OpenPKG CVS Repository                                   http://cvs.openpkg.org/
____________________________________________________________________________
  Server: cvs.openpkg.org                   Name:   Michael Schloh
  Root:   /v/openpkg/cvs                    Email:  [EMAIL PROTECTED]
  Module: openpkg-web                       Date:   10-Jun-2005 15:37:17
  Branch: HEAD                              Handle: 2005061014371700

  Added files:
    openpkg-web/security    OpenPKG-SA-2005.010-openpkg.txt

  Log:
    for improved clarity, document the problems from OpenPKG-SA-2005.008-bzip2
    and OpenPKG-SA-2005.009-gzip in a new OpenPKG-SA-2005.010-openpkg with
    scope narrowed to only regard the OpenPKG bootstrap package "openpkg"

  Summary:
    Revision  Changes    Path
    1.1       +101 -0    openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt
____________________________________________________________________________

patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.010-openpkg.txt
--- /dev/null   2005-06-10 15:37:03 +0200
+++ OpenPKG-SA-2005.010-openpkg.txt     2005-06-10 15:37:17 +0200
@@ -0,0 +1,101 @@ +________________________________________________________________________ + +OpenPKG Security Advisory The OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.010 10-June-2005 +________________________________________________________________________ + +Package: openpkg +Vulnerability: arbitrary file mode modification, + arbitrary path writing, + denial of service +OpenPKG Specific: no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= openpkg-20050609-20050609 >= openpkg-20050610-20050610 +OpenPKG 2.3 <= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3 +OpenPKG 2.2 <= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2 + +Dependent Packages: none + +Description: + The vulnerabilities described by this text affect the openpkg + bootstrap package's gzip and bzip2 embedded software. Similar + advisories [0][1] describe the same vulnerabilities, although + in context of the particular vendor software. + + According to a Debian bug report [2], Ulf Harnhammar discovered + an input validation error in the gzip data compressor [3]. Because + gzip(1) fails to properly validate file paths during decompression + with the "-N" argument, a remote attacker using a malicious archive + could corrupt arbitrary files with the privileges of the user that + is running gzip(1). The Common Vulnerabilities and Exposures (CVE) + project assigned the identifier CAN-2005-1228 [4] to this problem. + + According to a BugTraq posting [5], Imran Ghory discovered a time of + check time of use (TOCTOU) file mode vulnerability in the bzip2 data + compressor [6]. Because bzip2(1) does not safely restore the mode of + a file undergoing compression or decompression, a malicious user can + potentially change the mode of any file belonging to the user running + bzip2(1). The Common Vulnerabilities and Exposures (CVE) project + assigned the identifier CAN-2005-0953 [7] to this problem. 
+ + In a unrelated bzip2 problem, a denial of service vulnerability + was found in both the bzip2(1) program and its associated library + libbz2(3). Specially crafted bzip2 archives lead to an infinite loop + in the decompressor which results in an indefinitively large output + file. This could be exploited to cause disk space exhaustion. The + Common Vulnerabilities and Exposures (CVE) project assigned the + identifier CAN-2005-1260 [8] to this problem. + + Please check whether you are affected by running "<prefix>/bin/openpkg + rpm -q openpkg". If the openpkg package version is affected (see above), + we recommend that you immediately upgrade it (see Solution) [9][10]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror + location, verify its integrity [15], build a corresponding binary + RPM from it [9] and update your OpenPKG installation by applying the + binary RPM [10]. For the most recent release OpenPKG 2.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.3/UPD + ftp> get openpkg-2.3.2-2.3.2.src.rpm + ftp> bye + $ <prefix>/bin/openpkg rpm -v --checksig openpkg-2.3.2-2.3.2.src.rpm + $ <prefix>/bin/openpkg rpm --rebuild openpkg-2.3.2-2.3.2.src.rpm + $ su - + # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openpkg-2.3.2-2.3.2.*.rpm +________________________________________________________________________ + +References: + [0] http://www.openpkg.org/security/OpenPKG-SA-2005.008-bzip2.html + [1] http://www.openpkg.org/security/OpenPKG-SA-2005.009-gzip.html + [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 + [3] http://www.gzip.org/ + [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 + [5] http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633 + [6] http://sources.redhat.com/bzip2/ + [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953 + [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260 + [9] http://www.openpkg.org/tutorial.html#regular-source + [10] http://www.openpkg.org/tutorial.html#regular-binary + [11] ftp://ftp.openpkg.org/release/2.3/UPD/openpkg-2.3.2-2.3.2.src.rpm + [12] ftp://ftp.openpkg.org/release/2.2/UPD/openpkg-2.2.3-2.2.3.src.rpm + [13] ftp://ftp.openpkg.org/release/2.3/UPD/ + [14] ftp://ftp.openpkg.org/release/2.2/UPD/ + [15] http://www.openpkg.org/security.html#signature +________________________________________________________________________ + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg.org and +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ +for details on how to verify the integrity of this advisory. +________________________________________________________________________ + @@ . 
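Review bot: In the "Affected Releases" table of the new advisory the package versions of the OpenPKG 2.3 and OpenPKG 2.2 rows are swapped: the 2.3 row reads "<= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3" and the 2.2 row reads "<= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2", which contradicts the Solution section (release 2.3 is fixed by openpkg-2.3.2-2.3.2) and references [11] and [12] (release/2.3/UPD/openpkg-2.3.2-2.3.2.src.rpm, release/2.2/UPD/openpkg-2.2.3-2.2.3.src.rpm). Exchange the two version columns between the rows so a reader comparing the output of "openpkg rpm -q openpkg" against the table does not conclude a patched 2.2 host is still affected or vice versa. Minor wording in the Description: "In a unrelated bzip2 problem" should read "In an unrelated bzip2 problem", "indefinitively large output file" should read "indefinitely large output file", and "in context of the particular vendor software" should read "in the context of the particular vendor software".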
______________________________________________________________________
The OpenPKG Project                                www.openpkg.org
CVS Repository Commit List                         openpkg-cvs@openpkg.org