CAN-2004-0969 The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
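The class of bug described above, as an added example (not code from groffer, the Debian patch, or this bug report): a shell script that writes to a predictable temp name follows a symlink already present at that path, while a mktemp -d directory plus noclobber redirection does not. All function and file names are hypothetical, and the demo runs only inside its own private directory.

```shell
#!/bin/sh
# Added illustration: constructed demo confined to its own private directory.
# Function and file names are hypothetical, not taken from groffer.sh.

# Hardened: private, unpredictably named directory created with mode 0700.
private_tmpdir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX" )
}

# Weak pattern: predictable name (PID suffix) and a plain redirection,
# which follows any symlink already sitting at that path.
weak_write() {      # $1 = directory, $2 = data
    echo "$2" > "$1/tool.$$"
}

# Hardened: with noclobber the shell refuses to overwrite an existing regular
# file (also when reached through a symlink) and creates new files with O_EXCL.
excl_write() {      # $1 = path, $2 = data
    ( set -C; echo "$2" > "$1" ) 2>/dev/null
}

# Build the sandbox: a file standing in for a user's data, plus a link that
# occupies the predictable temp name. Prints the sandbox path.
make_sandbox() {
    d=$(private_tmpdir) || return 1
    echo original > "$d/victim"
    ln -s "$d/victim" "$d/tool.$$"
    echo "$d"
}

victim_state() {    # $1 = sandbox; prints intact or clobbered
    if [ "$(cat "$1/victim")" = original ]; then echo intact; else echo clobbered; fi
}

demo_weak() {
    d=$(make_sandbox) || return 1
    weak_write "$d" "temp data"
    victim_state "$d"; rm -rf "$d"
}

demo_hardened() {
    d=$(make_sandbox) || return 1
    if excl_write "$d/tool.$$" "temp data"; then w=written; else w=refused; fi
    echo "$w/$(victim_state "$d")"; rm -rf "$d"
}

echo "weak: $(demo_weak)  hardened: $(demo_hardened)"
```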
Patch on RedHat bug doesn't apply to our groffer either... but it looks vulnerable nevertheless. Maybe we should wait for RedHat to patch and see if it applies?
The 1.19 patch posted on the RedHat bug (see URL) should apply to 1.19-r1. Then we could push 1.19 to stable on all arches. It's probably simpler than backporting the fix for 1.18. base-system/vapier: please have a look :)
umm, we don't have 1.19-r1, we have 1.19.1-r1 ... and don't lie to me, but that patch doesn't even come CLOSE to applying cleanly to 1.19.1-r1 ;) i just moved 1.19.1-r1 to stable for unrelated reasons, and many other arches already have it as stable ... current KEYWORDS: KEYWORDS="alpha amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86" figure out what you wanna do :)
heh, blame Mark Cox :)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278265 Debian bug report with backported patch
Created attachment 43158: Patch from Debian
Patch from Debian bug. Applies correctly:
patching file contrib/groffer/groffer.sh
Hunk #1 succeeded at 3217 (offset -11 lines).
i assume that's for groff-1.18.1 ... why should we bother? groff-1.19.1 looks like this now: groff-1.19.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ~ppc ~ppc64 s390 sparc x86"
No, the patch applies to 1.19.1-r1 AFAICT 1.19.1-r1 is still vulnerable, that's why we should care.
touche salesman groff-1.19.1-r2 now in cvs with aforementioned patch
Arches please test and mark stable. Note that the only difference with 1.19.1-r1 (for those arches having that version stable) is the tempfile handling in the groffer utility.
Stable on alpha.
sparc stable.
Please apply this fix to 1.18 too. multibyte patch for 1.19 is not yet released.
groff-1.19.1-r2 is now tested and marked stable on ppc64. Markus
stable on amd64
if someone posts a patch that'll apply cleanly to 1.18.1-r4 i'll add a 1.18.1-r5
moved arm/hppa/ia64/s390/x86 to stable with 1.19.1-r2
ppc stable
Stable on mips.
ppc64 is stable... ppc64: please remove yourself from Cc when you mark stable. Security, please vote on GLSA need. Maybe a grouped GLSA with the davfs and openssl ones?
Created attachment 43389: groff-1.18.1.1.ebuild
groff-1.18.1.1.ebuild with updated Debian patch.
I vote for a grouped GLSA on this one as well.
waiting on davfs2 x86 stable
davfs will take too much time, issuing GLSA with only openssl and groff
GLSA 200411-15