Summary: | app-admin/analog <6.0-r2 has an internal copy of bzip2-1.0.2 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ashutiwary, esigra, fmccor, jer |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 251464 |
Description
Diego Elio Pettenò (RETIRED)
2008-11-28 03:21:59 UTC
This could be vulnerable to GLSA 200804-02. I fixed that in app-admin/analog-6.0-r{2,3}. Only -r2 should go stable because the -r3 is EAPI=2. it was shipping 1.0.2, 30-Dec-2001 I was thinking of a scenario where log file input to analog is not trusted, but I noticed the /var/log/apache2 directory is writable for the apache user. So an attacker could place a CGI script and have the web server execute it, writing a crafted log file there. Other ideas? Arches, please test and mark stable: =app-admin/analog-6.0-r2 Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86" On sparc: 1) It does use -lbz2, but it also seems to use its internal version; 2) More seriously, it does not build at all: ======================== make[1]: Leaving directory `/var/tmp/portage/app-admin/analog-6.0-r2/work/analog-6.0/src/zlib' sparc-unknown-linux-gnu-gcc -O2 -mcpu=ultrasparc3 -pipe -o ../analog alias.o analog.o cache.o dates.o globals.o hash.o init.o init2.o input.o macinput.o macstuff.o output.o output2.o outcro.o outhtml.o outlatex.o outplain.o outxhtml.o outxml.o process.o settings.o sort.o tree.o utils.o win32.o libgd/gd.o libgd/gd_io.o libgd/gd_io_file.o libgd/gd_png.o libgd/gdfontf.o libgd/gdfonts.o libgd/gdtables.o libpng/png.o libpng/pngerror.o libpng/pngmem.o libpng/pngset.o libpng/pngtrans.o libpng/pngwio.o libpng/pngwrite.o libpng/pngwtran.o libpng/pngwutil.o pcre/pcre.o zlib/adler32.o zlib/compress.o zlib/crc32.o zlib/deflate.o zlib/gzio.o zlib/infblock.o zlib/infcodes.o zlib/inffast.o zlib/inflate.o zlib/inftrees.o zlib/infutil.o zlib/trees.o zlib/uncompr.o zlib/zutil.o unzip/ioapi.o unzip/unzip.o bzip2/bzlib.o bzip2/blocksort.o bzip2/compress.o bzip2/crctable.o bzip2/decompress.o bzip2/huffman.o bzip2/randtable.o -lgd -lz -lbz2 -lpcre -lm -lpng -ljpeg >>> Source compiled. >>> Test phase [none]: app-admin/analog-6.0-r2 >>> Install analog-6.0-r2 into /var/tmp/portage/app-admin/analog-6.0-r2/image/ category app-admin !!! dobin: analog does not exist * * ERROR: app-admin/analog-6.0-r2 failed. * Call stack: * ebuild.sh, line 49: Called src_install * environment, line 2140: Called die * The specific snippet of code: * dobin analog || die "dobin failed"; * The die message: * dobin failed ============================ As a cross-check, I note that on amd64 I see the identical failure. ppc64 same too.... it's looking for the 'analog' executable in the src/ dir but it is actually one dir up in my case. un-cc'ing arches then. Oh darn. I seem to have believed the Makefile comments. I should patch those too, I guess. :) I am changing the Makefile patch to not build or link to the bzip2/ objects. I fixed the patch and the ebuilds. OMG, is another revbump in order now? Arches, please test and mark stable: =app-admin/analog-6.0-r2 Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86" Now good on sparc. Sparc stable. Stable for HPPA. ppc64 done amd64/x86 stable ppc stable Stable on alpha. GLSA request filed. GLSA 200903-40 |