Bug 19283 - compat-egcs-5.2 cannot co-exist with compat-egcs-6.2
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: compat-egcs
Version: 7.0
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Jakub Jelinek
Reported: 2000-10-17 20:13 UTC by Ronald Cole
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-10-17 22:26:00 UTC
Embargoed:


Description Ronald Cole 2000-10-17 20:13:15 UTC
I'm using Informix IDS 7.30UC7 and 4GL.  The 4GL packages require
compat-{binutils,egcs,glibc,libs}-5.2.  I had to get these packages from my
RedHat 6.2 disk but rpm seems to want to nuke compat-*-6.2 in order to load
them.  To me, it looks like the two compat package contents won't actually
step on each other, it's just that they are unfortunately named (so that
there can only be ONE compat series installed at a time).

Or is there a work around?

Comment 1 Ronald Cole 2000-10-17 22:25:57 UTC
Just to clarify: compat-egcs-6.2 is *not* an update to compat-egcs-5.2.  They
are separate and distinct compatibility packages: thus "rpm -i" and "rpm -U" do
the "wrong thing".
The packages should properly be called compat-egcs52 and compat-egcs62 so that
they can co-exist and rpm will do the "right thing" with them and their ilk.

Also, it would be wise to apply the recent security fixes to compat-glibc-5.2.

Comment 2 Jakub Jelinek 2000-10-20 12:42:44 UTC
You can rpm2cpio compat-*-5.2 | cpio -id into the system. We'll consider
putting the version into the compat names for future distributions.
As for security fixes to compat-glibc-5.2, all of the security issues were
related to setuid/setgid programs. But running a dynamically linked
setuid/setgid program using /usr/*-glibc20-linux/lib/ld-linux.so.2
does not honour those setuid/setgid bits (because you get rights of ld-linux.so.2,
not the actual program you're running) and thus in order to exploit the bug
you'd either have to explicitly put the /usr/*-glibc20-linux/lib/ld-linux.so.2
interpreter into the binary (but why would anyone do that) or link
statically (again, I see no reason compiling setuid/setgid statically linked
programs against compatibility libraries).
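
An audit sketch for the two exposed cases comment 2 names (an added example, not part of the original thread and not Red Hat tooling): it flags setuid/setgid ELF files whose PT_INTERP names a glibc 2.0 compat loader, or that carry no interpreter at all. The `-glibc20-linux/` substring match, the function names and the 4096-byte header read are assumptions of this example.

```python
import os
import stat
import struct

PT_INTERP = 3
COMPAT_MARK = "-glibc20-linux/"  # from the loader path pattern quoted in comment 2

def elf_interp(data):
    """Return (is_elf, PT_INTERP path or None) for the leading bytes of a file."""
    if data[:4] != b"\x7fELF" or len(data) < 64:
        return False, None
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + (56 if is64 else 32) > len(data):
            break  # truncated read or malformed program header table
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            fmt, base = (end + "Q16xQ", off + 8) if is64 else (end + "I8xI", off + 4)
            p_offset, p_filesz = struct.unpack_from(fmt, data, base)
            return True, data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("latin-1")
    return True, None

def classify(mode, data):
    """Map one file onto the cases comment 2 distinguishes."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return "unprivileged"
    is_elf, interp = elf_interp(data)
    if not is_elf:
        return "not-elf"
    if interp is None:
        return "static-review"  # no loader recorded; the linked libc needs a manual check
    return "compat-interp" if COMPAT_MARK in interp else "system-interp"

def audit(root):
    """Yield (path, verdict) for setuid/setgid ELF files that need review."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    verdict = classify(st.st_mode, fh.read(4096))
            except OSError:
                continue
            if verdict in ("compat-interp", "static-review"):
                yield path, verdict
```

A `static-review` verdict only means the file has no PT_INTERP segment; it does not say which libc was linked in.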

Comment 3 Ronald Cole 2000-10-20 19:29:59 UTC
I was referring to the glibc locale and internationalization security checks
errata.  In the words of the errata, "It is highly probable that some of these
bugs can be used for local root exploits."

If you do change your mind and issue an errata for the compat-*-5.2 packages
(hopefully changing the names to compat-*52), then please consider adding the
fix for bug #19289.

Comment 4 Jakub Jelinek 2000-10-20 19:34:31 UTC
All the bugs fixed by that security errata were only relevant to
setuid/setgid programs, see above why I don't think this matters in
the compat library.

