<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>217229</bug_id>
          <alias>CVE-2008-1687</alias>
          <creation_ts>2008-04-10 22:52 0000</creation_ts>
          <short_desc>sys-devel/m4 &lt;1.4.11 mkstemp quoting and &quot;-F&quot; format string issue (CVE-2008-{1687,1688})</short_desc>
          <delta_ts>2008-04-21 08:03:02 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          <status_whiteboard>A4 [noglsa]</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>minor</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>rbu@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>jer@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-04-10 22:52:36 0000</bug_when>
            <thetext>CVE-2008-1687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1687):
  The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do
  not quote their output when a file is created, which might allow
  context-dependent attackers to trigger a macro expansion, leading to
  unspecified use of an incorrect filename.

CVE-2008-1688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1688):
  Unspecified vulnerability in GNU m4 before 1.4.11 might allow
  context-dependent attackers to execute arbitrary code, related to improper
  handling of filenames specified with the -F option.  NOTE: it is not clear
  when this issue crosses privilege boundaries.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-04-10 23:02:36 0000</bug_when>
            <thetext>CVE-2008-1687
http://git.sv.gnu.org/gitweb/?p=m4.git;a=commit;h=5345bb49077bfda9fabd048e563f9e7077fe335d

CVE-2008-1688
http://git.sv.gnu.org/gitweb/?p=m4.git;a=commit;h=035998112737e52cb229e342913ef404e5a51040

There have been concerns whether these would qualify as security vulnerabilities:
* For CVE-2008-1687, it requires that mkstemp will create a filename that matches a macro. An attacker could not influence that name, so it would lead to unspecified behaviour, which might lead to a vulnerability.
* For CVE-2008-1688, see the note on the CVE description.

We might want to go stable with 1.4.11 anyway, but I would consider this a low priority.
base-system, what do you think? Also, is 1.4.11 good to go?
</thetext>
          </long_desc>
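An added illustration of the mechanism behind CVE-2008-1687 as described in the two comments above (this is editor-supplied example code, not code from this bug report or from the GNU m4 project). In m4, text returned by a builtin is rescanned, so any word in an unquoted result that matches a defined macro gets expanded. mkstemp quotes its output from 1.4.11 on, so the script uses esyscmd, which still returns unquoted text, to stand in for the pre-fix behaviour, and mkstemp from a fixed m4 to show the quoted result. The macro name `tmp' and the template /tmp/fooXXXXXX are assumptions chosen for the demo; it requires a GNU m4 (1.4.11 or newer) and mktemp on PATH.

```shell
#!/bin/sh
# Added example, not code from this bug report or from GNU m4 itself.
# Shows why unquoted builtin output in m4 matters: text a builtin returns
# is rescanned, so any word in it that matches a defined macro is expanded.
# mkstemp has quoted its output since m4 1.4.11 (the fix tracked here);
# esyscmd still returns unquoted text, so it stands in for the pre-fix
# behaviour. Assumes a GNU m4 binary (1.4.11 or newer) on PATH.

# Run one m4 snippet with a macro named `tmp' predefined (-D) and print
# the expansion. The macro name `tmp' is an assumption for this demo: the
# directory part of a template like /tmp/fooXXXXXX is not random, so it
# is the piece of an unquoted result that a defined macro can collide with.
expand_with_tmp_macro() {
    printf '%s\n' "$1" | m4 -Dtmp=OOPS
}

# Unquoted builtin output: the path /tmp/fooXXXXXX comes back rescanned
# and the directory component is replaced by the macro body.
unquoted_result() {
    expand_with_tmp_macro "esyscmd(\`printf /tmp/fooXXXXXX')"
}

# Quoted builtin output (mkstemp, 1.4.11+): the created file name is
# returned inside m4 quotes, so the rescan leaves it untouched even
# though the same macro is defined. The temp dir is removed afterwards.
quoted_result() {
    dir=$(mktemp -d) || return 1
    out=$(expand_with_tmp_macro "mkstemp(\`$dir/fooXXXXXX')")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Returns 0 when the quoted path survived intact (no macro expansion
# and the XXXXXX suffix was actually replaced by mkstemp).
quoted_is_intact() {
    case "$(quoted_result)" in
        *OOPS*) return 1 ;;
        */fooXXXXXX) return 1 ;;
        */foo*) return 0 ;;
        *) return 1 ;;
    esac
}

if command -v m4 >/dev/null 2>/dev/null; then
    printf 'unquoted (esyscmd): %s\n' "$(unquoted_result)"
    printf 'quoted (mkstemp):   %s\n' "$(quoted_result)"
fi
```

Running it prints /OOPS/fooXXXXXX for the unquoted case and the untouched temporary file path for the quoted one; the only difference between the two is whether the builtin wrapped its result in quotes before handing it back to the rescanner.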
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2008-04-11 01:16:25 0000</bug_when>
            <thetext>stabilizing m4-1.4.11 should be fine</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-04-11 01:21:57 0000</bug_when>
            <thetext>Arches, please test and mark stable:
=sys-devel/m4-1.4.11
Target keywords : &quot;alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86&quot;
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>armin76@gentoo.org</who>
            <bug_when>2008-04-11 09:50:46 0000</bug_when>
            <thetext>alpha/ia64/sparc/x86 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>coldwind@gentoo.org</who>
            <bug_when>2008-04-11 10:02:13 0000</bug_when>
            <thetext>amd64 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>corsair@gentoo.org</who>
            <bug_when>2008-04-11 15:25:15 0000</bug_when>
            <thetext>ppc64 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jer@gentoo.org</who>
            <bug_when>2008-04-12 15:13:58 0000</bug_when>
            <thetext>test-strtod.c:667: assertion failed
test-strtod.c:668: assertion failed
test-strtod.c:688: assertion failed
test-strtod.c:717: assertion failed
test-strtod.c:718: assertion failed
FAIL: test-strtod

Lines 667 and 668:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.5, OSF/1 5.1, mingw */
# endif
    ASSERT (ptr1 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Line 688:
    ASSERT (ptr == input + 6);          /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Lines 717 and 718:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.5, OSF/1 5.1, mingw */
# endif
    ASSERT (ptr1 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

It says not to worry, but then you find yourself doing it anyway. Any comments from base-system?

Sat Apr 12 17:09:05 CEST 2008
Portage 2.1.5_rc2 (default-linux/hppa/2007.0, gcc-4.1.2, glibc-2.7-r2, 2.6.24-gentoo-r3-JeR parisc)
=================================================================
System uname: 2.6.24-gentoo-r3-JeR parisc PA8700 (PCX-W2)
Timestamp of tree: Sat, 12 Apr 2008 04:22:01 +0000
distcc 2.18.3 hppa2.0-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS=&quot;hppa&quot;
CBUILD=&quot;hppa2.0-unknown-linux-gnu&quot;
CFLAGS=&quot;-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall&quot;
CHOST=&quot;hppa2.0-unknown-linux-gnu&quot;
CONFIG_PROTECT=&quot;/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/spool/torque /var/www/localhost/htdocs/wordpress/wp-config.php&quot;
CONFIG_PROTECT_MASK=&quot;/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d&quot;
CXXFLAGS=&quot;-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall&quot;
DISTDIR=&quot;/keeps/gentoo/distfiles&quot;
FEATURES=&quot;autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch&quot;
GENTOO_MIRRORS=&quot;http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://mirror.muntinternet.net/pub/gentoo/ http://gentoo.tiscali.nl/&quot;
LC_ALL=&quot;en_US.UTF-8&quot;
LDFLAGS=&quot;&quot;
LINGUAS=&quot;en nl he&quot;
MAKEOPTS=&quot;-j4&quot;
PKGDIR=&quot;/keeps/gentoo/packages/elmer&quot;
PORTAGE_RSYNC_OPTS=&quot;--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages&quot;
PORTAGE_TMPDIR=&quot;/mnt/alt/portage-tmp&quot;
PORTDIR=&quot;/keeps/gentoo/portage&quot;
PORTDIR_OVERLAY=&quot;/keeps/gentoo/local&quot;
SYNC=&quot;rsync://rsync.europe.gentoo.org/gentoo-portage&quot;
USE=&quot;7zip X Xaw3d a52 aac aalib accessibility ads alsa amr amrnb amrwb ao aoss apache2 ares arts asf async asyncns audiofile audit automount avfs bash-completion berkdb bidi bittorrent bl bluetooth bzip2 c++ cairo caps catalogs cblas cdb cddb cdparanoia cdr chardet cjk cli cpudetection cracklib crypt cups curl custom-cflags dbtool dbus device-mapper dga dia directfb djbfft domainkeys dts dv dvd dvdr dvdread dxr3 edl elf emacs enca encode esd examples exif expat fam fame fastbuild fastcgi fbcon ffmpeg filter flac fontconfig foomaticdb fortran ftp gadu galago gd gdbm geoip ggi gif gimp gimpprint glep glib glut gmp gnome gnutls gphoto2 gpm gs gsl gtk gtk2 gtkhtml hal hesiod hppa ical icecast iconv idea idn imagemagick imlib immqt-bc inquisitio ipv6 isdnlog jack javascript jingle jpeg jpeg2k kde kerberos lapack lcms ldap leim libcaca libnotify libsamplerate libwww live logrotate logwatch lua lzo mad matroska memcache mhash midi mikmod mmap mng modplug motif mozbranding mp3 mpi mssql mudflap musepack mysql nas ncurses netpbm network-cron nfconntrack nfs nls nntp nptl nptlonly nsplugin offensive ogg openexr opengl openmp oss ots overlays pam pango pbs pch pcre pdf pdo-external perl php pic plotutils plugins png portage portaudio postgres povray ppds pppd pulseaudio python pyzord qdbm qt3 qt3support quotas raw readline recode reflection rpc rrdtool rtc ruby samba sasl scanner scim sdl seamonkey server session sid slang slp sms sndfile snmp soundex speex spell spl sqlite ssl startup-notification suhosin svg swat sysfs syslog talkfilters tcl tcpd test tga theora threads thunar-vfs tidy tiff timidity tk tools truetype twolame udev unicode unzip urandom usb userlocales utempter utf v4l v4l2 vanim vcd vidix vim-syntax vorbis wavpack webdav webinstall winbind wlan wma wmf xanim xattr xchattext xcomposite xface xml xml2 xmpi xorg xpm xrandr xscreensaver xsettings xulrunner xv xvid xvmc zip zip-external zlib&quot; ALSA_CARDS=&quot;ad1889 usb-audio&quot; 
ALSA_PCM_PLUGINS=&quot;adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol&quot; APACHE2_MODULES=&quot;actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias&quot; ELIBC=&quot;glibc&quot; INPUT_DEVICES=&quot;keyboard mouse evdev joystick&quot; KERNEL=&quot;linux&quot; LCD_DEVICES=&quot;bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text&quot; LINGUAS=&quot;en nl he&quot; USERLAND=&quot;GNU&quot; VIDEO_CARDS=&quot;stifb fbdev matrox&quot;
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dertobi123@gentoo.org</who>
            <bug_when>2008-04-12 17:59:37 0000</bug_when>
            <thetext>ppc stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2008-04-12 18:30:24 0000</bug_when>
            <thetext>that isn't a bug in m4, so it should be fine to stabilize</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jer@gentoo.org</who>
            <bug_when>2008-04-13 05:09:15 0000</bug_when>
            <thetext>(In reply to comment #9)
&gt; that isn't a bug in m4, so it should be fine to stabilize

OK. Want a new bug for that? Oh, and after tests, it of course wouldn&apos;t ever do make check through src_test() this way...

Stable for HPPA.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-04-14 01:05:17 0000</bug_when>
            <thetext>GLSA vote: I vote NO based on the fact that the vulnerabilities are probably not exploitable, see comment 2.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>py@gentoo.org</who>
            <bug_when>2008-04-14 08:51:48 0000</bug_when>
            <thetext>no too, and closing.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>pva@gentoo.org</who>
            <bug_when>2008-04-21 08:03:02 0000</bug_when>
            <thetext>Fixed in release snapshot.</thetext>
          </long_desc>
      
    </bug>

</bugzilla>