| Field | Value |
|---|---|
| Summary | dev-libs/openssl: Insecure tmpfile use |
| Product | Gentoo Security |
| Reporter | Thierry Carrez (RETIRED) <koon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | aliz, crypto+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302 |
| Whiteboard | B3 [glsa] koon |
| Package list | |
| Runtime testing required | --- |
Description

Thierry Carrez (RETIRED), 2004-10-21 07:59:41 UTC

Created attachment 42317: Patch from RedHat bug
Our /etc/ssl/misc/der_chop is affected. Its use looks deprecated. It should be patched or removed. This is no-herd and aliz doesn't seem active ATM. Looks like we'll have to fix this one ourselves.

If it's really deprecated (like they say on the RedHat bug), then it should probably be removed rather than fixed.

Crypto herd: there is no sign from Aliz. I know openssl is technically no-herd, but I thought you could help. The idea is to patch or remove the der_chop script. Thanks in advance :)

Given patch applies cleanly to 0.9.7d-r1

Thx to dragonheart for the patch. Arches please test and mark 0.9.7d-r2 stable

```
>>> md5 src_uri ;-) openssl-0.9.7d.tar.gz
>>> md5 src_uri ;-) openssl-0.9.6m.tar.gz
>>> Unpacking source...
>>> Unpacking openssl-0.9.7d.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
>>> Unpacking openssl-0.9.6m.tar.gz to /var/tmp/portage/openssl-0.9.7d-r2/work
 * Applying openssl-0.9.7c-tempfile.patch ... [ ok ]
 * Applying openssl-0.9.7d-gentoo.diff ... [ ok ]
 * Applying openssl-0.9.7d-smime.patch ... [ ok ]
sed: -e expression #1, char 88: Unknown option to `s'
!!! ERROR: dev-libs/openssl-0.9.7d-r2 failed.
!!! Function src_unpack, Line 98, Exitcode 1
!!! sed failed
!!! If you need support, post the topmost build error, NOT this status message.
```
works for me (ebuild/patch and ssl itself).

stable on ppc64. Markus

Stable on amd64

Stable on alpha.

sparc'd

Security, please vote on GLSA need. I /think/ this doesn't warrant a GLSA (der_chop being quite deprecated), but we issued other GLSAs for Netatalk's etc2ps.sh and krb5's send-pr.sh... Maybe a grouped GLSA with the davfs and groff ones?

I vote for a grouped GLSA.

Waiting for davfs mips stable.

davfs will take too much time, issuing GLSA with only openssl and groff

GLSA 200411-15

arm hppa ia64 s390: please mark stable to benefit from GLSA