First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 52945
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
jaervosz: ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 52945 depends on: Show dependency tree
Bug 52945 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-06-03 21:58 0000 
I'm not completely sure that this affects the version in portage.

A format string vulnerability exists when tripwire generates an
email report (i.e. 'tripwire -m c -M'). 

More details on Bugtraq

http://www.securityfocus.com/archive/1/365036/2004-05-31/2004-06-06/0

------- Comment #1 From Dan Margolis (RETIRED) 2004-06-04 08:33:28 0000 ------- 
Tripwire has confirmed this vulnerability on bugtraq. ``I will endeavor to
patch the sourceforge code base as soon as possible. In the meantime, it is
strongly recommended that you apply Paul's patch and rebuild from source.''

------- Comment #2 From Sune Kloppenborg Jeppesen 2004-06-04 12:10:57 0000 ------- 
Tavis please apply the supplied patch in the Bugtraq link and bump the
ebuild(The patch has been approved by Tripwire). An official patch is coming
out soon. But there is currently no ETA for the official fix so we better use
the one Bugtraq one until then.

------- Comment #3 From Tavis Ormandy (RETIRED) 2004-06-04 12:40:43 0000 ------- 
fixed in cvs, tripwire-2.3.1.2-r1 has the patch

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-06-04 13:06:09 0000 ------- 
x86 please mark stable.

Target keywords: x86

------- Comment #5 From Jon Portnoy (RETIRED) 2004-06-04 13:20:41 0000 ------- 
Looks like the maintainer already did 8)

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-06-04 13:31:58 0000 ------- 
GLSA drafted ready to go when reviewed.

------- Comment #7 From Sune Kloppenborg Jeppesen 2004-06-04 13:49:03 0000 ------- 
GLSA good to go.

Koon will you do the honor along with the sitecopy GLSA?

------- Comment #8 From Sune Kloppenborg Jeppesen 2004-06-04 14:24:13 0000 ------- 
Taviso thanks for your quick resolution. Would you please also remove the
vulnerable ebuild from portage?

------- Comment #9 From Thierry Carrez (RETIRED) 2004-06-04 14:48:38 0000 ------- 
GLSA 200406-02

------- Comment #10 From Tavis Ormandy (RETIRED) 2004-06-05 11:33:58 0000 ------- 
no problem, old ebuilds removed
First Last Prev Next    No search results available      Search page      Enter new bug