Bug#: 68407
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>
Attachment: openssl-0.9.7c-tempfile.patch (patch, 2.13 KB); description: Patch from RedHat bug; created by Thierry Carrez (RETIRED), 2004-10-21 08:08 0000

Description:   Opened: 2004-10-21 07:59 0000
CAN-2004-0975

The der_chop script in the openssl package in Trustix Secure Linux 1.5
through 2.1, and possibly other operating systems, allows local users
to overwrite files via a symlink attack on temporary files.

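The description above names the failure mode (a fixed temporary file name that a local user can pre-plant as a symlink) but not the code pattern behind it. The script below is an added example, not part of this bug or of the openssl patch attached to it: it shows the unsafe pattern next to the mktemp-based one, plus a pre-write check a packager can run on any script that writes under /tmp. The file name "der_chop.$$" and the function names are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from bug 68407 or from the openssl patch attached to it.
# Contrasts the temp-file pattern behind CAN-2004-0975 with a safe one and adds a
# small pre-write check. The name "der_chop.$$" is assumed for illustration only.

# Unsafe pattern: a predictable name plus a plain '>' redirection. open(2) with
# O_CREAT but without O_EXCL follows an existing symlink, so a symlink planted at
# this name beforehand turns the write into an overwrite of the link's target
# (the symlink attack in the bug's description).
unsafe_tmp_write() {
    f="${TMPDIR:-/tmp}/der_chop.$$"
    printf '%s\n' "$1" > "$f" || return 1
    printf '%s\n' "$f"
}

# Safe pattern: mktemp(1) picks an unpredictable name and creates the file with
# O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink at the chosen name makes
# creation fail instead of being followed.
safe_tmp_write() {
    f=$(mktemp "${TMPDIR:-/tmp}/der_chop.XXXXXX") || return 1
    printf '%s\n' "$1" > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Pre-write check for scripts that cannot be switched to mktemp: refuse any path
# that already exists, including a dangling symlink, which '-e' alone would miss.
# Returns 0 when the path is clean, 1 otherwise.
scratch_path_is_clean() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        return 1
    fi
    return 0
}

# Stand-alone demo: run as "sh this_script.sh demo".
if [ "${1:-}" = "demo" ]; then
    demo_dir=$(mktemp -d) || exit 1
    TMPDIR="$demo_dir"; export TMPDIR
    out=$(safe_tmp_write "demo payload") || exit 1
    echo "safe scratch file: $out"
    ls -l "$out"
    rm -rf "$demo_dir"
fi
```

The fix is the same one the attached patch applies in spirit: stop deriving the scratch name from something guessable and let the kernel refuse to create over an existing entry. The check function is useful during review of a package's installed scripts, since a script that passes a path through `scratch_path_is_clean` and then still uses `>` remains racy; only the O_EXCL creation closes the window.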
------- Comment #1 From Thierry Carrez (RETIRED) 2004-10-21 08:08:20 0000 -------
Created an attachment (id=42317) [details]
Patch from RedHat bug

Patch from RedHat

------- Comment #2 From Thierry Carrez (RETIRED) 2004-10-21 08:11:23 0000 -------
Our /etc/ssl/misc/der_chop is affected.
Its use looks deprecated. It should be patched or removed.

------- Comment #3 From Thierry Carrez (RETIRED) 2004-10-25 00:34:57 0000 -------
This is no-herd and aliz doesn't seem active ATM. Looks like we'll have to fix
this one ourselves.

If it's really deprecated (like they say on the RedHat bug), then it should
probably be removed rather than fixed.

------- Comment #4 From Thierry Carrez (RETIRED) 2004-10-30 09:25:40 0000 -------
Crypto herd: there is no sign from Aliz. I know openssl is technically
no-herd, but I thought you could help.

The idea is to patch or remove the der_chop script. Thanks in advance :)

------- Comment #5 From Thierry Carrez (RETIRED) 2004-11-05 06:23:35 0000 -------
Given patch applies cleanly to 0.9.7d-r1

------- Comment #6 From Thierry Carrez (RETIRED) 2004-11-05 07:16:55 0000 -------
Thx to dragonheart for the patch.
Arches please test and mark 0.9.7d-r2 stable

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-11-05 07:34:34 0000 -------
>>> md5 src_uri ;-) openssl-0.9.7d.tar.gz
>>> md5 src_uri ;-) openssl-0.9.6m.tar.gz
>>> Unpacking source...
>>> Unpacking openssl-0.9.7d.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
>>> Unpacking openssl-0.9.6m.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
 * Applying openssl-0.9.7c-tempfile.patch ...                                               [ ok ]
 * Applying openssl-0.9.7d-gentoo.diff ...                                                  [ ok ]
 * Applying openssl-0.9.7d-smime.patch ...                                                  [ ok ]
sed: -e expression #1, char 88: Unknown option to `s'

!!! ERROR: dev-libs/openssl-0.9.7d-r2 failed.
!!! Function src_unpack, Line 98, Exitcode 1
!!! sed failed
!!! If you need support, post the topmost build error, NOT this status message.

------- Comment #8 From Markus Rothe 2004-11-05 13:09:15 0000 -------
works for me (ebuild/patch and ssl itself).

stable on ppc64.

Markus

------- Comment #9 From Karol Wojtaszek (RETIRED) 2004-11-05 14:34:07 0000 -------
Stable on amd64

------- Comment #10 From Bryan Østergaard (RETIRED) 2004-11-05 17:46:49 0000 -------
Stable on alpha.

------- Comment #11 From Jason Wever (RETIRED) 2004-11-05 19:52:02 0000 -------
sparc'd

------- Comment #12 From Thierry Carrez (RETIRED) 2004-11-06 01:13:47 0000 -------
Security, please vote on GLSA need. I /think/ this doesn't warrant a GLSA
(der_chop being quite deprecated), but we issued other GLSAs for Netatalk's
etc2ps.sh and krb5's send-pr.sh... Maybe a grouped GLSA with the davfs and
groff ones?

------- Comment #13 From Sune Kloppenborg Jeppesen 2004-11-06 04:01:12 0000 -------
I vote for a grouped GLSA.

------- Comment #14 From Thierry Carrez (RETIRED) 2004-11-06 05:36:12 0000 -------
Waiting for davfs

------- Comment #15 From Joshua Kinard 2004-11-07 01:51:22 0000 -------
mips stable.

------- Comment #16 From Thierry Carrez (RETIRED) 2004-11-07 10:26:44 0000 -------
davfs will take too much time, issuing GLSA with only openssl and groff

------- Comment #17 From Thierry Carrez (RETIRED) 2004-11-08 02:50:46 0000 -------
GLSA 200411-15
arm hppa ia64 s390 : please mark stable to benefit from GLSA
