Summary: | media-video/xine-ui: Symlink/tmpfile bug in xine-check and xine-bugreport | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Weisserth <tobias> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | alpeterson, condordes, egore, federicobusoli, flameeyes, ian.truelsen, jrmalaq, m.debruijne, mcoulman, media-video, schaedpq, stevee |
Priority: | Highest | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://nettwerked.mg2.org/advisories/xinebug | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 48107, 48108 | ||
Bug Blocks: | |||
Attachments: | add symlink checks to xine-check (& xine-bugreport) |
Description
Tobias Weisserth
2004-03-22 15:59:59 UTC
I can confirm this with xine-ui 0.9.23, but for some reason I can't get to the Xine website to see if an updated version has been released. Mhmm, I just looked at the xine website. The latest version is 1-rc3b, therefore there is apparently no fixed version available. There is now an entry in bugtraqs vulnerability db: http://www.securityfocus.com/bid/9939/info/ Except a list of vulnerable versions it doesn't seem to contain anything new. I'm going to sleep now.. hopefully by the time I wake up one of you will have attached a patch (hint, hint) No patch I see.. Ok how about this.. I assume this is a shell script.. with some blatant reference to /tmp.. If this is the case (shell script) could somebody please upload it so that a patch may be created. ------------------------------------------------------------------ BTW: In the future please don't open a bug with the status of GLSA. The product goes to GLSA after the bug is done being worked on in the portage system. Thanks. Created attachment 28126 [details, diff]
add symlink checks to xine-check (& xine-bugreport)
This should stop xine-check/xine-bugreport blindly writing into symlinks for
the logfile, tmpfile or bugreport.
Reassigning correct Product/component as the bug has not been worked out yet. -K media-video herd -- can you review/comment and apply the patch if appropriate? Working on it... looks like I'm the only cowboy for this herd right now. Not a good state, if you have a look at the bug list :-( Ok, all versions in CVS now are patched. Go ahead. Patrick: Your commit doesn't show up on CVSweb : http://www.gentoo.org/cgi-bin/viewcvs.cgi/media-video/xine-ui/?hideattic=1#dirlist Or do I have sync problems, or am I looking in the wrong package ? Thanks for your work, media-video is a large herd to watch all alone :) -K OK I'm out of sync :) Ready for a GLSA : x86 should upgrade to xine-ui-0.9.21-r1 ppc should upgrade to xine-ui-0.9.13-r1 um .. build for xine-ui-0.9.23-r1 crashes and burns on the introduction of the patch. emerge fragment... make[3]: Nothing to be done for `all'. make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/desktops' Making all in visuals make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals' make[3]: Nothing to be done for `all'. make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals' make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc' test `cd .; pwd` = `pwd` || cp ./xine-check.sh.in . perl ./build-xine-check.pl ./xine-check.en chmod a+x xine-check ln -s xine-check xine-bugreport ln: `xine-bugreport': File exists make[3]: *** [xine-bugreport] Error 1 make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23' make: *** [all] Error 2 !!! ERROR: media-video/xine-ui-0.9.23-r1 failed. !!! Function src_compile, Line 43, Exitcode 2 !!! (no error message) attempt to symlink finds a real file already there .. previous version (without -r1) installed fine *** Bug 47737 has been marked as a duplicate of this bug. *** sorry guys, there's something work with this patch. Hmm... going back to wait_for_ebuild phosphan: your opinion on the problem ? Someone with powers should remove the offending ebuild ? i've also created a bug upstream http://sourceforge.net/tracker/index.php?func=detail&aid=934417&group_id=9655&atid=109655 A minor subtlety .. my previous xine-ui-0.9.23.ebuild with the true-false patch added installed fine.. Apparently some changes had occurred since I last installed (had to use the ebuild copy out of /var/db in order to test). So some thing in the symlink patch is causing the file xine-bugreport to exist too soon perhaps? It is created seemingly before xine-check according to the time stamps .. i've just commited a fix. please test and report *** Bug 47749 has been marked as a duplicate of this bug. *** nope at this time it still does the same thing (ebuild time stamp 12:37 now instead of 6:33).. perhaps using a "ln -sf" would work but I don't know how to add that.. nothing seems to have changed (except a few quotes removed).. comparing the ebuilds .. perhaps it has not yet hit the mirrors?? emerge -pu world broke on xine-ui install. Come on guys, get it together. This shouldn't be happening on the stable branch. Just so I don't sound like a total ass: Gentoo is great, and so are the people who help make it happen. Except for the odd time. :o). *** Bug 47748 has been marked as a duplicate of this bug. *** it compiles here on both of my dev boxes okay I can make it compile and install using the ebuild commands .. provided I clobber xine-bugreport .. ""after unpack" or rather after a failed emerge" and before compile, install and qmerge.. okay add the line rm misc/xine-bugreport as the first line inside the Braces of the src_compile routine in the ebuild and it all works .. The src_compile alteration cured the problem for me. *** Bug 47794 has been marked as a duplicate of this bug. *** ack! what a pain this was... the misc/xine-bugreport is a symlink created by the makefile. This file should not have appeared in the .22 tarball. The symlink-patch tried patching both these original files. So, on .23 which properly did NOT have the -bugreport file, the patch added it before the build. So the same problem reappeared. It was a moving target. Fixing one broke the other. Both versions listed below should work, and should have this security patch properly applied. 0.9.22-r2 (x86) and 0.9.23-r1 (~x86) um .. the line rm misc/xine-bugreport is still needed for xine-ui-0.9.23-r1 to build completely .. something about the patching process is still creating a real xine-bugreport file before the symlinking happens so it chokes if the file is not clobbered.. derk please clean your PORTAGE_TMPDIR="/var/tmp" and try again sorry still chokes after that. note I also tried removing the actual patching of xine-bugreport from the patch file also trying to apply the patch to only xine-check or xine-check.sh.in but any patching still results in the creation of xine-bugreport in some fashion probably by the makefile config processes. Probably any kind of date stamp alteration (atime, mtime) is setting it off. *** Bug 47811 has been marked as a duplicate of this bug. *** xine-ui-0.9.23-r1.ebuild,v 1.3 cvs header fixes all issues time to send out GLSA Had this problem on two seperate computers. Both fixed by using the suggestion here: http://bugs.gentoo.org/show_bug.cgi?id=45448#c25 *** Bug 47841 has been marked as a duplicate of this bug. *** Sorry for causing so much trouble, should've checked the side effects more thoroughly. Two new vulnerabilities in xine-ui (#48108) and xine-lib (#48107) have just been submitted. A global GLSA will be published when all xine-* vulns will be fixed. xine-ui-0.9.23-r2 includes the patch from #48108. GLSA 200404-20. |