First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 68404
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>
Add CC:
CC:
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
groffer.patch Patch from Debian patch Thierry Carrez (RETIRED) 2004-11-02 05:48 0000 710 bytes Details | Diff
groff-1.18.1.1.ebuild groff-1.18.1.1.ebuild text/plain Akinori Hattori 2004-11-06 02:18 0000 3.10 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 68404 depends on: Show dependency tree
Show dependency graph
Bug 68404 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-10-21 07:55 0000 
CAN-2004-0969

The groffer script in the Groff package 1.18 and later versions, as
used in Trustix Secure Linux 1.5 through 2.1, and possibly other
operating systems, allows local users to overwrite files via a symlink
attack on temporary files.

------- Comment #1 From Thierry Carrez (RETIRED) 2004-10-21 08:04:30 0000 ------- 
Patch on RedHat bug doesn't apply to our groffer either... but it looks
vulnerable nevertheless. Maybe we should wait for RedHat to patch and see if it
applies ?

------- Comment #2 From Thierry Carrez (RETIRED) 2004-10-28 00:52:15 0000 ------- 
The 1.19 patch posted on the RedHat bug (see URL) should apply to 1.19-r1. Then
we could push 1.19 to stable on all arches. It's probably simpler than
backporting the fix for 1.18.

base-system/vapier: please have a look :)

------- Comment #3 From SpanKY 2004-10-28 19:45:08 0000 ------- 
umm, we dont have 1.19-r1

we have 1.19.1-r1 ... and dont lie to me, but that patch doesnt even come CLOSE to applying cleanly to 1.19.1-r1 ;)

i just moved 1.19.1-r1 to stable for unrelated reasons, and many other arches already have it as stable ... current KEYWORDS:
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86"

figure out what you wanna do :)

------- Comment #4 From Thierry Carrez (RETIRED) 2004-10-29 00:45:04 0000 ------- 
heh, blame Mark Cox :)

------- Comment #5 From Matthias Geerdsen 2004-11-02 02:27:44 0000 ------- 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278265
Debian bug report with backported patch

------- Comment #6 From Thierry Carrez (RETIRED) 2004-11-02 05:48:41 0000 ------- 
Created an attachment (id=43158) [edit]
Patch from Debian

Patch from Debian bug.

Applies correctly :
 patching file contrib/groffer/groffer.sh
 Hunk #1 succeeded at 3217 (offset -11 lines).

------- Comment #7 From SpanKY 2004-11-02 16:35:57 0000 ------- 
i assume that's for groff-1.18.1 ...

why should we bother ? groff-1.19.1 looks like this now:
groff-1.19.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ~ppc ~ppc64 s390 sparc x86"

------- Comment #8 From Thierry Carrez (RETIRED) 2004-11-03 00:50:11 0000 ------- 
No, the patch applies to 1.19.1-r1
AFAICT 1.19.1-r1 is still vulnerable, that's why we should care.

------- Comment #9 From SpanKY 2004-11-03 16:02:19 0000 ------- 
touche salesman

groff-1.19.1-r2 now in cvs with aforementioned patch

------- Comment #10 From Thierry Carrez (RETIRED) 2004-11-04 00:30:26 0000 ------- 
Arches please test and mark stable.

Note that the only difference with 1.19.1-r1 (for those arches having that version stable) is the tempfile handling in the groffer utility.

------- Comment #11 From Bryan Østergaard (RETIRED) 2004-11-04 03:27:37 0000 ------- 
Stable on alpha.

------- Comment #12 From Gustavo Zacarias (RETIRED) 2004-11-04 05:37:34 0000 ------- 
sparc stable.

------- Comment #13 From Akinori Hattori 2004-11-04 06:07:53 0000 ------- 
Please apply this fix to 1.18 too. multibyte patch for 1.19 is not yet
released.

------- Comment #14 From Markus Rothe 2004-11-04 09:20:50 0000 ------- 
groff-1.19.1-r2 is now tested and marked stable on ppc64.

Markus

------- Comment #15 From Travis Tilley (RETIRED) 2004-11-04 09:37:08 0000 ------- 
stable on amd64

------- Comment #16 From SpanKY 2004-11-04 19:01:41 0000 ------- 
if someone posts a patch that'll apply cleanly to 1.18.1-r4 i'll add a
1.18.1-r5

------- Comment #17 From SpanKY 2004-11-04 19:08:00 0000 ------- 
moved arm/hppa/ia64/s390/x86 to stable with 1.19.1-r2

------- Comment #18 From Lars Weiler (RETIRED) 2004-11-04 20:25:42 0000 ------- 
ppc stable

------- Comment #19 From Hardave Riar (RETIRED) 2004-11-05 01:35:27 0000 ------- 
Stable on mips.

------- Comment #20 From Thierry Carrez (RETIRED) 2004-11-06 01:14:19 0000 ------- 
ppc64 is stable... ppc64: please remove yourself from Cc when you mark stable.

Security, please vote on GLSA need. Maybe a grouped GLSA with the davfs and openssl ones ?

------- Comment #21 From Akinori Hattori 2004-11-06 02:18:44 0000 ------- 
Created an attachment (id=43389) [edit]
groff-1.18.1.1.ebuild

groff-1.18.1.1.ebuild with updated Debian patch.

------- Comment #22 From Sune Kloppenborg Jeppesen 2004-11-06 04:01:55 0000 ------- 
I vote for a grouped GLSA on this one as well.

------- Comment #23 From Thierry Carrez (RETIRED) 2004-11-06 05:36:51 0000 ------- 
waiting on davfs2 x86 stable

------- Comment #24 From Thierry Carrez (RETIRED) 2004-11-07 10:27:13 0000 ------- 
davfs will take too much time, issuing GLSA with only openssl and groff

------- Comment #25 From Thierry Carrez (RETIRED) 2004-11-08 02:51:03 0000 ------- 
GLSA 200411-15
First Last Prev Next    No search results available      Search page      Enter new bug