The groffer script in the Groff package 1.18 and later versions, as
used in Trustix Secure Linux 1.5 through 2.1, and possibly other
operating systems, allows local users to overwrite files via a symlink
attack on temporary files.
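The class of bug described above, as an added sketch (not groffer's code and not the Debian or RedHat patch; every function name and path is hypothetical): a shell script that writes to a predictable name in a shared temporary directory follows a symlink that another local user created first, while noclobber or a private `mktemp -d` directory does not.

```shell
#!/bin/sh
# Constructed demo: all names and paths are hypothetical, none come from groffer.sh.

# Unsafe: predictable name in a shared directory; '>' follows a symlink
# that another local user created there first.
unsafe_write() {    # $1 = shared temp dir, $2 = data
    printf '%s\n' "$2" > "$1/demo.$$"
}

# Stopgap when the name must stay fixed: noclobber (set -C) makes '>' refuse
# to overwrite an existing regular file, including one reached via a symlink.
noclobber_write() {
    ( set -C; printf '%s\n' "$2" > "$1/demo.$$" ) 2>/dev/null
}

# Preferred: mktemp -d creates a mode-0700 directory with an unpredictable
# name, so nobody else can pre-create entries inside it.
safe_write() {      # prints the path of the file it wrote
    d=$(mktemp -d "$1/demo.XXXXXX") || return 1
    ( set -C; printf '%s\n' "$2" > "$d/out" ) || return 1
    printf '%s\n' "$d/out"
}

# Returns 0 if the writer named in $1 left the "victim" file untouched
# although a symlink was planted on the predictable temp name.
victim_survives() {
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/tmp"
    echo original > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/demo.$$"
    "$1" "$sandbox/tmp" "scratch data" >/dev/null 2>&1 || true
    result=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    [ "$result" = original ]
}

for w in unsafe_write noclobber_write safe_write; do
    if victim_survives "$w"; then echo "$w: victim intact"
    else echo "$w: victim overwritten"; fi
done
```

On Linux, `fs.protected_symlinks=1` additionally blocks following another user's symlink in sticky world-writable directories such as `/tmp`, which limits this class of bug even in unpatched scripts.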
Patch on RedHat bug doesn't apply to our groffer either... but it looks vulnerable nevertheless. Maybe we should wait for RedHat to patch and see if it applies?
The 1.19 patch posted on the RedHat bug (see URL) should apply to 1.19-r1. Then we could push 1.19 to stable on all arches. It's probably simpler than backporting the fix for 1.18.
base-system/vapier: please have a look :)
umm, we don't have 1.19-r1
we have 1.19.1-r1 ... and don't lie to me, but that patch doesn't even come CLOSE to applying cleanly to 1.19.1-r1 ;)
i just moved 1.19.1-r1 to stable for unrelated reasons, and many other arches already have it as stable ... current KEYWORDS:
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86"
figure out what you wanna do :)
heh, blame Mark Cox :)
Debian bug report with backported patch
Created attachment 43158
Patch from Debian
Patch from Debian bug.
Applies correctly:
patching file contrib/groffer/groffer.sh
Hunk #1 succeeded at 3217 (offset -11 lines).
i assume that's for groff-1.18.1 ...
why should we bother? groff-1.19.1 looks like this now:
groff-1.19.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ~ppc ~ppc64 s390 sparc x86"
No, the patch applies to 1.19.1-r1
AFAICT 1.19.1-r1 is still vulnerable, that's why we should care.
groff-1.19.1-r2 now in cvs with aforementioned patch
Arches please test and mark stable.
Note that the only difference with 1.19.1-r1 (for those arches having that version stable) is the tempfile handling in the groffer utility.
Stable on alpha.
Please apply this fix to 1.18 too. multibyte patch for 1.19 is not yet released.
groff-1.19.1-r2 is now tested and marked stable on ppc64.
stable on amd64
if someone posts a patch that'll apply cleanly to 1.18.1-r4 i'll add a 1.18.1-r5
moved arm/hppa/ia64/s390/x86 to stable with 1.19.1-r2
Stable on mips.
ppc64 is stable... ppc64: please remove yourself from Cc when you mark stable.
Security, please vote on GLSA need. Maybe a grouped GLSA with the davfs and openssl ones?
Created attachment 43389
groff-220.127.116.11.ebuild with updated Debian patch.
I vote for a grouped GLSA on this one as well.
waiting on davfs2 x86 stable
davfs will take too much time, issuing GLSA with only openssl and groff