135970 2006-06-07 12:22 0000 kde-base/arts Unchecked set*uid() calls (CVE-2006-2916) 2006-10-15 05:45:57 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.kde.org/info/security/advisory-20060614-2.txt A2 [glsa] jaervosz P2 major --- 1 jaervosz@gentoo.org security@gentoo.org kde@gentoo.org tcort@gentoo.org jaervosz@gentoo.org 2006-06-07 12:22:34 0000 Dirk Mueller from KDE reports: The vixie cron vulnerability also exists in several places. jaervosz@gentoo.org 2006-06-07 12:23:50 0000 Created an attachment (id=88621) arts-3.5.3.diff jaervosz@gentoo.org 2006-06-07 12:27:58 0000 Carlo please attach an updated ebuild. Do not commit anything to Portage yet. carlo@gentoo.org 2006-06-09 08:10:19 0000 Nice one... Public disclosure is 2006-06-15 together with a kdm symlink attack vulnerability fix. Is there another hidden bug about it or should I open one? Will prepare the fixes late this evening or tomorrow. jaervosz@gentoo.org 2006-06-09 08:27:30 0000 Changing whiteboard to SEMI-PUBLIC as the general issue is already public. Carlo up to you wether we should test the ebuild on this bug or commit direct to Portage (with only the bug number mentioned in the ChangeLog). carlo@gentoo.org 2006-06-11 06:35:41 0000 arts-3.4.3-r1.ebuild arts-3.5.2-r1.ebuild I'm not sure who is responsible for KDE security bumps, but these are the ebuilds, which need to go stable. Sune: Sorry that I'm later than predicted. Changed kde eclasses and fought with repoman acting very weird. dercorny@gentoo.org 2006-06-11 06:43:19 0000 arches, please test if this is stable and report back. Altough this is set as semi-public, better dont commit anything yet. Thanks gustavoz@gentoo.org 2006-06-12 06:51:18 0000 Passing on to weeve, he's our kde mofo and i'm not feeling quite well yet. carlo@gentoo.org 2006-06-12 08:21:57 0000 (In reply to comment #6) > arches, please test if this is stable and report back. Altough this is set as > semi-public, better dont commit anything yet. Thanks Hu? I committed patch and ebuilds so everyone can read it. The patch is in KDE svn, so everyone can read it. It would be careless not to mark the ebuilds stable asap. jaervosz@gentoo.org 2006-06-12 08:25:31 0000 Please test and MARK stable, this ain't no security drill so please just mark stable in the tree. corsair@gentoo.org 2006-06-12 11:09:54 0000 stable on ppc64 @security: remove security liasons and add archs to CC? jaervosz@gentoo.org 2006-06-12 11:35:17 0000 It's still semi public, so we cannot add arches until it is completely opened. weeve@gentoo.org 2006-06-13 19:32:40 0000 SPARC is good here (or as good as arts ever gets). dertobi123@gentoo.org 2006-06-14 02:13:24 0000 ppc stable carlo@gentoo.org 2006-06-14 06:53:10 0000 (In reply to comment #13) > ppc stable > You missed arts-3.4.3-r1 weeve@gentoo.org 2006-06-14 08:43:36 0000 Based on comment #6, I have not touched the SPARC keywords from what they were when the ebuilds entered the tree. Do you folks want to work this like the kdm bug or would you like the arch maestros to keyword the ebuilds? jaervosz@gentoo.org 2006-06-14 09:04:23 0000 Jason please commit, we work directly in the tree on this one (see comment #9). weeve@gentoo.org 2006-06-14 09:17:37 0000 Ah missed that one. Thanks for the pointer :) SPARC is now stable. dertobi123@gentoo.org 2006-06-14 11:16:15 0000 (In reply to comment #14) > (In reply to comment #13) > > ppc stable > > > > You missed arts-3.4.3-r1 Oops ;) arts-3.4.3-r1 also ppc stable :) carlo@gentoo.org 2006-06-14 11:44:51 0000 Announcement is out, so the bug can be opened and arches cc'ed. jaervosz@gentoo.org 2006-06-14 12:30:55 0000 Arches please test and mark stable. tcort@gentoo.org 2006-06-15 09:17:29 0000 arts-3.4.3-r1 and arts-3.5.2-r1 stable on alpha and amd64. killerfox@gentoo.org 2006-06-17 03:50:23 0000 stable on hppa carlo@gentoo.org 2006-06-17 05:02:56 0000 Didn't want to wait forever on second pair of eyes. Stable on x86. jaervosz@gentoo.org 2006-06-17 06:18:14 0000 Thx Carsten. Ready for GLSA. Security please review draft. jaervosz@gentoo.org 2006-06-22 13:04:31 0000 GLSA 200606-22 ia64 don't forget to mark stable to benifit from the GLSA. 88621 2006-06-07 12:23 0000 arts-3.5.3.diff arts-3.5.3.diff text/plain SW5kZXg6IHNvdW5kc2VydmVyL2FydHN3cmFwcGVyLmMKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gc291bmRzZXJ2 ZXIvYXJ0c3dyYXBwZXIuYwkocmV2aXNpb24gNTQ2OTcwKQorKysgc291bmRzZXJ2ZXIvYXJ0c3dy YXBwZXIuYwkod29ya2luZyBjb3B5KQpAQCAtOTUsNiArOTUsMTAgQEAgaW50IG1haW4oaW50IGFy Z2MsIGNoYXIgKiphcmd2KQogI2Vsc2UKIAkJc2V0cmV1aWQoLTEsIGdldHVpZCgpKTsKICNlbmRp ZgorCQlpZiAoZ2V0ZXVpZCgpICE9IGdldHVpZCgpKSB7CisJCQlwZXJyb3IoInNldHVpZCgpIik7 CisJCQlyZXR1cm4gMjsKKwkJfQogCX0KIAogCWlmKGFyZ2MgPT0gMCkKSW5kZXg6IHNvdW5kc2Vy dmVyL2NyYXNoaGFuZGxlci5jYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBzb3VuZHNlcnZlci9jcmFzaGhhbmRs ZXIuY2MJKHJldmlzaW9uIDU0Njk3MCkKKysrIHNvdW5kc2VydmVyL2NyYXNoaGFuZGxlci5jYwko d29ya2luZyBjb3B5KQpAQCAtMTk2LDcgKzE5NiwxMiBAQCBDcmFzaEhhbmRsZXI6OmRlZmF1bHRD cmFzaEhhbmRsZXIgKGludCBzCiAgICAgICAgICAgYXJndltpKytdID0gTlVMTDsKIAogICAgICAg ICAgIHNldGdpZChnZXRnaWQoKSk7Ci0gICAgICAgICAgc2V0dWlkKGdldHVpZCgpKTsKKyAgICAg ICAgICBpZiAoZ2V0dWlkKCkgIT0gZ2V0ZXVpZCgpKQorICAgICAgICAgICAgc2V0dWlkKGdldHVp ZCgpKTsKKyAgICAgICAgICBpZiAoZ2V0dWlkKCkgIT0gZ2V0ZXVpZCgpKSB7CisJICAgIHBlcnJv cigic2V0dWlkKCkiKTsKKyAgICAgICAgICAgIGV4aXQoMjU1KTsKKyAgICAgICAgICB9CiAKICAg ICAgICAgICBleGVjdnAoY3Jhc2hBcHAsIGFyZ3YpOwogCg==