OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   10-Jul-2003 16:53:26
  Branch: HEAD                             Handle: 2003071015532600

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.034-imagemagick.txt page.pl

  Log:
    finish imagemagick SA

  Summary:
    Revision    Changes     Path
    1.2         +20 -21     openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
    1.19        +1  -1      openpkg-web/security/page.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.034-imagemagick.txt
  --- openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt  10 Jul 2003 14:22:49 
-0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt  10 Jul 2003 14:53:26 
-0000      1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
  @@ -15,31 +18,23 @@
   OpenPKG 1.2          <= imagemagick-5.5.3.2-1.2.0    >= imagemagick-5.5.3.2-1.2.1
   OpenPKG 1.1          <= imagemagick-5.4.8.2-1.1.0    >= imagemagick-5.4.8.2-1.1.1
   
  -Affected Releases:   Dependent Packages:
  -OpenPKG CURRENT      bar quux
  -OpenPKG 1.2          bar quux
  -OpenPKG 1.1          bar 
  -
  -FIXME candidates
  -    autotrace-0.31.1-20030707
  -    tex4ht-20030119-20030707
  -    wv-0.7.6-20030707
  +Dependent Packages:  none
   
   Description:
  -  According to a Debian security advisory [0] imagemagick's libmagick
  -  [1] library, under certain circumstances, creates temporary files
  -  without taking appropriate security precautions. This vulnerability
  -  could be exploited by a local user to create or overwrite files with
  -  the privileges of another user who is invoking a program using this
  -  library. Research has shown that all versions of imagemagick before
  -  5.5.7.0 are affected. The Common Vulnerabilities and Exposures (CVE)
  +  According to a Debian security advisory [0] ImageMagick's [1]
  +  libmagick library, under certain circumstances, creates temporary
  +  files without taking appropriate security precautions. This
  +  vulnerability could be exploited by a local user to create or
  +  overwrite files with the privileges of another user who is invoking a
  +  program using this library. Research has shown that all versions of
  +  ImageMagick before 5.5.7.0 are affected on the officially supported
  +  OpenPKG platforms. The Common Vulnerabilities and Exposures (CVE)
     project assigned the id CAN-2003-0455 [2] to the problem.
   
     Please check whether you are affected by running "<prefix>/bin/rpm -q
     imagemagick". If you have the "imagemagick" package installed and its
     version is affected (see above), we recommend that you immediately
  -  upgrade it (see Solution) and it's dependent packages (see above), if
  -  any, too. [3][4]
  +  upgrade it (see Solution). [3][4]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
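Review bot: the three FIXME candidates (autotrace, tex4ht, wv) are replaced by "Dependent Packages: none" without the log or the advisory recording how that was settled. The flaw sits in the libmagick library, so a dependent package that links it statically would keep the vulnerable code after the imagemagick upgrade alone; if the candidates were checked and found to link dynamically (or not at all), say so in the commit log, otherwise keep them listed. The rest of the rewrite is an improvement: the claim that "all versions before 5.5.7.0 are affected" is now scoped to the officially supported OpenPKG platforms, and "it's dependent packages" is gone along with the dependent-package wording.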
  @@ -59,9 +54,6 @@
     $ <prefix>/bin/rpm --rebuild imagemagick-5.5.3.2-1.2.1.src.rpm
     $ su -
     # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/imagemagick-5.5.3.2-1.2.1.*.rpm
  -
  -  Additionally, we recommend that you rebuild and reinstall
  -  all dependent packages (see above), if any, too. [3][4]
   ________________________________________________________________________
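Review bot: dropping the rebuild-and-reinstall paragraph is consistent with the new "Dependent Packages: none" line, but the "[3][4]" markers that closed the same sentence in the Description are kept there; check that the References section still justifies citing [3] and [4] from a paragraph that no longer mentions dependent packages.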
   
   References:
  @@ -84,3 +76,10 @@
   for details on how to verify the integrity of this advisory.
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/DX14gHWT4GPEy58RAlUoAJ4kSBB5Lm7pfM+n8xcjhPclOh7EYQCg4uAR
  +zkHx7KjUZ5Uajob90z+PAIE=
  +=xh5h
  +-----END PGP SIGNATURE-----
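Review bot: the clearsign block added here and in the first hunk is only valid for the text of this exact revision, so any later edit to the advisory, including whitespace or wording fixes like the ones in the middle hunk, invalidates it. Signing has to stay the last step before commit, and the unsigned 1.1 revision should not be what page.pl publishes.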
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/page.pl
  ============================================================================
  $ cvs diff -u -r1.18 -r1.19 page.pl
  --- openpkg-web/security/page.pl      7 Jul 2003 14:26:31 -0000       1.18
  +++ openpkg-web/security/page.pl      10 Jul 2003 14:53:26 -0000      1.19
  @@ -13,7 +13,7 @@
   foreach my $sa (reverse sort @SA) {
       my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
       next if ($name =~ m|^0000|);
  -    next if ($name =~ m|^2003\.03[3-9]|);
  +    next if ($name =~ m|^2003\.04[4-9]|);
       if ($this_year ne $year) {
           $sidebar .= "<br>\n";
           $this_year = $year;
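Review bot: changing the exclusion from `^2003\.03[3-9]` to `^2003\.04[4-9]` unhides more than the advisory this commit finishes. The old pattern suppressed 2003.033 through 2003.039; the new one suppresses only 2003.044 through 2003.049, so 2003.035 through 2003.039 become visible in the sidebar together with 2003.034 even though nothing in this commit touches them. If only SA-2003.034 is ready, the line should be `next if ($name =~ m|^2003\.03[5-9]|);` (and 040 through 043 remain unhidden either way). Longer term, a hard-coded number range is fragile; a marker in the advisory file (for example the presence of the PGP signature block) would let page.pl decide per file instead of editing this regex on every release.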
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
