Bug 34294

Summary: iproute patch closes a locally-exploitable denial of service
Product: Gentoo Security Reporter: Andrea Barisani (RETIRED) <lcars>
Component: GLSA Errors Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: blocker CC: gen2daniel
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://rhn.redhat.com/errata/RHSA-2003-316.html
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: iproute netlink security patch
updated ebuild
filesdir patch

Description Andrea Barisani (RETIRED) gentoo-dev 2003-11-24 15:25:17 UTC
From RedHat advisory:

Herbert Xu reported that iproute can accept spoofed messages sent on the
kernel netlink interface by other users on the local machine.  This could
lead to a local denial of service attack.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to
this issue.

I'm attaching the RedHat patch.

Reproducible: Always
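The advisory quoted above describes a netlink client accepting messages that other local users spoofed. The following is an added example, not the attached Red Hat patch or iproute's own code, of the usual receiver-side check: drop any datagram whose source address is not the kernel (netlink port ID 0) and skip messages that do not match the local port ID and request sequence number. The names `count_trusted_msgs` and `demo`, and the sample values, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Returns how many messages in buf may be processed, or -1 if the whole
 * datagram must be dropped because it did not come from the kernel. */
int count_trusted_msgs(const struct sockaddr_nl *from, socklen_t fromlen,
                       const void *buf, int len,
                       uint32_t local_pid, uint32_t expect_seq)
{
    /* The kernel's netlink port ID is 0; user sockets get a nonzero one.
     * from/fromlen are what recvmsg() returned in msg_name/msg_namelen. */
    if (fromlen != sizeof(*from) || from->nl_family != AF_NETLINK ||
        from->nl_pid != 0)
        return -1;

    int ok = 0;
    const struct nlmsghdr *h = buf;
    for (; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
        /* Skip replies not addressed to our socket or our request. */
        if (h->nlmsg_pid != local_pid || h->nlmsg_seq != expect_seq)
            continue;
        ok++;
    }
    return ok;
}

/* Constructed sample: one datagram holding two header-only messages,
 * claimed to come from netlink port ID sender_pid. */
int demo(uint32_t sender_pid)
{
    struct sockaddr_nl from;
    struct nlmsghdr msgs[2];
    memset(&from, 0, sizeof(from));
    memset(msgs, 0, sizeof(msgs));
    from.nl_family = AF_NETLINK;
    from.nl_pid = sender_pid;
    msgs[0].nlmsg_len = NLMSG_HDRLEN; msgs[0].nlmsg_pid = 1000; msgs[0].nlmsg_seq = 7;
    msgs[1].nlmsg_len = NLMSG_HDRLEN; msgs[1].nlmsg_pid = 1000; msgs[1].nlmsg_seq = 6; /* stale seq */
    return count_trusted_msgs(&from, sizeof(from), msgs, (int)sizeof(msgs), 1000, 7);
}

int main(void)
{
    printf("from kernel: %d, from local user: %d\n", demo(0), demo(4242));
    return 0;
}
```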
Comment 1 Andrea Barisani (RETIRED) gentoo-dev 2003-11-24 15:26:20 UTC
Created attachment 21221 [details, diff]
iproute netlink security patch
Comment 2 solar (RETIRED) gentoo-dev 2003-12-10 15:09:48 UTC
Andrea,
Please add this patch to iproute if it's needed and package mask older versions.
Also please inform arch herds if they need to mark stable where applicable.
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2004-03-30 04:25:03 UTC
Unfortunately this bug is really old, I'll handle it this week.
Comment 4 Andrea Barisani (RETIRED) gentoo-dev 2004-04-06 07:17:22 UTC
This bug was apparently acknowledged only by RedHat, I'm attaching an updated
ebuild + patch. I've tested it and it works fine. Could someone review this and
commit the update?

Anyway I don't think that we need a GLSA for this. 
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2004-04-06 07:18:41 UTC
Created attachment 28787 [details]
updated ebuild
Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2004-04-06 07:19:53 UTC
Created attachment 28788 [details, diff]
filesdir patch
Comment 7 SpanKY gentoo-dev 2004-04-06 08:11:34 UTC
added the patch to iproute-20010824-r5
Comment 8 Andrea Barisani (RETIRED) gentoo-dev 2004-04-06 15:29:20 UTC
Thanks vapier.  Please everybody test the new ebuild and mark it stable when ready.
Comment 9 SpanKY gentoo-dev 2004-04-06 15:39:51 UTC
when building against 2.4 headers we see Bug 46978 ... i'm tracking it down now
Comment 10 SpanKY gentoo-dev 2004-04-06 21:02:28 UTC
Bug 46978 has been squashed so we can start pushing at arch maintainers ...

i tested it on my x86/hppa/mips/sparc and they all worked ...

could someone from ppc/alpha/amd64 test -r5 and make sure it's happy please ?
Comment 11 Andrea Barisani (RETIRED) gentoo-dev 2004-04-06 23:16:09 UTC
Works fine for me on ppc.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-07 03:12:06 UTC
Works fine on alpha.
Comment 13 Jon Portnoy (RETIRED) gentoo-dev 2004-04-07 07:13:56 UTC
Stable on AMD64.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:20:43 UTC
OK so we're ready for a GLSA, if one is needed. Changing product/component.

-K
Comment 15 Andrea Barisani (RETIRED) gentoo-dev 2004-04-07 08:40:02 UTC
It's still marked unstable on ppc and alpha. btw I vote against a GLSA, any comments?
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:51:55 UTC
Setting component to Security as this is a vulnerability.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-07 10:48:37 UTC
Marked stable on Alpha.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 13:04:14 UTC
The vuln is 5 months old and not very severe (DoS by very determined local users, only on systems having iproute installed). I also vote against a GLSA for this one.

-K
Comment 19 SpanKY gentoo-dev 2004-04-07 15:57:46 UTC
it's your call daddy-o
Comment 20 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 01:14:55 UTC
the bug may be old, but our arches were still vulnerable to it until just a couple days ago.  Thus, I think we need to issue a GLSA for this one.
Comment 21 solar (RETIRED) gentoo-dev 2004-04-08 01:19:42 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0856
As of now it's still currently under review and has no votes. 
Is anybody aware of any other vendors doing sec announcements for this?
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-04-09 06:01:25 UTC
GLSA 200404-10 published.
Comment 23 SpanKY gentoo-dev 2004-04-18 22:04:57 UTC
*** Bug 48290 has been marked as a duplicate of this bug. ***