
Bug 167706

Summary: app-office/gnucash < 2.0.5 insecure temp file (CVE-2007-0007)
Product: Gentoo Security
Reporter: Matt Drew (RETIRED) <aetius>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: avuton, gnome-office+disabled, hkbst, seemant
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sourceforge.net/project/shownotes.php?release_id=487446
Whiteboard: B3 [noglsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on: 161781, 162010    
Bug Blocks:    
Attachments:
Description Flags
patch against 2.0.5 ebuild none
patched gnucash-2.0.5.ebuild none

Description Matt Drew (RETIRED) gentoo-dev 2007-02-20 01:02:46 UTC
http://secunia.com/advisories/24225/

Apparently a typical symlink attack.  Secunia says local privilege escalation - I have a hard time seeing that, but local user exploitation might be useful.  Fix is to update to 2.0.5 (their current stable).  I'll try to have a look at the exact vulnerability if I get a chance tomorrow.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2007-02-20 11:52:34 UTC
setting status.
Comment 2 Matt Drew (RETIRED) gentoo-dev 2007-03-04 00:53:38 UTC
Ok, 2.0.5 is in the tree, thanks seemant & dsd.  Arches, please stabilize 2.0.5.
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2007-03-04 01:47:35 UTC
This new version of gnucash pulls in these:
dev-scheme/guile-1.8.1-r3
dev-scheme/slib-3.1.1-r1
dev-libs/g-wrap-1.9.6-r3

most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today.. I'm not very comfortable with the idea of stabilizing it. Would it be possible to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4)?
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2007-03-04 09:30:49 UTC
(In reply to comment #3)
> most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today..
> I'm not very comfortable with the idea of stabilizing it. Would it be possible
> to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4)
> 

Then stabilize -r1 (which has been in the tree since Jan 25th), as gnucash-2.0.5 wants >=dev-scheme/guile-1.8.

For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started breaking ChangeLog format badly, which makes me uncomfortable.

For slib, x86 will stay with 3.1.1, which is currently marked stable, unless suggested otherwise by maintainers or security.

I'm off to test now.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2007-03-04 09:35:25 UTC
(In reply to comment #4)

I synced the tree again, and...

> Then stabilize -r1 (which has been in the tree since Jan 25th), as
> gnucash-2.0.5 wants >=dev-scheme/guile-1.8.

Gah, -r1 no longer in the tree.

> For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started
> breaking ChangeLog format badly, which makes me uncomfortable.

Same here, only -r3 available, in the tree for 2 days.

> For slib, x86 will stay with 3.1.1, which is currently marked stable, unless
> suggested otherwise by maintainers or security.

At least this still stands.

So, I'm joining Olivier in his worries about too new packages.
Comment 6 Marijn Schouten (RETIRED) gentoo-dev 2007-03-04 11:17:22 UTC
(In reply to comment #3)
> This new version of gnucash pulls in these:
> dev-scheme/guile-1.8.1-r3
there are still a few open bugs which are easy to fix by adding use flag checking for "deprecated" and for beast and geda depending on guile-1.6*.
All this stuff has been detected because guile-1.8.1 has been in the tree since 22 Jan 2007. Tests still fail though.

> dev-scheme/slib-3.1.1-r1
no reason not to stable. It installs some more files than slib-3.1.1 does, so it works with guile-1.6.8 also. 

> dev-libs/g-wrap-1.9.6-r3
The bug where reinstalling g-wrap broke it was only recently fixed. I've removed all versions which suffered from this. Tests still fail, probably because of missing guile lib. Gnucash is the only package depending on g-wrap.
G-wrap has been in the tree since 19 Jan 2007.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-08 10:56:01 UTC
g-wrap:

 * QA Notice: The following files contain executable stacks
 *  Files with executable stacks will not work properly (or at all!)
 *  on some architectures/operating systems.  A bug should be filed
 *  at http://bugs.gentoo.org/ to make sure the file is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include this file in your report:
 *  /var/tmp/portage/dev-libs/g-wrap-1.9.6-r3/temp/scanelf-execstack.log
 * RWX --- --- usr/lib/libffi.so.4.0.1

gnucash:

grep: /usr/lib/libguile-ltdl.la: No such file or directory
/bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory
libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive
make[4]: *** [libgw-core-utils.la] Error 1
make[4]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5'
make: *** [all] Error 2

!!! ERROR: app-office/gnucash-2.0.5 failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_compile
  ebuild.sh, line 971:   Called qa_call 'src_compile'
  environment, line 3517:   Called src_compile
  gnucash-2.0.5.ebuild, line 83:   Called die


[ebuild   R   ] dev-scheme/guile-1.8.1-r3  USE="deprecated discouraged elisp networking nls regex threads -debug -debug-freelist -debug-malloc" 0 kB 
[ebuild  N    ] app-office/gnucash-2.0.5  USE="chipcard doc hbci nls ofx quotes -debug" 0 kB 
Comment 8 Matthias Langer 2007-03-11 21:04:07 UTC
on x86 (and most likely any other arch):

"
# emerge -av =app-office/gnucash-2.0.5

These are the packages that would be merged, in order:

Calculating dependencies \
!!! Multiple versions within a single package slot have been 
!!! pulled into the dependency graph:

('ebuild', '/', 'dev-scheme/guile-1.6.7', 'merge') pulled in by
  ('ebuild', '/', 'dev-scheme/slib-3.1.1', 'merge')

('ebuild', '/', 'dev-scheme/guile-1.8.1-r3', 'merge') pulled in by
  ('ebuild', '/', 'dev-libs/g-wrap-1.9.6-r3', 'merge')

[...]
"
make sure that you don't have dev-scheme/guile installed when trying to reproduce.

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r5 i686)
=================================================================
System uname: 2.6.19-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 11 Mar 2007 18:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi aiglx alsa audiofile avahi beagle berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus dlloader dri dvd dvdr dvdread eds emboss encode evo exif fam fbcon ffmpeg firefox flac fortran gdbm gif ginac gmp gnome gnutls gphoto2 gpm gstreamer gtk gtk2 hal iconv icq ipod ipv6 isdnlog java javascript jpeg jpeg2k lcms ldap libg++ mad midi mikmod mime mmx mmxext mono mozsvg mp3 mpeg msn nautilus ncurses nfs nls nptl nptlonly nsplugin nvidia offensive ogg oggvorbis opengl pam pcre pdf perl plotutils png posix ppds pppd python qt3 qt4 quicktime readline real reflection ruby sdl session sockets spell spl sqlite3 sse ssl subtitles svg tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis win32codecs wma x86 xine xml xorg xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Marijn Schouten (RETIRED) gentoo-dev 2007-03-13 19:08:46 UTC
Created attachment 113206 [details, diff]
patch against 2.0.5 ebuild

I was able to compile with the following changes to gnucash-2.0.5.ebuild:

 RDEPEND=">=dev-libs/glib-2.4.0
-       >=dev-scheme/guile-1.8
-       =dev-scheme/slib-3.1.1*
+       ~dev-scheme/guile-1.6.8
+       =dev-scheme/slib-3.1.1-r1
        >=sys-libs/zlib-1.1.4
        >=dev-libs/popt-1.5
        >=x11-libs/gtk+-2.4
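Review bot: the new atom "~dev-scheme/guile-1.6.8" in RDEPEND replaces ">=dev-scheme/guile-1.8" outright, so a system that already has guile 1.8 installed can no longer satisfy the dependency and is forced to downgrade. If the intent is to let the ebuild build against 1.6.8 as well, an any-of group such as "|| ( >=dev-scheme/guile-1.8 ~dev-scheme/guile-1.6.8 )" would accept both. The slib line has the same issue in the other direction: "=dev-scheme/slib-3.1.1-r1" pins one exact revision where the old "=dev-scheme/slib-3.1.1*" matched any, and ">=dev-scheme/slib-3.1.1-r1" would leave room for later revisions.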
@@ -54,9 +54,9 @@
 pkg_setup() {
        built_with_use gnome-extra/libgsf gnome || die "gnome-extra/libgsf must be built with gnome"
        built_with_use x11-libs/goffice gnome || die "x11-libs/goffice must be built with gnome"
-       if ! built_with_use dev-scheme/guile regex deprecated discouraged; then
-               die "dev-scheme/guile must be built with USE=\"regex deprecated discouraged\""
-       fi
+#      if ! built_with_use dev-scheme/guile regex deprecated discouraged; then
+#              die "dev-scheme/guile must be built with USE=\"regex deprecated discouraged\""
+#      fi
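Review bot: in pkg_setup the guile built_with_use check is commented out rather than removed or adapted, which leaves dead code in the ebuild and means nothing verifies any longer that guile was built with the regex and deprecated flags. Either delete the three lines and record in the ChangeLog why the check is not needed for the guile version now depended on, or keep the check and point it at that version.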
Comment 10 Marijn Schouten (RETIRED) gentoo-dev 2007-03-13 19:10:32 UTC
Created attachment 113207 [details]
patched gnucash-2.0.5.ebuild

I had to re-emerge g-wrap after downgrading guile to make gnucash not fail to compile.
Comment 11 Marijn Schouten (RETIRED) gentoo-dev 2007-03-14 10:26:32 UTC
Also please don't check for discouraged flag when checking for deprecated flag already. It is implied.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-14 10:38:56 UTC
Also adding gnome-office, as they are in metadata.xml, too

With hkbst's changes it emerges and works.
Comment 13 Marijn Schouten (RETIRED) gentoo-dev 2007-03-14 11:28:43 UTC
(In reply to comment #7)
> gnucash:
> 
> grep: /usr/lib/libguile-ltdl.la: No such file or directory
> /bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory
> libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive

Since gnucash-2.0.5 is already in testing I take it not everybody is getting this. Is that correct?
Comment 14 Marijn Schouten (RETIRED) gentoo-dev 2007-03-20 18:40:42 UTC
I've created bug 171603 for my compile issues.
Comment 15 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-22 22:07:01 UTC
Sorry, but could I get a definitive list of what we should be doing here so we can move on this?

Thanks
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-25 08:10:45 UTC
(In reply to comment #15)
> Sorry, but could I get a definitive list of what we should be doing here so we
> can move on this?

+1

Also the ~ppc keyword (and alpha/ia64 ones ...)  has been dropped in >=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for it?
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 08:26:09 UTC
Ok, according to my understanding we need ppc, x86 and sparc to mark stable (see Status Whiteboard). If that is not possible we'll go back to ebuild status and ask maintainers for input.

Arches is it possible for you to mark stable?
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-25 22:34:12 UTC
(In reply to comment #17)
> Arches is it possible for you to mark stable?

 Not as long as guile 1.8 is requested by gnucash 2.0.5, as it fails with that on my system (see comment #7, but not with 1.6*) and version 1.8 has more issues with several other programs.
Comment 19 Marijn Schouten (RETIRED) gentoo-dev 2007-03-26 10:01:34 UTC
(In reply to comment #16)
> Also the ~ppc keyword (and alpha/ia64 ones ...)  has been dropped in
> >=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for
> it?

they've been dropped pending g-wrap rekeywording.
Comment 20 Marijn Schouten (RETIRED) gentoo-dev 2007-03-26 10:02:58 UTC
(In reply to comment #18)
> on my system (see comment #7, but not with 1.6*) and version 1.8 has more
> issues with several other programs.

Christian, try re-emerging g-wrap.
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-26 14:33:55 UTC
So hummm, what do we have to do here?
Comment 22 Matthias Langer 2007-03-27 00:42:54 UTC
on x86:

after several interruptions due to dependencies on particular USE flags and failed tests (see bug 163894, bug 164266) i was able to merge:

app-office/gnucash-2.0.5  USE="nls -chipcard -debug -doc -hbci -ofx -quotes" 

with

dev-libs/g-wrap-1.9.6-r3  
dev-scheme/guile-1.8.1-r3  USE="deprecated discouraged nls regex threads -debug -debug-freelist -debug-malloc -elisp -networking"

to be honest, i expected gnucash to immediately die with some sort of fatal error, and was quite a bit surprised as this didn't happen, but i was introduced to a rather big application, with a nice looking gui, that contained lots of buttons and menus i've no clue about. as i have never worked with a similar application before, don't own a bank or do some fancy stock market stuff, i couldn't do more than verify that i'm not able to crash the program with my unguided mouse clicks ;-)
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-27 06:40:04 UTC
Back to ebuild status to get an ebuild arches can mark stable.

Seemant/gnome-office, is it possible to backport the fix to our latest stable version?
Comment 24 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-27 08:14:48 UTC
So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my system with guile 1.8.  hkbst, could guile 1.8 go stable instead of backporting the patch?
Comment 25 Marijn Schouten (RETIRED) gentoo-dev 2007-03-27 08:29:37 UTC
(In reply to comment #24)
> So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my
> system with guile 1.8.  hkbst, could guile 1.8 go stable instead of backporting
> the patch?

My statements in comment #6 are still valid. I think it would be better to make gnucash also accept guile-1.6.8 and stabilize that version.
Comment 26 Seemant Kulleen (RETIRED) gentoo-dev 2007-03-27 13:18:29 UTC
done, but slib needs to go stable first now
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 06:11:26 UTC
Thx Seemant.

Arches please test and mark stable. Target keywords are:

dev-scheme/slib-3.1.1.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86"

Or later revisions.

gnucash-2.0.5.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86"

I hope this covers everything.
Comment 28 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-28 06:12:23 UTC
!!! ERROR: app-office/gnucash-2.0.5 failed.
Call stack:
  ebuild.sh, line 1630:   Called dyn_setup
  ebuild.sh, line 702:   Called qa_call 'pkg_setup'
  ebuild.sh, line 38:   Called pkg_setup
  gnucash-2.0.5.ebuild, line 57:   Called built_with_use
'=dev-scheme/guile-1.8*' 'regex' 'deprecated' 'discouraged'
  eutils.eclass, line 1654:   Called die

!!! Unable to resolve =dev-scheme/guile-1.8* to an installed package
!!! If you need support, post the topmost build error, and the call stack if
relevant.
!!! A complete build log is located at
'/var/tmp/portage/app-office/gnucash-2.0.5/temp/build.log'.

 seemant, the USE flag check is b0rked now.  If I have guile 1.6 the check will
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 08:07:07 UTC
Back to ebuild again it seems.

Seemant please fix and readd arches.
Comment 30 Marijn Schouten (RETIRED) gentoo-dev 2007-03-28 11:10:23 UTC
I've taken the liberty to fix the guile use flag checking and changed the slib dependency to a version that works with guile-1.6.8.
Comment 31 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-28 13:34:39 UTC
(In reply to comment #30)
> I've taken the liberty to fix the guile use flag checking and changed the slib
> dependency to a version that works with guile-1.6.8.

 Here we go again.

Comment 32 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 13:36:51 UTC
Great, then let's get arches rocking again.
Comment 33 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-28 15:04:53 UTC
x86 ends the endless odyssey
Comment 34 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-28 21:46:12 UTC
sparc stable.
Comment 35 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-31 10:50:47 UTC
gnucash-2.0.5 ~ppc'd for now, i'll mark it stable in a few days or so. If we're in a hurry I'm also fine with marking it stable right now as gnucash is working as expected, just tell me what you want me to do :P (but as this is "only" B3 i expect we have some time left for some testing efforts ..)
Comment 36 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-31 12:02:21 UTC
Tobias a few days is ok since we still need amd64 and alpha. Just post again on this bug when you mark it stable.
Comment 37 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-04 17:57:51 UTC
(In reply to comment #36)
> Tobias a few days is ok since we still need amd64 and alpha. Just post again on
> this bug when you mark it stable.
> 

ppc stable
Comment 38 Chris Gianelloni (RETIRED) gentoo-dev 2007-04-04 19:33:37 UTC
alpha/amd64 stable... can't get ia64 due to bug #162010 not being fixed just yet
Comment 39 Matt Drew (RETIRED) gentoo-dev 2007-04-05 17:48:22 UTC
Thanks everyone - security, please vote for GLSA.

I vote no - it's a local issue, and I have a hard time seeing lots of people running gnucash on a shared machine (although situations like LTSP would exist).
Comment 40 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-05 17:50:50 UTC
voting no as well.
Comment 41 Daniel Black (RETIRED) gentoo-dev 2007-04-06 02:06:55 UTC
concur with no vote.
Comment 42 Matt Drew (RETIRED) gentoo-dev 2007-04-06 11:28:00 UTC
updating status.
Comment 43 Raúl Porcel (RETIRED) gentoo-dev 2007-04-09 18:00:17 UTC
ia64 doesn't want gnucash/g-wrap anymore. Feel free to remove the old version of gnucash/g-wrap.
Comment 44 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:51:19 UTC
Vote no too and closing. Feel free to reopen if you disagree.