Software: Pike 7.x
Description: A vulnerability has been reported in Pike, which potentially can be exploited by malicious people to conduct SQL injection attacks. Some unspecified input isn't properly sanitised before being used in a SQL query in a PostgreSQL database. This may be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability has been reported in version 7.6.66. Prior versions may also be affected.
Solution: Update to version 7.6.86. http://pike.ida.liu.se/download/
Provided and/or discovered by: Reported by the vendor.
No herd, no maintainer :((( no-herd@gentoo.org, please provide a new 7.6.86 ebuild
Vapier, you were the last one who made a bump on this package. Mind bumping again?
security devs, please email gentoo-dev@ , there is no herd and no maintainer for dev-lang/pike
i'm working on it, just haven't gotten the bugs ironed out yet
-dev mailed.
mike any news on this one?
I just updated the version of pike to 7.6.86, so this bug shouldn't be there, also revbump 7.6.50 to fix bug #116795 (also fixed in latest version). I also added myself as the maintainer of this package, and tweaked the configuration so now it needs gmp/nettle (crashes without them), so let me know if there is any problem. Closing bug....
@Luis since this is only fixed in 7.6.86 is this version ready for stable marking?
Yes Sune, I think this version should be marked stable.
Thx Luis. Arches please test and mark 7.6.86 stable.
1) emerges fine
2) does not pass test suite
Doing tests in tlib/modules/testsuite (324 tests)
test 319, line 807
[WATCHDOG] Pike testsuite timeout, sending SIGABRT.
Failed to parse subresult for testsuite "tlib/modules/testsuite" (exitcode:-1):
3) passes collision test
4) QA Notice: the following files contain executable stacks
Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed.
For more information, see http://hardened.gentoo.org/gnu-stack.xml
Please include this file in your report: /var/tmp/portage/pike-7.6.86/temp/scanelf-execstack.log
"RWX --- --- usr/lib/pike/modules/Image.so"
Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r12 i686)
=================================================================
System uname: 2.6.16-gentoo-r12 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O0"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa apache2 arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal howl icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k kde ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nowebdav nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 91204 scanelf-execstack.log of Christian Faulhammer
Can you please describe what steps you are taking to emerge the package? I can't manage to reproduce this bug. I am using amd64; anyone else with an x86 box who could test this?
emerge pike on my system wants gmp pdflib and nettle additionally to pike itself. I have FEATURES="test", without test it runs through fine... I also used the ebuild utility to perform all steps separately.
Failed a different test on a different run:
Doing tests in tlib/modules/testsuite (324 tests)
test 317, line 739
[WATCHDOG] Pike testsuite timeout, sending SIGABRT.
Some pike source code runs fine though...
With FEATURES="test" works fine for me on x86 with following USE flags, I'll mark stable shortly.
dev-lang/pike-7.6.86 USE="gdbm gif gtk jpeg mime opengl pcre pdf sdl ssl svg tiff truetype zlib -bzip2 -debug -doc -fftw -hardened -kerberos -mmx -mysql -scanner"
Stable on x86.
(In reply to comment #14)
> emerge pike on my system wants gmp pdflib and nettle additionally to pike
> itself. I have FEATURES="test", without test it runs through fine...I also
> used the ebuild utility to perform all steps separately.
>
Yes, one of the main changes of this new ebuild version is precisely that gmp/nettle are mandatory deps, and pdflib required with doc.
> Failed a different test on a different run:
> Doing tests in tlib/modules/testsuite (324 tests)
> test 317, line 739
> [WATCHDOG] Pike testsuite timeout, sending SIGABRT.
>
>
> Some pike source code runs fine though...
>
I can run all my pike scripts fine, and i still don't get to reproduce this bug, anyone from the amd64 team who could give it a try please?
(In reply to comment #16)
> Stable on x86.
