Summary: | app-arch/hardlink-fedora: nambuf1 and nambuf2 buffer overflows (CVE-2011-{3630,3631,3632}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Harrison <n0idx80> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | trivial | CC: | robbat2, ssuominen |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/hardlink/ | ||
Whiteboard: | ~3 [ebuild] | ||
Package list: | | Runtime testing required: | --- |
Description
Michael Harrison
2011-10-16 06:15:41 UTC
CVE-2011-3630 hardlink buffer overflows
https://bugzilla.redhat.com/show_bug.cgi?id=746709

CVE-2011-3631 hardlink integer overflows
https://bugzilla.redhat.com/show_bug.cgi?id=746710

CVE-2011-3632 hardlink symlink attacks
https://bugzilla.redhat.com/show_bug.cgi?id=746713

See hardlink.c here:
http://pkgs.fedoraproject.org/gitweb/?p=hardlink.git;a=tree

Which is a completely different program than hardlink from here:
http://jak-linux.org/projects/hardlink/

Plus the hardlink in openwall seems to be a third variant but also not the same.

Anyway, the version 0.2.0 hardlink from the jak-linux site is now in Portage as app-arch/hardlink and I doubt this security bug has *anything* to do with it at all. I suggest to close "INVALID". Agreed?

The git for the app-arch/hardlink in tree seems to be here:
http://anonscm.debian.org/gitweb/?p=users/jak/hardlink.git;a=summary

This at least mentions closing of CVE-2011-3632:
http://anonscm.debian.org/gitweb/?p=users/jak/hardlink.git;a=commit;h=fc4da208525366aba289c7a150eb8a7d304d2238

And after that a commit like "Rewrite hardlink in C":
http://anonscm.debian.org/gitweb/?p=users/jak/hardlink.git;a=commit;h=bc0a8d544e3866a6ba62ea5f1bf7b8da6e616c11

And a 0.2.0 release a few commits after that...

Since this was never stable, I guess this could be closed as "FIXED" too.

Please, ignore my last comments entirely. I've done a bit more research and got it right now:

The app-arch/hardlink-0.1.1 we had was Python, and the app-arch/hardlink-0.2.0 is C. Neither of these were the hardlink this bug was filed about. So this would make this bug INVALID.

But today, I've committed app-arch/hardlink-fedora to Portage which actually is the same hardlink we are talking about in this bug, so adjusting $summary now.

And I've checked that the fixes for these security bugs, close(fd)'s, are included in the upstream app-arch/hardlink-fedora source already.

So we have no issues with any of the hardlinks in Portage currently.