Bug#: 79585
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Attachments:
kstars-minimal.diff (patch), created by Sune Kloppenborg Jeppesen on 2005-01-28 06:53 0000, 1.30 KB


Description:   Opened: 2005-01-26 08:30 0000

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-01-26 08:30:38 0000 -------
Erik Sjölund discovered that a buffer overflow in fliccd which is
installed setuid root (at least on Debian/unstable) can be exploited
quite easily and will probably allow arbitrary code to be executed.

KDE has been notified.

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-01-26 22:07:15 0000 -------
It is also setuid root on Gentoo.

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-01-26 22:08:49 0000 -------
KDE, is it possible to fix the permissions in 2005.0 (and mention nothing else
in the Changelog)?

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-01-28 06:53:12 0000 -------
Created an attachment (id=49736)
kstars-minimal.diff

Here's a minimal patch to fix this vulnerability.  Dirk will send
the entire upstream patch later.

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-01-28 06:54:08 0000 -------
Carlo, caleb please advise on comment #2.

------- Comment #6 From Caleb Tennis 2005-01-28 07:03:28 0000 -------
I can't test the patch until later this evening - it will need to be cleaned up
to work in Gentoo, but shouldn't be a problem.  If nobody gets to it first I'll
go ahead and bump it - should be okay to just leave stable on all arches. 

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-02-13 04:56:51 0000 -------
Waiting for new coordinated release date. KDE please be ready to patch.

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-02-13 06:03:14 0000 -------
New release date is February 15th

------- Comment #9 From Carsten Lohrke 2005-02-14 11:55:50 0000 -------
Hm, "nobody" is about to commit. What about the changelog - do I violate any
stupid vendor sec agreements, if I write "buffer overflows in fliccd of
kstars"?

------- Comment #10 From Thierry Carrez (RETIRED) 2005-02-14 12:01:18 0000 -------
carlo: since we are very close to disclosure date, I'd say you can commit with
any comment you want.

------- Comment #11 From Carsten Lohrke 2005-02-14 12:12:51 0000 -------
Koon: Are you sure about "any comment"? ;) I'd like to know, how do we deal
with this in general. Just "security bug, #1010101"?


<<< kdeedu-3.3.2-r1.ebuild

arch herds: would you please!?

------- Comment #12 From Thierry Carrez (RETIRED) 2005-02-14 13:58:11 0000 -------
Carlo: Confidential bugs shouldn't be disclosed at all. No CVS commit, no
Changelog or whatever. Semi-public bugs can be committed to CVS, but with
cryptic comments like "bug #101010". When we are at disclosure date, it's OK to
commit and comment.

This bug should be open ASAP so that arch people can comment on it :)

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-02-14 14:06:49 0000 -------
Thx Carlo.

Opening bug. Arches please test and mark stable.

------- Comment #14 From Carsten Lohrke 2005-02-14 14:24:08 0000 -------
Koon: O.k., even though I dislike this closed list approach at all, it makes
sense in context. I bet I'm not the only one who is/wasn't sure about it. Maybe
a good question for the become-a-developer quiz.

------- Comment #15 From Ciaran McCreesh 2005-02-14 14:33:05 0000 -------
Carlo -- see the repeated flamewars on the gentoo-user list that come up every
now and again when people get a ChangeLog entry telling them to access a
restricted bug. Not pretty, but they tend to cover all the issues.

------- Comment #16 From Sune Kloppenborg Jeppesen 2005-02-14 22:04:07 0000 -------
Upgrading severity. Remote root is apparently possible in certain
configurations.

------- Comment #17 From Gustavo Zacarias (RETIRED) 2005-02-15 17:34:54 0000 -------
sparc stable.

------- Comment #18 From Markus Rothe 2005-02-15 21:26:19 0000 -------
stable on ppc64

------- Comment #19 From Bryan Østergaard (RETIRED) 2005-02-16 03:06:53 0000 -------
Stable on alpha.

------- Comment #20 From Michael Hanselmann (hansmi) (RETIRED) 2005-02-16 10:50:15 0000 -------
Marked stable on ppc by lu_zero.

------- Comment #21 From Jan Brinkmann (RETIRED) 2005-02-16 12:13:37 0000 -------
stable on amd64

------- Comment #22 From Sune Kloppenborg Jeppesen 2005-02-16 12:50:25 0000 -------
Thx everyone.

GLSA 200502-23

ia64 and hppa please remember to mark stable.

------- Comment #23 From René Nussbaumer 2005-06-26 05:48:39 0000 -------
Already stable on hppa
