Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 136323 - CAN-2004-0966 temporary file vulnerabilities in various gettext scripts.
Summary: CAN-2004-0966 temporary file vulnerabilities in various gettext scripts.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: gettext
Version: fc2
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, rh90, 1, 2
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-10-19 11:00 UTC by Mark J. Cox
Modified: 2007-03-27 04:22 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-10 01:19:30 UTC


Attachments (Terms of Use)
Proposed patch (needs backporting) (deleted)
2004-10-19 11:01 UTC, Mark J. Cox
no flags Details | Diff

Description Mark J. Cox 2004-10-19 11:00:38 UTC
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in autopoint, gettextize scripts.  Patch
attached.  These issues don't affect the scripts shipped with gettext
in RHEL2.1, RHEL3.

Comment 1 Mark J. Cox 2004-10-19 11:01:37 UTC
Created attachment 105442 [details]
Proposed patch (needs backporting)

Comment 8 Matthew Miller 2005-04-11 22:20:46 UTC
[Bulk move of FC2 bugs to Fedora Legacy. See
<http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]

Comment 9 Marc Deslauriers 2005-04-20 23:30:58 UTC
See also bug 152810 

Comment 10 Jeff Sheltren 2005-10-20 12:03:24 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Created package for FC2 using above patch.

http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.14.1-2.1.1.legacy.src.rpm

88714980739f378a18a93d68fcf62b41bdc34660  gettext-0.14.1-2.1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDV4fxKe7MLJjUbNMRAqndAJ4iEIp3awHSHUeP2ny2RurV3A2LqACeIPqJ
2ZPfFt0753pLyKR06sXQaTw=
=MEP4
-----END PGP SIGNATURE-----

Comment 11 Pekka Savola 2005-10-21 08:54:52 UTC
Does this affect FC1?  If it doesn't affect RHEL3/2.1, I guess it doesn't affect
RHL73/9.

Comment 12 Jeff Sheltren 2005-10-21 11:18:53 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looking at the other bug, I had assumed that FC1 was not vulnerable,
but now that I look at it, it does have some (not all) of the patched
code.  I've patched the similar parts of code as were patched for
FC2, and there is a FC1 package here:

http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.12.1-1.1.legacy.src.rpm

8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23  gettext-0.12.1-1.1.legacy.src.rpm

I'll double check on the rh7 & rh9 packages later just to be sure
that they don't need to be patched.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDWM7cKe7MLJjUbNMRAsCuAJ93b3u6DPWUOXNSII6raGSttgOwdACeO3EK
ta9xpnl0TJPnrph6eKNTWoc=
=lpfB
-----END PGP SIGNATURE-----

Comment 13 Jeff Sheltren 2005-10-21 16:31:14 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Redhat 7.3 doesn't have any of the vulnerable code.  RH9 does have some
of it, so I've patched what's there that appears to be vulnerable.

Here's the RH9 package:
http://www.cs.ucsb.edu/~jeff/legacy/gettext-0.11.4-7.1.legacy.src.rpm

52c7f683312d53c41cc046b8109dd073b122d3d5  gettext-0.11.4-7.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDWRg0Ke7MLJjUbNMRAvHTAKCQnL1FpwgEouo5OmvPkCOikRWNpgCcDxWK
pw8EpQMVCGtpAVhZXQC8kTQ=
=a7Iy
-----END PGP SIGNATURE----- 

Comment 14 Pekka Savola 2005-10-22 04:37:22 UTC
Thanks for the investigation.  Unless someone jumps in, I'll do QA for these
shortly..

Comment 15 Pekka Savola 2005-10-24 05:54:03 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - 0.14 patch verified to be the same as RHEL proposal and in Gentoo;
   0.12 removes a subset, 0.11 almost all.  Should be OK.
 
I noted one typo in 0.11 patch:
 
+if [ $? -ne 0 ]; then
+  echo "ERROR making $workd_dir"
+  exit 1
+fi
 
s/workd_dir/work_dir/
 
This can be fixed at build time, I think.
 
+PUBLISH RHL9, FC1, FC2
 
52c7f683312d53c41cc046b8109dd073b122d3d5  gettext-0.11.4-7.1.legacy.src.rpm
8de2ebe8e6299c5b3b17d2c2a6f85686f5c07e23  gettext-0.12.1-1.1.legacy.src.rpm
88714980739f378a18a93d68fcf62b41bdc34660  gettext-0.14.1-2.1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDXHdmGHbTkzxSL7QRAuFQAKDWp3W3R2K1lUK9rWgimFhoJciuEACfXvLd
/mw+pVBt89Hz1nSPI+fV1wI=
=C2Uo
-----END PGP SIGNATURE-----


Comment 16 Jeff Sheltren 2005-10-24 10:17:59 UTC
Thanks, Pekka.  Marc, if you want me to resubmit the 0.11 package (without the
typo), let me know.

Comment 17 Marc Deslauriers 2005-11-19 16:01:25 UTC
Packages were pushed to updates-testing

Comment 18 Pekka Savola 2005-11-28 18:25:31 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9: signature OK, upgrades OK, rebuilding a couple of src.rpm's
using gettext works fine.

+VERIFY RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDi0wiGHbTkzxSL7QRAohhAJ9Wp9uRwEVNLFr8IJ7//HndPs/DkACgmG0j
/729E1CaT5KvL+EYinWrKjw=
=5Rni
-----END PGP SIGNATURE-----


Comment 19 Pekka Savola 2005-12-28 18:52:13 UTC
Timeout over.

Comment 20 Marc Deslauriers 2006-01-10 01:19:30 UTC
Packages were released to updates


Note You need to log in before you can comment on or make changes to this bug.