missing the "gnome-moz-remote" command, which is supplied in the gnome-libs package. - ------------------------------------------------------------------------------ @@ -300,7 +300,7 @@ # html regex/\.([Hh]tml?|HTML?)$ - - Open=if test -n "gnome-moz-remote" && test -n "$DISPLAY"; then (gnome-moz-remote file://%d/%p &) >/dev/null 2>&1; else links %f 2>/dev/null || lynx -force_html %f; fi + Open=if test -n "" && test -n "$DISPLAY"; then ( file://%d/%p &) >/dev/null 2>&1; else links %f 2>/dev/null || lynx -force_html %f; fi View=%view{ascii} lynx -dump -force_html %f # StarOffice 5.2 - ------------------------------------------------------------------------------ -David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFC6XLsxou1V/j9XZwRAkw6AJ0R052Z34FCn2nRwNQIk69ApURNSgCgw9Uk xQ9Rv30pwXiPnG6jdx07918= =QIzt -----END PGP SIGNATURE-----
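Review bot: in the @@ -149,8 +149,8 @@ hunk, the `+ Open=nroff -man %f | %var{PAGER:more}` and `+ View=%view{ascii,nroff} nroff -man %f` lines (the updates-testing build) have lost the `-c -Tlatin1 -mandoc` arguments that the `- - Open=` / `- - View=` lines still carry (the leading `- -` is PGP dash-escaping of a single `-`, so these are ordinary removed lines). Nothing in the source changed between the two builds, so this is a build-environment difference, and it should not be left to whatever happens to be installed in the build chroot: declare groff as a BuildRequires in the spec so the generated mc.ext comes out the same on every build host, and before pushing, diff the built /usr/share/mc/mc.ext against a known-good one (exactly what this comparison did) so a silently degraded configuration file cannot ship again.

Review bot: in the @@ -300,7 +300,7 @@ hunk, the `+ Open=if test -n "" && test -n "$DISPLAY"; then ( file://%d/%p &) ...` line is broken in two ways: `test -n ""` is always false, so the X branch is dead and every html file falls through to links/lynx, and if the branch were ever taken it would try to run `file://%d/%p` as a command because the browser name was substituted as an empty string. The `- - Open=` line is only marginally better as a check: `test -n "gnome-moz-remote"` tests a non-empty string literal, which is always true, so it never confirms that the browser is actually installed on the user's machine; a real presence test would be `command -v gnome-moz-remote >/dev/null 2>&1`. The empty substitution itself matches the missing gnome-libs dependency named above, so the spec needs a BuildRequires on gnome-libs for the configure-time probe to succeed.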
Thanks for the report David. Updated packages are being pushed to updates-testing right now.
Created attachment 117261 [details] PGP-signed portion of comment 25 Enclosed attachment duplicates the PGP-signed portion of comment 25, since pasting that into the comment box broke the message & signature. I'll try to be more careful next time. I wish bugzilla had a "preview" button in addition to a "submit" button. -David
+VERIFY for FC1.
Any other verifies, please? (I'll count Gilbert's as one, though unsigned, but won't start a timeout yet..)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+VERIFY for 7.3

Works like a champ.

7dd653902f620c9ab66fc187c92e1e8c70af4b6f  mc-4.5.55-12.legacy.i386.rpm

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC8p/3MyG7U7lo69MRAo4ZAKCA0vsFPaS6U4+dnSRy1ZHgpgzacwCfeMFX
I1/AQXxrisHl9eVvKpKVWaY=
=V2AL
-----END PGP SIGNATURE-----
Thanks!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for RH9 and FC2 packages:

82c7263b65d3959003c6043131dad7248fa7c40e  mc-4.6.0-18.3.fc0.9.legacy.i386.rpm
a8270921b5ded8b829c7fda54d7bac77145df129  mc-4.6.1-0.13.FC2.1.legacy.i386.rpm

Signature OK
Installs OK
mc binary runs OK

RH9 VERIFY++
FC2 VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC9E1DKe7MLJjUbNMRAvSHAKCcgv5pIVqzgaJ89F5FBvpM9edMwACgpq32
L7UCEf4e8UQIcik0vrhnV3U=
=F5/w
-----END PGP SIGNATURE-----
Packages were finally released! Hurrah! :)
*** Bug 127973 has been marked as a duplicate of this bug. ***