CAN-2004-1079: Buffer overflow in (1) ncplogin and (2) ncpmap in nwclient.c for ncpfs 2.2.4, and possibly other versions, may allow local users to gain privileges via a long -T option. CAN-2005-0013: nwclient.c in ncpfs before 2.2.6 does not drop root privileges before executing utilities using the NetWare client functions, which allows local users to gain privileges. CAN-2005-0014: Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malicious NetWare servers to execute arbitrary code on the NetWare client. see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0013 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0014 https://bugzilla.redhat.com/beta/show_bug.cgi?id=144691 ------- Bug moved to this database by dkl 2005-03-30 18:31 ------- This bug previously known as bug 2428 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2428 Originally filed under the Fedora Legacy product and Package request component. Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages to QA. The previous FC3 patch was incomplete, so it's now fixed. 06848f0f5179afa589cd0d30cec96cc3a1a096b0 7.3/ncpfs-2.2.0.18-6.1.legacy.i386.rpm 5d4b69e5c2f5580e07542aec20371026a303f7b2 7.3/ncpfs-2.2.0.18-6.1.legacy.src.rpm b4402f56767b785e1d5c0f43839cff11dbf15b67 7.3/ipxutils-2.2.0.18-6.1.legacy.i386.rpm 2ca7eb95c4a69823d3b80cf4d52ebc28d925d175 9/ncpfs-2.2.1-1.1.legacy.i386.rpm a1f7228bbceacc789084d31ac559460216bf4862 9/ncpfs-2.2.1-1.1.legacy.src.rpm dcc36dce8d718ed5890ebac95f73a3647d8fcec3 9/ipxutils-2.2.1-1.1.legacy.i386.rpm ade651d031e2b3d758d2c5ba7bd46cd8041994c6 1/ncpfs-2.2.3-1.1.legacy.i386.rpm 0bbca8e8da3e8e5b4b5569f9583ac8ef7b6a2ca1 1/ncpfs-2.2.3-1.1.legacy.src.rpm 7d2742da8304cdbeba82867e6b82c3fc71c3e8ae 1/ipxutils-2.2.3-1.1.legacy.i386.rpm 32bcb6f135d23e5854854c337343cce67087107c 2/ncpfs-2.2.4-1.1.legacy.i386.rpm d3b849d3a625973b99e58a34d3c4e522f6375f7b 2/ncpfs-2.2.4-1.1.legacy.src.rpm 450df935d8f97cf97303d7ef47684c40d664ee62 2/ipxutils-2.2.4-1.1.legacy.i386.rpm 48f2cb4ea55a6a38ac0b907928e5754af8aebf28 3/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm ae3a7d8a83966f2d6771d76e2a30913a70bb7f86 3/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm 93056f0da00226ae586907bfa6868d562629e8a1 3/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/7.3/ncpfs-2.2.0.18-6.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/ncpfs-2.2.1-1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/ncpfs-2.2.3-1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/ncpfs-2.2.4-1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/3/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFEFCtFLMAs/0C4zNoRAnSFAKCf35RNBJKYuvrw2tw+/OM+4TqmNwCgqgqH Y0IwqR9VyVxbMqpsfJWAePE= =mPoc -----END PGP SIGNATURE-----
Apparently, FC4 folks didn't remember to update their ncpfs for getuid2.patch, but that's not our concern (yet)... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches identical to RHEL2 or Fedora's original FC3 package +PUBLISH RHL73, RHL9, FC1, FC2, FC3 5d4b69e5c2f5580e07542aec20371026a303f7b2 ncpfs-2.2.0.18-6.1.legacy.src.rpm a1f7228bbceacc789084d31ac559460216bf4862 ncpfs-2.2.1-1.1.legacy.src.rpm 0bbca8e8da3e8e5b4b5569f9583ac8ef7b6a2ca1 ncpfs-2.2.3-1.1.legacy.src.rpm d3b849d3a625973b99e58a34d3c4e522f6375f7b ncpfs-2.2.4-1.1.legacy.src.rpm ae3a7d8a83966f2d6771d76e2a30913a70bb7f86 ncpfs-2.2.4-5.FC3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFEFRK+GHbTkzxSL7QRAimcAJ43puKwoSsTrnvv1r7fpdkiShFNwQCdGIj5 IdHePezZ4Xiq7CvGwFS3yqo= =k9sD -----END PGP SIGNATURE-----
Packages were pushed to updates-testing
Timeout over.
Packages were released to updates.