Bug#: 237
Status: RESOLVED
Resolution: FIXED
Assigned To: Daniel Robbins (RETIRED) <drobbins@gentoo.org>
Reporter: Ferry Meyndert <m0rpheus@poseidon.mine.nu>


Description:   Opened: 2002-01-19 13:19 0000
zen-parse found a bug in the current implementation of at which leads
to a heap corruption vulnerability, which in turn could potentially
lead to an exploit of the daemon user.

I have tried to make a fix for this, but it seemed harder than I thought.
At doesn't have a central download point or homepage, so I wasn't able to find a new
version; I searched everywhere. There only came an update from Debian.

Also, the download locations in the old at ebuilds are dead and they are patched
for using sendmail. And sendmail isn't even in portage anymore.

So I think the best thing to do is drop this program and add it to package.mask.

------- Comment #1 From Daniel Robbins (RETIRED) 2002-01-19 14:08:56 0000 -------
Ok, will mask but I'll still leave this bug open

------- Comment #2 From Ferry Meyndert 2002-01-19 17:55:05 0000 -------
Finally I found the source for the new at package by manually browsing some
Debian servers :(( I found out that it was made by a Debian developer.

Still can't attach files :((

at-3.1.8-r11.ebuild
-----------------------------------

# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# Ferry Meyndert <m0rpheus@poseidon.mine.nu>


P=at_3.1.8-11
S=${WORKDIR}/at-3.1.8
DESCRIPTION="Queues jobs for later execution"
SRC_URI="http://ftp.debian.org/debian/pool/main/a/at/${P}.tar.gz"
HOMEPAGE="none"

DEPEND="virtual/glibc >=sys-devel/flex-2.5.4a"

RDEPEND="virtual/glibc"

src_unpack() {

	unpack ${P}.tar.gz
	cd ${S}
}

src_compile() {

	# Job and spool directories live under /var/cron; the daemon runs
	# as a dedicated at user and group.
	./configure --host=${CHOST/-pc/} --sysconfdir=/etc/at \
		--with-jobdir=/var/cron/atjobs \
		--with-atspool=/var/cron/atspool \
		--with-etcdir=/etc/at \
		--with-daemon_username=at \
		--with-daemon_groupname=at || die
	emake || die
}

src_install() {

	into /usr
	chmod 755 batch
	chmod 755 atrun
	dobin at batch
	# at is installed setuid (mode 4755); atrm and atq are symlinks to it
	fperms 4755 /usr/bin/at
	dosym at /usr/bin/atrm
	dosym at /usr/bin/atq
	dosbin atd atrun

	# Job and spool directories: mode 700, owned by at:at, each with a .SEQ file
	for i in atjobs atspool
	do
		dodir /var/cron/${i}
		fperms 700 /var/cron/${i}
		fowners at.at /var/cron/${i}
		touch ${D}/var/cron/${i}/.SEQ
	done

	# Init script, at.deny, man pages and documentation
	exeinto /etc/init.d
	newexe ${FILESDIR}/atd.rc6 atd
	insinto /etc/at
	insopts -m 0644
	doins ${FILESDIR}/at.deny
	doman at.1 at_allow.5 atd.8 atrun.8
	dodoc COPYING ChangeLog Copyright Problems README
}

------- Comment #3 From Daniel Robbins (RETIRED) 2002-01-19 18:06:56 0000 -------
Added this as at-3.1.8-r7 and masked all the others.
