Bug 249140 - app-admin/analog <6.0-r2 has an internal copy of bzip2-1.0.2
Summary: app-admin/analog <6.0-r2 has an internal copy of bzip2-1.0.2
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Blocks: bundled-libs
Reported: 2008-11-28 03:21 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2020-04-10 11:35 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-11-28 03:21:59 UTC
It should define HAVE_BZLIB and use -lbz2 instead of its own version.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-11-28 03:22:37 UTC
This could be vulnerable to GLSA 200804-02.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-15 06:51:55 UTC
I fixed that in app-admin/analog-6.0-r{2,3}. Only -r2 should go stable because the -r3 is EAPI=2.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 09:49:30 UTC
It was shipping 1.0.2, 30-Dec-2001
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 09:59:54 UTC
I was thinking of a scenario where log file input to analog is not trusted, but I noticed the /var/log/apache2 directory is writable for the apache user. So an attacker could place a CGI script and have the web server execute it, writing a crafted log file there. Other ideas?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 10:03:19 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-12-15 14:11:05 UTC
On sparc:
1) It does use -lbz2, but it also seems to use its internal version;
2) More seriously, it does not build at all:
make[1]: Leaving directory `/var/tmp/portage/app-admin/analog-6.0-r2/work/analog-6.0/src/zlib'
sparc-unknown-linux-gnu-gcc -O2 -mcpu=ultrasparc3 -pipe -o ../analog alias.o analog.o cache.o dates.o globals.o hash.o init.o init2.o input.o macinput.o macstuff.o output.o output2.o outcro.o outhtml.o outlatex.o outplain.o outxhtml.o outxml.o process.o settings.o sort.o tree.o utils.o win32.o libgd/gd.o  libgd/gd_io.o libgd/gd_io_file.o libgd/gd_png.o libgd/gdfontf.o libgd/gdfonts.o libgd/gdtables.o libpng/png.o libpng/pngerror.o libpng/pngmem.o libpng/pngset.o libpng/pngtrans.o libpng/pngwio.o libpng/pngwrite.o libpng/pngwtran.o libpng/pngwutil.o pcre/pcre.o zlib/adler32.o zlib/compress.o zlib/crc32.o zlib/deflate.o zlib/gzio.o zlib/infblock.o zlib/infcodes.o zlib/inffast.o zlib/inflate.o zlib/inftrees.o zlib/infutil.o zlib/trees.o zlib/uncompr.o zlib/zutil.o unzip/ioapi.o unzip/unzip.o bzip2/bzlib.o bzip2/blocksort.o bzip2/compress.o bzip2/crctable.o bzip2/decompress.o bzip2/huffman.o bzip2/randtable.o -lgd -lz -lbz2 -lpcre -lm -lpng -ljpeg
>>> Source compiled.
>>> Test phase [none]: app-admin/analog-6.0-r2

>>> Install analog-6.0-r2 into /var/tmp/portage/app-admin/analog-6.0-r2/image/ category app-admin
!!! dobin: analog does not exist
 * ERROR: app-admin/analog-6.0-r2 failed.
 * Call stack:
 *     , line   49:  Called src_install
 *             environment, line 2140:  Called die
 * The specific snippet of code:
 *       dobin analog || die "dobin failed";
 *  The die message:
 *   dobin failed
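The first point in Comment 6 (the binary pulls in -lbz2 but also links the in-tree bzip2 objects) can be read straight off the final link command. The script below is an added example, not code from this bug or from the analog project: it classifies each library as linked from the system, from a bundled copy, or both, using the -l name / source-directory pairs that appear in the sparc link line above. The link lines it scans are constructed strings shortened from that log; on a real build you would pass the saved link command instead.

```sh
#!/bin/sh
# Added example (not from the bug or from analog): detect libraries that a
# link command pulls in twice, once as objects compiled from a bundled source
# tree (bzip2/bzlib.o ...) and once from the system with -l<name>. Works on
# the text of the link line only, so it runs offline on a saved build log.

# Constructed sample, shortened from the sparc link line in Comment 6.
SAMPLE_LINK_LINE="sparc-unknown-linux-gnu-gcc -O2 -pipe -o ../analog analog.o \
libgd/gd.o libpng/png.o pcre/pcre.o zlib/inflate.o unzip/unzip.o \
bzip2/bzlib.o bzip2/decompress.o -lgd -lz -lbz2 -lpcre -lm -lpng -ljpeg"

# Constructed line for the state Comment 10 aims at: bzip2/ objects gone,
# bzip2 support coming only from the system libbz2.
FIXED_LINK_LINE="sparc-unknown-linux-gnu-gcc -O2 -pipe -o ../analog analog.o \
libgd/gd.o libpng/png.o pcre/pcre.o zlib/inflate.o unzip/unzip.o \
-lgd -lz -lbz2 -lpcre -lm -lpng -ljpeg"

# classify_link LINK_LINE LIB DIR
#   LIB is the name given to -l (bz2), DIR the directory of the in-tree copy
#   (bzip2). Prints exactly one word: system, bundled, both or none.
classify_link() {
    line=$1; lib=$2; dir=$3
    has_lib=0; has_obj=0
    set -f                       # no pathname expansion while splitting words
    for word in $line; do
        case $word in
            -l"$lib")    has_lib=1 ;;   # system library requested
            "$dir"/*.o)  has_obj=1 ;;   # object built from the bundled tree
        esac
    done
    set +f
    if [ $has_lib -eq 1 ] && [ $has_obj -eq 1 ]; then echo both
    elif [ $has_lib -eq 1 ]; then echo system
    elif [ $has_obj -eq 1 ]; then echo bundled
    else echo none
    fi
}

# report LINK_LINE
#   One "lib<TAB>status" line per library. The lib:dir pairs are those visible
#   in the analog link line (assumed mapping for this example).
report() {
    for pair in bz2:bzip2 z:zlib png:libpng pcre:pcre gd:libgd; do
        lib=${pair%%:*}; dir=${pair#*:}
        result=$(classify_link "$1" "$lib" "$dir")
        printf '%s\t%s\n' "$lib" "$result"
    done
}

# count_both LINK_LINE -> how many libraries are linked both ways
count_both() {
    report "$1" | awk '$2 == "both" { n++ } END { print n + 0 }'
}

# Stand-alone run: show the per-library table for the constructed sample.
report "$SAMPLE_LINK_LINE"
echo "libraries linked both bundled and from the system: $(count_both "$SAMPLE_LINK_LINE")"
```

A result of "both" is the double-linking Comment 6 describes; "system" is the desired outcome of the patch Comment 10 announces. Note that the check only proves which objects were linked, not which symbols the linker resolved from where; an object file that defines the same symbols as the shared library can still shadow it, which is why dropping the bundled objects from the build entirely is the reliable fix.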
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-12-15 14:17:43 UTC
As a cross-check, I note that on amd64 I see the identical failure.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2008-12-15 15:33:15 UTC
ppc64 same too.... it's looking for the 'analog' executable in the src/ dir but it is actually one dir up in my case.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 17:43:31 UTC
un-cc'ing arches then.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-15 21:59:30 UTC
Oh darn. I seem to have believed the Makefile comments. I should patch those too, I guess. :)

I am changing the Makefile patch to not build or link to the bzip2/ objects.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-15 22:10:20 UTC
I fixed the patch and the ebuilds. OMG, is another revbump in order now?
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-12-16 13:33:40 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2008-12-16 15:09:06 UTC
Now good on sparc.  Sparc stable.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-16 15:25:55 UTC
Stable for HPPA.
Comment 15 Brent Baude (RETIRED) gentoo-dev 2008-12-16 15:41:47 UTC
ppc64 done
Comment 16 Markus Meier gentoo-dev 2008-12-17 20:12:34 UTC
amd64/x86 stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-18 17:59:08 UTC
ppc stable
Comment 18 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-20 15:25:10 UTC
Stable on alpha.
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-21 20:13:35 UTC
GLSA request filed.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-29 21:45:03 UTC
GLSA 200903-40