Bug 93784 - dev-ml/ocaml-mysql includes tempfile-vulnerable shtool
Bug#: 93784
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Other
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: zataz@zataz.net
Component: Vulnerabilities
Summary: dev-ml/ocaml-mysql includes tempfile-vulnerable shtool
Status Whiteboard: B3 [glsa]
Opened: 2005-05-24 03:09 0000

Hello,
ocaml-mysql is using a vulnerable version of shtool.
ocaml-mysql-1.0.3/etc/shtool
Regards.

Romang, did you contact upstream for this? Or do you wait on shtool devs?

Hello,
If shtool is corrected then we can contact upstream?
What do you think about it?
Regards.

I would say we should forward them the same fix tigger wrote for shtool.

Eric, did you forward upstream the fix yet?

ml herd: please patch the included shtool with the fix from bug 93782

Hello,
Yes upstream is informed.
Regards.

Hmm we should wait for a more complete patch. Stay tuned...

Should be fixed in CVS now.

Thx Matthieu. We'll close this when the GLSA is out.

This new patch fails on my system:
>>> Source unpacked.
* Applying ocaml-mysql-1.0.3-head.patch ... [ ok ]
* Applying ocaml-mysql-1.0.3-shtool.patch ...
* Failed Patch: ocaml-mysql-1.0.3-shtool.patch !
* ( /usr/portage/dev-ml/ocaml-mysql/files/ocaml-mysql-1.0.3-shtool.patch )
*
* Include in your bugreport the contents of:
*
* /var/tmp/portage/ocaml-mysql-1.0.3-r1/temp/ocaml-mysql-1.0.3-shtool.patch-13375.out
!!! ERROR: dev-ml/ocaml-mysql-1.0.3-r1 failed.
!!! Function epatch, Line 359, Exitcode 0
!!! Failed Patch: ocaml-mysql-1.0.3-shtool.patch!
!!! If you need support, post the topmost build error, NOT this status message.
Exit 1
sh.common doesn't exist:
ls -al /var/tmp/portage/ocaml-mysql-1.0.3-r1/work/ocaml-mysql-1.0.3/
total 273
drwxr-xr-x 4 root root 616 Jan 27 2004 .
drwx------ 3 root root 88 Aug 1 11:51 ..
-rw-r--r-- 1 root root 1931 Jan 27 2004 .ocmysql.prcs_aux
-rw-r--r-- 1 root root 3065 Jan 27 2004 CHANGES
-rw-r--r-- 1 root root 26536 Jan 27 2004 COPYING
-rw-r--r-- 1 root root 138 Jan 27 2004 META
-rw-r--r-- 1 root root 142 Jan 27 2004 META.in
-rw-r--r-- 1 root root 124 Jan 27 2004 Makefile.conf
-rw-r--r-- 1 root root 410 Jan 27 2004 Makefile.in
-rw-r--r-- 1 root root 23881 Jan 27 2004 OCamlMakefile
-rw-r--r-- 1 root root 3139 Jan 27 2004 README
-rw-r--r-- 1 root root 50 Jan 27 2004 VERSION
-rwxr-xr-x 1 root root 113197 Jan 27 2004 configure
-rw-r--r-- 1 root root 1686 Jan 27 2004 configure.in
-rw-r--r-- 1 root root 1692 Jan 27 2004 demo.ml
drwxr-xr-x 3 root root 72 Jan 27 2004 doc
drwxr-xr-x 2 root root 216 Aug 1 11:51 etc
-rwxr-xr-x 1 root root 5598 Jan 27 2004 install-sh
-rw-r--r-- 1 root root 22689 Jan 27 2004 mysql.ml
-rw-r--r-- 1 root root 15094 Jan 27 2004 mysql.mli
-rw-r--r-- 1 root root 14498 Jan 27 2004 mysql_stubs.c
-rw-r--r-- 1 root root 2583 Jan 27 2004 ocmysql.prj
Which file was that patch supposed to be applied to?

I can confirm it's broken. It's not a security bug though, so you should open a
new bug (critical/blocker) saying ocaml_mysql stable can't be emerged currently.
You can assign it to mattam@gentoo.org and/or the ml@gentoo.org herd.