>
Thanks Paul
Breaks for me on ppc:
Making install in build/linux-2.6.17-ppc
make[2]: Entering directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/_Image.pmod/module.pmod:63:Index 'RENDER' not present in module 'GIF'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:13:Index '_decode' not present in module 'Image'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:21:Index '_load' not present in module 'Image'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/bin/install.pike:954:Error looking up 'Util' in module 'GTK'.
Pike: Failed to compile script:
Compilation failed.
master.pike:2656:
master()->_main(({"/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc/pike","-DNOT_INSTALLED","-DPRECOMPILED_SEARCH_MORE",,,14}),({"PVR=7.6.86","STARTDIR=/root",,,172}))
make[2]: *** [install] Error 10
make[2]: Leaving directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
make[1]: *** [compile] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86'
make: *** [install_nodoc] Error 2
!!! ERROR: dev-lang/pike-7.6.86 failed.
Call stack:
ebuild.sh, line 1539: Called dyn_install
ebuild.sh, line 1013: Called src_install
pike-7.6.86.ebuild, line 93: Called die
[ebuild N ] dev-lang/pike-7.6.86 USE="gtk ssl tiff -bzip2 -debug -doc -fftw -gdbm -gif -hardened -jpeg -kerberos -mime -mysql -opengl -pcre -pdf -scanner -sdl -svg -truetype -zlib" 0 kB
(In reply to comment #16)
> Stable on x86.
>
There existed some sandbox violation problems with this ebuild. I couldn't reproduce it until a few days ago, and now i fixed it in the new revision of the ebuild, please test again and mark stable if possible. Also, play with the several different use flags combinations, i also fixed a 'doc' useflag problem in this new ebuild, so test hard with this flag enabled. Thanks.
(In reply to comment #19)
> Breaks for me on ppc:
>
> Making install in build/linux-2.6.17-ppc
> make[2]: Entering directory
> `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/_Image.pmod/module.pmod:63:Index
> 'RENDER' not present in module 'GIF'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:13:Index
> '_decode' not present in module 'Image'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:21:Index
> '_load' not present in module 'Image'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/bin/install.pike:954:Error
> looking up 'Util' in module 'GTK'.
> Pike: Failed to compile script:
> Compilation failed.
>
> master.pike:2656:
>
> master()->_main(({"/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc/pike","-DNOT_INSTALLED","-DPRECO
> MPILED_SEARCH_MORE",,,14}),({"PVR=7.6.86","STARTDIR=/root",,,172}))
> make[2]: *** [install] Error 10
> make[2]: Leaving directory
> `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
> make[1]: *** [compile] Error 2
> make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86'
> make: *** [install_nodoc] Error 2
>
> !!! ERROR: dev-lang/pike-7.6.86 failed.
> Call stack:
> ebuild.sh, line 1539: Called dyn_install
> ebuild.sh, line 1013: Called src_install
> pike-7.6.86.ebuild, line 93: Called die
>
>
> [ebuild N ] dev-lang/pike-7.6.86 USE="gtk ssl tiff -bzip2 -debug -doc
> -fftw -gdbm -gif -hardened -jpeg -kerberos -mime -mysql -opengl -pcre -pdf
> -scanner -sdl -svg -truetype -zlib" 0 kB
>
Thanks Tobias, This was a gtk dependency problem, i already fixed in the latest revision. Please test again.
note: do as many useflags combinations as you can.
it failed here on amd64 with a strange 'gcc: gdb: No such file or directory' error, but the latest stable fails exactly the same way. Somebody else from the amd64 team please give it a try.
make[5]: Entering directory `/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/post_modules/GL'
Compiling /var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/top.c
gcc: gdb: No such file or directory
WARNING: Compiler failure! Trying without optimization!
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/pike -DNOT_INSTALLED -DPRECOMPILED_SEARCH_MORE -m/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/master.pike /var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/gen.pike < /var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/auto.c.in > auto.c
Compiling auto.c
gcc: gdb: No such file or directory
WARNING: Compiler failure! Trying without optimization!
