+++ This bug was initially created as a clone of Bug #154051 +++
+++ This bug was initially created as a clone of Bug #154049 +++

The way sharutils handles temporary files is insecure (as reported by the Debian BTS): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412

The Debian bug contains a patch for this issue.

--------------------------------------------------------------------------

Looks like this update missed the FC2 cutoff -- cloning into Fedora Legacy.

Red Hat folks: is the sharutils-4.2.1-18.2.FC2 package available anywhere? Thanks!
We must make sure CAN-2004-1772 and CAN-2004-1773 are fixed as well.
Here are updated sharutils packages to QA:

CAN-2004-1772 and CAN-2004-1773 were already fixed by the previous releases.

* Sun Apr 17 2005 Marc Deslauriers <marcdeslauriers> 4.2.1-18.2.FC2.legacy
- Added security fix for CAN-2005-0990

http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/sharutils-4.2.1-12.7.x.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/sharutils-4.2.1-16.9.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/sharutils-4.2.1-17.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/sharutils-4.2.1-18.2.FC2.legacy.src.rpm
You will find the sharutils-4.2.1-18.2.FC2 srpm on tp://people.redhat.com/than/fc2
This bug must go through the FL QA process...
QA w/ rpm-build-compare.sh:
- source integrity good
- patch verified to come from Debian
- spec file changes minimal

+PUBLISH RHL73,RHL9,FC1,FC2
The same patch is also used in FC3 sources (which caught up recently with another security patch present in Legacy sources since October last year). This should be a "no-brainer" publish.
Packages were pushed to updates-testing
00132d8850d0db03c6adae00ecece7c99de20223 sharutils-4.2.1-16.9.2.legacy.i386.rpm installs OK.

If I read the Debian report aright, the bug specifically affects the unshar command, so:

[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0 fred
[madhatta@www foo]$ shar fred > fred.shar
shar: Saving fred (text)
[madhatta@www foo]$ rm fred
[madhatta@www foo]$ unshar fred.shar
/home/madhatta/tmp/foo/fred.shar:
x - creating lock directory
x - extracting fred (text)
[madhatta@www foo]$ sha1sum fred
6d89a576fc098afae3dd5a40531c2f34ffeabcf0 fred
[madhatta@www foo]$

Looks like unshar works, at least on a trivial case. I don't really use it much, so I can't give it a thorough workout (sorry).

+VERIFY RH9
QA on RHL73:

I created a shar file and unsharred it fine. I didn't manage to see anything interesting when I straced 'unshar archive.shar', but when I straced 'sh ./archive.shar' I did notice a temp file was being created with reasonable randomness, so this should be OK.

[pid 4889] open("/tmp/sh-thd-2963738994", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3
[pid 4889] open("/tmp/sh-thd-2963738994", O_RDONLY|O_LARGEFILE) = 4

+VERIFY RHL73
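The temp-file check the QA comment above did by eye can be scripted. This is an added example, not code from the bug thread or from sharutils: it scans strace output for open()/openat() calls that create a file under /tmp or /var/tmp without O_EXCL, or with a creation mode that grants group/other access. The lines in SAMPLE are constructed, modelled on the two quoted above plus a deliberately unsafe one.

```shell
# check_tmp_opens: read strace output on stdin and report open()/openat()
# calls that create a file under /tmp or /var/tmp without O_EXCL, or with a
# creation mode that grants group/other access. Exit status 1 if any found.
check_tmp_opens() {
    awk '
        /open(at)?\(/ && /"\/(var\/)?tmp\// && /O_CREAT/ {
            # The path is the first double-quoted argument.
            split($0, q, "\"")
            path = q[2]
            why = ""
            if ($0 !~ /O_EXCL/) why = "missing O_EXCL"
            # The creation mode is the octal argument just before ") =".
            if (match($0, /, 0[0-7]+\) =/)) {
                mode = substr($0, RSTART + 2, RLENGTH - 5)
                if (mode !~ /00$/) {
                    if (why != "") why = why "; "
                    why = why "mode " mode " grants group/other access"
                }
            }
            if (why != "") {
                printf "UNSAFE %s: %s\n", path, why
                bad++
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample: the two lines quoted in the QA comment, one deliberately
# unsafe open (no O_EXCL, mode 0666), and one open outside /tmp that is ignored.
SAMPLE='[pid 4889] open("/tmp/sh-thd-2963738994", O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_LARGEFILE, 0600) = 3
[pid 4889] open("/tmp/sh-thd-2963738994", O_RDONLY|O_LARGEFILE) = 4
[pid 4890] open("/tmp/constructed-example", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
[pid 4890] open("/home/user/report.txt", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6'

# Real use: strace -f -e trace=open,openat ./program 2>&1 | check_tmp_opens
printf '%s\n' "$SAMPLE" | check_tmp_opens || echo "unsafe temp file handling found (exit $?)"
```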
RH73 package in updates (sharutils-4.2.1-12.7.x.legacy.i386.rpm) wins version comparison with the new package in updates-testing (sharutils-4.2.1-12.7.x.1.legacy.i386.rpm).

$ rpmver -v 4.2.1-12.7.x.1.legacy 4.2.1-12.7.x.legacy
RPM version 4.2.1-12.7.x.1.legacy is lesser than version 4.2.1-12.7.x.legacy.

Version bump is needed.
Version bump was done on RH73 packages in updates-testing.
Two verifys, timeout in 2 weeks.
Timeout over, to be released.
Packages were released to updates.