93784 2005-05-24 03:09 0000 dev-ml/ocaml-mysql includes tempfile-vulnerable shtool 2005-08-02 02:12:25 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Other RESOLVED FIXED B3 [glsa] P2 minor --- 93782 1 zataz@zataz.net security@gentoo.org ml@gentoo.org zataz@zataz.net 2005-05-24 03:09:31 0000 Hello, ocan-mysql is using a vulnerable version off shtool. ocaml-mysql-1.0.3/etc/shtool Regards. koon@gentoo.org 2005-05-24 05:22:29 0000 Romang, did you contact upstream for this ? Or do you wait on shtool devs ? zataz@zataz.net 2005-05-24 06:00:04 0000 Hello, If shtool is corrected then we can contact upstream ? What did you think about. Regards. koon@gentoo.org 2005-05-24 12:25:20 0000 I would say we should forward them the same fix tigger wrote for shtool. koon@gentoo.org 2005-05-26 03:10:43 0000 Eric, did you forward upstream the fix yet ? ml herd: please patch the included shtool with the fix from bug 93782 zataz@zataz.net 2005-05-26 03:32:39 0000 Hello, Yes upstream is informed. Regards. koon@gentoo.org 2005-05-29 03:43:53 0000 Hmm we should wait for a more complete patch. Stay tuned... mattam@gentoo.org 2005-05-31 06:59:34 0000 I'm waiting... taviso@gentoo.org 2005-05-31 07:16:18 0000 (In reply to comment #7) > I'm waiting... please use attachment 60117 mattam@gentoo.org 2005-06-02 08:14:02 0000 Should be fixed in CVS now. koon@gentoo.org 2005-06-02 09:16:26 0000 Thx Matthieu. We'll close this when the GLSA will be out. koon@gentoo.org 2005-06-11 10:47:54 0000 GLSA 200506-08 jesse@wingnet.net 2005-08-01 09:04:43 0000 This new patch fails on my system: >>> Source unpacked. * Applying ocaml-mysql-1.0.3-head.patch ... [ ok ] * Applying ocaml-mysql-1.0.3-shtool.patch ... * Failed Patch: ocaml-mysql-1.0.3-shtool.patch ! * ( /usr/portage/dev-ml/ocaml-mysql/files/ocaml-mysql-1.0.3-shtool.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/ocaml-mysql-1.0.3-r1/temp/ocaml-mysql-1.0.3-shtool.patch-13375.out !!! ERROR: dev-ml/ocaml-mysql-1.0.3-r1 failed. !!! Function epatch, Line 359, Exitcode 0 !!! Failed Patch: ocaml-mysql-1.0.3-shtool.patch! !!! If you need support, post the topmost build error, NOT this status message. Exit 1 sh.common doesn't exist: ls -al /var/tmp/portage/ocaml-mysql-1.0.3-r1/work/ocaml-mysql-1.0.3/ total 273 drwxr-xr-x 4 root root 616 Jan 27 2004 . drwx------ 3 root root 88 Aug 1 11:51 .. -rw-r--r-- 1 root root 1931 Jan 27 2004 .ocmysql.prcs_aux -rw-r--r-- 1 root root 3065 Jan 27 2004 CHANGES -rw-r--r-- 1 root root 26536 Jan 27 2004 COPYING -rw-r--r-- 1 root root 138 Jan 27 2004 META -rw-r--r-- 1 root root 142 Jan 27 2004 META.in -rw-r--r-- 1 root root 124 Jan 27 2004 Makefile.conf -rw-r--r-- 1 root root 410 Jan 27 2004 Makefile.in -rw-r--r-- 1 root root 23881 Jan 27 2004 OCamlMakefile -rw-r--r-- 1 root root 3139 Jan 27 2004 README -rw-r--r-- 1 root root 50 Jan 27 2004 VERSION -rwxr-xr-x 1 root root 113197 Jan 27 2004 configure -rw-r--r-- 1 root root 1686 Jan 27 2004 configure.in -rw-r--r-- 1 root root 1692 Jan 27 2004 demo.ml drwxr-xr-x 3 root root 72 Jan 27 2004 doc drwxr-xr-x 2 root root 216 Aug 1 11:51 etc -rwxr-xr-x 1 root root 5598 Jan 27 2004 install-sh -rw-r--r-- 1 root root 22689 Jan 27 2004 mysql.ml -rw-r--r-- 1 root root 15094 Jan 27 2004 mysql.mli -rw-r--r-- 1 root root 14498 Jan 27 2004 mysql_stubs.c -rw-r--r-- 1 root root 2583 Jan 27 2004 ocmysql.prj Which file was that patch supposed to be applied to? koon@gentoo.org 2005-08-02 02:12:25 0000 I can confirm it's broken. It's not a security bug though, so you should open a new bug (critical/blocker) saying ocaml_mysql stable can't be emerged currently. You can assign it to mattam@gentoo.org and/or the ml@gentoo.org herd.