Linking GL
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/../../../../x86_64-pc-linux-gnu/bin/ld: top.o: relocation R_X86_64_32 against `msg_out_of_mem_2' can not be used when making a shared object; recompile with -fPIC
top.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
Linking failed:
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/bin/smartlink gcc -shared -o module.so top.o auto.o -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib32 -L/usr/local/lib32 -R/usr/local/lib64 -L/usr/local/lib64 -R/usr/X11R6/lib -L/usr/X11R6/lib -R/usr/X11R6/lib32 -L/usr/X11R6/lib32 -R/usr/X11R6/lib64 -L/usr/X11R6/lib64 -lGL -lXext -lX11 -ldl -lrt -lnsl -lm -lpthread -lcrypt /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/libgcc.a -lc /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/libgcc.a
make[5]: *** [module.so] Error 1
my USE flaggery:
[ebuild N ] dev-lang/pike-7.6.86-r1 USE="debug gtk jpeg opengl pcre sdl ssl svg tiff truetype zlib -bzip2 -doc -fftw -gdbm -hardened -kerberos -mime -mysql -pdf -scanner" 0 kB
also, readding x86 as their keyword got lost
pike 7.6.86-r1
1) emerges fine, but textrel (see above) still remains
2) still fails on test 317 of tlib/modules/testsuite (see above), but scripts run perfectly
3) passes collision test
x86 is outta here. ^.^
Pike fails to pass its testsuite here.
Doing tests in tlib/modules/Calendar.pmod/testsuite (416 tests)
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/lib/modules/Calendar.pmod/testsuite.in:49: Test 30 (shift 0) failed.
1: mixed a() { return Calendar.parse("%Y-%M-%D %h:%m","2040-11-08 2:46"); }
2: mixed b() { return Calendar.Minute(2040,11,8,2,46) ; }
3:
Error: Time is out of range for Timezone.localtime()
FEATURES="test" USE="test tiff bzip2 fftw kerberos mime mysql pdf scanner" emerge pike
Portage 2.1-r1 (default-linux/ppc/ppc32/2006.1/G4, gcc-4.1.1, glibc-2.4-r3, 2.6.17.4 ppc)
=================================================================
System uname: 2.6.17.4 ppc 7447A, altivec supported
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r4
ACCEPT_KEYWORDS="ppc"
AUTOCLEAN="yes"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig confcache distlocks metadata-transfer parallel-fetch sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://pandemonium.tiscali.de/pub/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
PKGDIR="/usr/portage/packages"
SYNC="rsync://192.168.1.33/gentoo-portage"
USE="X alsa altivec apache2 arts berkdb bitmap-fonts bonobo cairo cdr cli crypt cups divx4linux dlloader dri dvd dvdread eds emboss encode esd flac fortran gdbm gif glitz gnome gpm gstreamer gtk gtkhtml ipv6 isdnlog jpeg kde kdeenablefinal ldap libg++ libwww mad mikmod mozilla mp3 mpeg ncurses network nls nptl nptlonly ogg opengl pam pcre pdflib perl png ppc pppd python qt qt3 quicktime readline reflection ruby sdl session spell spl ssl svg tcpd theora truetype truetype-fonts type1-fonts udev unicode userlocales vorbis xine xml xorg xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Uhm, actually it is a bit worse, 9 tests fail.
Failed tests: 9.
Total tests: 150999 (63 tests skipped)
Finished tests at Fri Jul 28 21:26:30 2006
make[2]: *** [verify] Error 9
make[2]: Leaving directory `/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.17.4-ppc'
make[1]: *** [compile] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86'
make: *** [verify] Error 2
Sorry for the bugspam
b33fc0d3 verified it builds, it just fails regarding multilib-strict on amd64, but as the latest stable does so too and it is only cosmetic, i marked it stable anyway, so... amd64 done
That's fine. Thanks Simon.
ppc stable
weak yes here
Another weak yes.
> Another weak yes.
same
OK, let's have one.
GLSA 200608-10