[CVS] OpenPKG: openpkg-src/ispell/ ispell.patch ispell.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Matthias Kurz Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 11-Jun-2005 08:03:56 Branch: HEAD Handle: 2005061107035400 Modified files: openpkg-src/ispell ispell.patch ispell.spec Log: fixing segfault caused by bad initialization Summary: RevisionChanges Path 1.3 +21 -8 openpkg-src/ispell/ispell.patch 1.47+1 -1 openpkg-src/ispell/ispell.spec patch -p0 <<'@@ .' Index: openpkg-src/ispell/ispell.patch $ cvs diff -u -r1.2 -r1.3 ispell.patch --- openpkg-src/ispell/ispell.patch 20 May 2004 20:25:37 - 1.2 +++ openpkg-src/ispell/ispell.patch 11 Jun 2005 06:03:54 - 1.3 @@ -1,6 +1,6 @@ config.X.origMon Jan 23 19:28:24 1995 -+++ config.X Sun Mar 18 13:11:18 2001 -@@ -107,9 +107,6 @@ +--- config.X 10 Jun 2005 18:16:04 - 1.1.1.1 config.X 10 Jun 2005 19:53:17 - +@@ -211,9 +211,6 @@ #include #include @@ -10,9 +10,22 @@ /* ** Things that normally go in a Makefile. Define these just like you ispell.c.orig2004-05-19 18:07:49.552575166 +0200 -+++ ispell.c 2004-05-19 18:08:46.017820502 +0200 -@@ -494,6 +494,11 @@ +--- exp_table.c 10 Jun 2005 18:16:05 - 1.1.1.1 exp_table.c 10 Jun 2005 19:54:09 - +@@ -36,8 +36,8 @@ + + e->size = 0; + e->max_size = 1; +-e->exps = malloc (e->size * sizeof (*e->exps)); +-e->flags = malloc (e->size * sizeof (*e->flags) * MASKSIZE); ++e->exps = malloc (e->max_size * sizeof (*e->exps)); ++e->flags = malloc (e->max_size * sizeof (*e->flags) * MASKSIZE); + e->orig_word = orig_word; + } + +--- ispell.c 10 Jun 2005 18:16:05 - 1.1.1.1 ispell.c 10 Jun 2005 19:53:17 - +@@ -507,6 +507,11 @@ #else /* MINIMENU */ (void) printf ("\t!MINIMENU\n"); #endif /* MINIMENU */ 
@@ -22,5 +35,5 @@ +(void) printf ("\t!NO8BIT\n"); +#endif /* NO8BIT */ (void) printf ("\tMINWORD = %d\n", MINWORD); - (void) printf ("\tMSDOS_BINARY_OPEN = 0x%x\n", - (unsigned int) MSDOS_BINARY_OPEN); + #ifdef MSDOS + (void) printf ("\tMSDOS\n"); @@ . patch -p0 <<'@@ .' Index: openpkg-src/ispell/ispell.spec $ cvs diff -u -r1.46 -r1.47 ispell.spec --- openpkg-src/ispell/ispell.spec4 May 2005 05:27:25 - 1.46 +++ openpkg-src/ispell/ispell.spec11 Jun 2005 06:03:54 - 1.47 @@ -37,7 +37,7 @@ Group:Text License: BSD Version: %{V_ispell} -Release: 20050504 +Release: 20050611 # list of sources Source0: http://fmg-www.cs.ucla.edu/geoff/tars/ispell-%{V_ispell}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
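Review bot: the exp_table.c hunk fixes the root cause of the segfault (both buffers were sized from e->size, which the two lines above set to 0, so the first element stored landed in a zero-length allocation), but neither malloc() result is checked; an allocation failure leaves e->exps or e->flags NULL and crashes on the same first write, so add a NULL check after each call. The ispell.c hunk only changes the build-configuration printout (the MSDOS_BINARY_OPEN line becomes an #ifdef MSDOS block) and is unrelated to the fix named in the log, so it would be clearer as a separate commit.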
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.010-openpkg.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 22:46:09 Branch: HEAD Handle: 2005061021460900 Modified files: openpkg-web/securityOpenPKG-SA-2005.010-openpkg.txt Log: release OpenPKG Security Advisory 2005.010 (openpkg) Summary: RevisionChanges Path 1.3 +10 -0 openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.010-openpkg.txt --- openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005 18:29:57 - 1.2 +++ openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005 20:46:09 - 1.3 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -100,3 +103,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFCqfvvgHWT4GPEy58RAn37AKCO1mquoh33sAnOG7K4Te5DPZX9lACgo0IJ +YmZlJ+9kZyRgnTEIlvR2HRE= +=DiNk +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 22:42:36 Branch: HEAD Handle: 2005061021423600 Modified files: openpkg-web/securityOpenPKG-SA-2005.009-gzip.txt Log: release OpenPKG Security Advisory 2005.009 (gzip) Summary: RevisionChanges Path 1.5 +10 -0 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt $ cvs diff -u -r1.4 -r1.5 OpenPKG-SA-2005.009-gzip.txt --- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 18:28:10 - 1.4 +++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 20:42:36 - 1.5 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -80,3 +83,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFCqfstgHWT4GPEy58RAiYuAJwJMqdOKQmm6BMByHHSFWp17B28wACgoQ9e +TqauW23Vx/UJBmuofVeB3/I= +=PBsZ +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 22:42:09 Branch: HEAD Handle: 2005061021420900 Modified files: openpkg-web/securityOpenPKG-SA-2005.008-bzip2.txt Log: release OpenPKG Security Advisory 2005.008 (bzip2) Summary: RevisionChanges Path 1.5 +10 -0 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt $ cvs diff -u -r1.4 -r1.5 OpenPKG-SA-2005.008-bzip2.txt --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 18:26:54 - 1.4 +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 20:42:09 - 1.5 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -99,3 +102,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFCqfsRgHWT4GPEy58RAlK8AJwJrHocGaqSJyF3B0K32CygMRevsQCfRCx6 +Wk2ihwlYtsP5vSk5sIm9E6g= +=RvKk +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.007-cvs.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 22:39:05 Branch: HEAD Handle: 2005061021390500 Modified files: openpkg-web/securityOpenPKG-SA-2005.007-cvs.txt Log: release OpenPKG Security Advisory 2005.007 (cvs) Summary: RevisionChanges Path 1.3 +10 -0 openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.007-cvs.txt --- openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt 10 Jun 2005 18:22:22 - 1.2 +++ openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt 10 Jun 2005 20:39:05 - 1.3 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -70,3 +73,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFCqfpYgHWT4GPEy58RAj/7AJ90JXP6HyV0RV0SM6FPhx6wkuxgFwCgjUZI +cdMtnMS/1+Mv+Bo/KJbb+ZY= +=b/HB +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/swhoisd/ swhoisd.patch swhoisd.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 22:37:00 Branch: HEAD Handle: 2005061021365901 Modified files: openpkg-src/swhoisd swhoisd.patch swhoisd.spec Log: fix building under Solaris 8 by using the more portable combination of gmtime/mktime instead of timegm Summary: RevisionChanges Path 1.3 +1 -1 openpkg-src/swhoisd/swhoisd.patch 1.3 +1 -1 openpkg-src/swhoisd/swhoisd.spec patch -p0 <<'@@ .' Index: openpkg-src/swhoisd/swhoisd.patch $ cvs diff -u -r1.2 -r1.3 swhoisd.patch --- openpkg-src/swhoisd/swhoisd.patch 31 Mar 2005 16:04:05 - 1.2 +++ openpkg-src/swhoisd/swhoisd.patch 10 Jun 2005 20:36:59 - 1.3 @@ -156,7 +156,7 @@ loctime = localtime_r(&curtime, &tm_buf); +/* Determine timezone offset */ -+timezone = (time_t)((long)timegm(loctime) - (long)curtime); ++timezone = (time_t)((long)mktime(gmtime(&curtime)) - (long)curtime); + /* Immediately save global variable and adjust seconds to minutes: */ timezone_minutes= timezone / 60; @@ . patch -p0 <<'@@ .' Index: openpkg-src/swhoisd/swhoisd.spec $ cvs diff -u -r1.2 -r1.3 swhoisd.spec --- openpkg-src/swhoisd/swhoisd.spec 31 Mar 2005 14:38:02 - 1.2 +++ openpkg-src/swhoisd/swhoisd.spec 10 Jun 2005 20:37:00 - 1.3 @@ -33,7 +33,7 @@ Group:Network License: MIT-style Version: 3.0.5 -Release: 20050331 +Release: 20050610 # list of sources Source0: ftp://dan.drydog.com/pub/swhoisd/swhoisd-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
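Review bot: the replacement line `timezone = (time_t)((long)mktime(gmtime(&curtime)) - (long)curtime);` calls gmtime(), which returns a pointer to static storage, while the context line just above it already uses the reentrant localtime_r(&curtime, &tm_buf); for consistency in a daemon, use gmtime_r() into a second local struct tm. In addition, gmtime() sets tm_isdst to 0, so while daylight-saving time is in effect mktime() normalizes the broken-down time as standard time and the computed offset is off by the DST shift; copying loctime->tm_isdst into that struct before calling mktime() avoids this.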
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.010-openpkg.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 20:29:57 Branch: HEAD Handle: 2005061019295700 Modified files: openpkg-web/securityOpenPKG-SA-2005.010-openpkg.txt Log: small cosmetics, including par(1) formatting Summary: RevisionChanges Path 1.2 +19 -18 openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.010-openpkg.txt --- openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005 13:37:17 - 1.1 +++ openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005 18:29:57 - 1.2 @@ -3,7 +3,7 @@ OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.010 10-June-2005 +OpenPKG-SA-2005.010 10-Jun-2005 Package: openpkg 
@@ -20,38 +20,39 @@ Dependent Packages: none Description: - The vulnerabilities described by this text affect the openpkg - bootstrap package's gzip and bzip2 embedded software. Similar - advisories [0][1] describe the same vulnerabilities, although - in context of the particular vendor software. + The vulnerabilities described by this text affect the OpenPKG + bootstrap package's GZip and BZip2 embedded software. Similar + advisories [0][1] describe the same vulnerabilities, although in + context of the particular vendor software. - According to a Debian bug report [2], Ulf Harnhammar discovered - an input validation error in the gzip data compressor [3]. Because + According to a Debian bug report [2], Ulf Harnhammar discovered an + input validation error in the GZip data compressor [3]. Because gzip(1) fails to properly validate file paths during decompression with the "-N" argument, a remote attacker using a malicious archive could corrupt arbitrary files with the privileges of the user that is running gzip(1). The Common Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1228 [4] to this problem. - According to a BugTraq posting [5], Imran Ghory discovered a time of - check time of use (TOCTOU) file mode vulnerability in the bzip2 data - compressor [6]. Because bzip2(1) does not safely restore the mode of - a file undergoing compression or decompression, a malicious user can - potentially change the mode of any file belonging to the user running - bzip2(1). The Common Vulnerabilities and Exposures (CVE) project - assigned the identifier CAN-2005-0953 [7] to this problem. + According to a BugTraq posting [5], Imran Ghory discovered a time + of check time of use (TOCTOU) file mode vulnerability in the BZip2 + data compressor [6]. Because bzip2(1) does not safely restore the + mode of a file undergoing compression or decompression, a malicious + user can potentially change the mode of any file belonging to the + user running bzip2(1). 
The Common Vulnerabilities and Exposures (CVE) + project assigned the identifier CAN-2005-0953 [7] to this problem. - In a unrelated bzip2 problem, a denial of service vulnerability + In a unrelated BZip2 problem, a denial of service vulnerability was found in both the bzip2(1) program and its associated library - libbz2(3). Specially crafted bzip2 archives lead to an infinite loop + libbz2(3). Specially crafted BZip2 archives lead to an infinite loop in the decompressor which results in an indefinitively large output file. This could be exploited to cause disk space exhaustion. The Common Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1260 [8] to this problem. Please check whether you are affected by running "/bin/openpkg - rpm -q openpkg". If the openpkg package version is affected (see above), - we recommend that you immediately upgrade it (see Solution) [9][10]. + rpm -q openpkg". If the openpkg package version is affected (see + above), we recommend that you immediately upgrade it (see Solution) + [9][10]. Solution: Select the updated source RPM appropriate for your OpenPKG re
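Review bot: since this is a cosmetics pass, two wording slips that the Description hunk carries through unchanged could be fixed in the same commit: "In a unrelated BZip2 problem" should read "In an unrelated BZip2 problem", and "an indefinitively large output file" should read "an indefinitely large output file".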
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 20:28:10 Branch: HEAD Handle: 2005061019281000 Modified files: openpkg-web/securityOpenPKG-SA-2005.009-gzip.txt Log: small cosmetics Summary: RevisionChanges Path 1.4 +11 -10 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt $ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2005.009-gzip.txt --- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 15:42:33 - 1.3 +++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 18:28:10 - 1.4 @@ -3,7 +3,7 @@ OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.009 10-June-2005 +OpenPKG-SA-2005.009 10-Jun-2005 Package: gzip 
@@ -18,21 +18,21 @@ Dependent Packages: none Description: - According to a Debian bug report [0], Ulf Harnhammar discovered - an input validation error in the gzip data compressor [1]. Because + According to a Debian bug report [0], Ulf Harnhammar discovered an + input validation error in the GZip data compressor [1]. Because gzip(1) fails to properly validate file paths during decompression with the "-N" argument, a remote attacker using a malicious archive could corrupt arbitrary files with the privileges of the user that is running gzip(1). The Common Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1228 [2] to this problem. - Because the openpkg bootstrap package embeds gzip, it may be affected - as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3]. + Because the OpenPKG bootstrap package embeds GZip, it is affected as + well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3]. Please check whether you are affected by running "/bin/openpkg - rpm -q gzip". If you have the "gzip" package installed and its - version is affected (see above), we recommend that you immediately - upgrade it (see Solution) and any dependent packages as well [4][5]. + rpm -q gzip". If you have the "gzip" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution) and any dependent packages as well [4][5]. Solution: Select the updated source RPM appropriate for your OpenPKG release 
@@ -54,8 +54,9 @@ # /bin/openpkg rpm -Fvh /RPM/PKG/gzip-1.3.5-2.3.1.*.rpm We recommend that you rebuild and reinstall any dependent packages - (see above) as well [4][5]. The openpkg build tool can be instrumental - in consistently updating and securing the entire OpenPKG instance. + (see above) as well [4][5]. The "openpkg build" tool can be + instrumental in consistently updating and securing the entire OpenPKG + instance. References: @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
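Review bot: the Description hunk changes "it may be affected as well" to "it is affected as well", which is a change of substance (the advisory now asserts that the bootstrap package is vulnerable) rather than a cosmetic one, so the log message "small cosmetics" understates it; mention the strengthened claim in the log so that readers of the history can see when the affected status was confirmed.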
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 20:26:54 Branch: HEAD Handle: 2005061019265400 Modified files: openpkg-web/securityOpenPKG-SA-2005.008-bzip2.txt Log: cosmetics again Summary: RevisionChanges Path 1.4 +15 -14 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt $ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2005.008-bzip2.txt --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 13:28:42 - 1.3 +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 18:26:54 - 1.4 @@ -3,7 +3,7 @@ OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.008 10-June-2005 +OpenPKG-SA-2005.008 10-Jun-2005 Package: bzip2 
@@ -28,24 +28,24 @@ perl-comp perl-mail php::with_bzip2 Description: - According to a BugTraq posting [0], Imran Ghory discovered a time of - check time of use (TOCTOU) file mode vulnerability in the bzip2 data - compressor [1]. Because bzip2(1) does not safely restore the mode of - a file undergoing compression or decompression, a malicious user can - potentially change the mode of any file belonging to the user running - bzip2(1). The Common Vulnerabilities and Exposures (CVE) project - assigned the identifier CAN-2005-0953 [2] to this problem. + According to a BugTraq posting [0], Imran Ghory discovered a time + of check time of use (TOCTOU) file mode vulnerability in the BZip2 + data compressor [1]. Because bzip2(1) does not safely restore the + mode of a file undergoing compression or decompression, a malicious + user can potentially change the mode of any file belonging to the + user running bzip2(1). The Common Vulnerabilities and Exposures (CVE) + project assigned the identifier CAN-2005-0953 [2] to this problem. In a unrelated case, a denial of service vulnerability was found in both the bzip2(1) program and its associated library libbz2(3). - Specially crafted bzip2 archives lead to an infinite loop in the + Specially crafted BZip2 archives lead to an infinite loop in the decompressor which results in an indefinitively large output file. This could be exploited to cause disk space exhaustion. The Common Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1260 [3] to this problem. - Because the openpkg bootstrap package embeds bzip2, it may be affected - as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4]. + Because the OpenPKG bootstrap package embeds BZip2, it is affected as + well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4]. Please check whether you are affected by running "/bin/openpkg rpm -q bzip2". If you have the "bzip2" package installed and its 
@@ -72,13 +72,14 @@ # /bin/openpkg rpm -Fvh /RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm We recommend that you rebuild and reinstall any dependent packages - (see above) as well [5][6]. The openpkg build tool can be instrumental - in consistently updating and securing the entire OpenPKG instance. + (see above) as well [5][6]. The "openpkg build" tool can be + instrumental in consistently updating and securing the entire OpenPKG + instance. References: [0] http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633 - [1] http://sources.redhat.com/bzip2/ + [1] http://www.bzip.org/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260 [4] http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.007-cvs.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 20:22:22 Branch: HEAD Handle: 200506101900 Modified files: openpkg-web/securityOpenPKG-SA-2005.007-cvs.txt Log: small cosmetics Summary: RevisionChanges Path 1.2 +7 -6 openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.007-cvs.txt --- openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt 18 May 2005 14:58:07 - 1.1 +++ openpkg-web/security/OpenPKG-SA-2005.007-cvs.txt 10 Jun 2005 18:22:22 - 1.2 @@ -3,7 +3,7 @@ OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.007 18-Apr-2005 +OpenPKG-SA-2005.007 10-Jun-2005 Package: cvs @@ -18,11 +18,12 @@ Dependent Packages: none Description: - According to a Debian bug report [0], a denial of service vulnerability - exists in the embedded ZLib [1] compression logic of CVS. The problem - involves incorrect error handling in the inflate() and inflateBack() - functions. The Common Vulnerabilities and Exposures (CVE) project - assigned the identifier CAN-2004-0797 [2] to the problem. + According to a Debian bug report [0], a Denial of Service (DoS) + vulnerability exists in the embedded ZLib [1] compression logic of + the Concurrent Versions Systems (CVS). The problem involves incorrect + error handling in the inflate() and inflateBack() functions. The + Common Vulnerabilities and Exposures (CVE) project assigned the + identifier CAN-2004-0797 [2] to the problem. Please check whether you are affected by running "/bin/openpkg rpm -q cvs". If you have the "cvs" package installed and its version @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
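Review bot: the expansion introduced in the Description hunk reads "the Concurrent Versions Systems (CVS)"; the project name is "Concurrent Versions System" (singular), so the added line should be corrected before the advisory is signed.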
[CVS] OpenPKG: openpkg-src/pcre/ pcre.patch pcre.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Steffen Weinreich Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 18:47:45 Branch: HEAD Handle: 2005061017474401 Modified files: openpkg-src/pcrepcre.patch pcre.spec Log: Removed C++ targets from makefile and commented out installation of C++ bindings Summary: RevisionChanges Path 1.2 +16 -11 openpkg-src/pcre/pcre.patch 1.41+1 -1 openpkg-src/pcre/pcre.spec patch -p0 <<'@@ .' Index: openpkg-src/pcre/pcre.patch $ cvs diff -u -r1.1 -r1.2 pcre.patch --- openpkg-src/pcre/pcre.patch 9 Jun 2005 12:47:50 - 1.1 +++ openpkg-src/pcre/pcre.patch 10 Jun 2005 16:47:44 - 1.2 
@@ -1,18 +1,23 @@ Makefile.in.orig 2005-06-07 10:36:38.0 +0200 -+++ Makefile.in 2005-06-09 14:11:36.152948488 +0200 -@@ -437,9 +437,12 @@ +Index: Makefile.in +--- Makefile.in.orig 2005-06-07 10:36:38 +0200 Makefile.in 2005-06-10 13:56:47 +0200 +@@ -171,7 +171,7 @@ + [EMAIL PROTECTED]@ \ + [EMAIL PROTECTED]@ + +-all:libpcre.la @POSIX_LIB@ @MAYBE_CPP_TARGETS@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ @ON_WINDOWS@ winshared ++all:libpcre.la @POSIX_LIB@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ @ON_WINDOWS@ winshared + + [EMAIL PROTECTED]@: libpcre.la [EMAIL PROTECTED]@ @ON_WINDOWS@ winshared + $(LINK) -o [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ libpcre.la +@@ -437,8 +437,8 @@ @NOT_ON_WINDOWS@ $(LIBTOOL) --mode=install $(INSTALL) libpcre.la $(DESTDIR)$(LIBDIR)/libpcre.la @NOT_ON_WINDOWS@ echo "$(LIBTOOL) --mode=install $(INSTALL) libpcreposix.la $(DESTDIR)$(LIBDIR)/libpcreposix.la" @NOT_ON_WINDOWS@ $(LIBTOOL) --mode=install $(INSTALL) libpcreposix.la $(DESTDIR)$(LIBDIR)/libpcreposix.la [EMAIL PROTECTED]@ echo "$(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la" [EMAIL PROTECTED]@ $(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la [EMAIL PROTECTED]@ $(LIBTOOL) --finish $(DESTDIR)$(LIBDIR) [EMAIL PROTECTED]@( if [ -f libpcrecpp.la ] ; then \ -+echo "$(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la" ;\ -+$(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la ;\ -+$(LIBTOOL) --finish $(DESTDIR)$(LIBDIR) ;\ -+ fi \ -+) [EMAIL PROTECTED]@ # echo "$(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la" [EMAIL PROTECTED]@ # $(LIBTOOL) --mode=install $(INSTALL) libpcrecpp.la $(DESTDIR)$(LIBDIR)/libpcrecpp.la + @NOT_ON_WINDOWS@ $(LIBTOOL) --finish $(DESTDIR)$(LIBDIR) $(mkinstalldirs) $(DESTDIR)$(INCDIR) $(INSTALL_DATA) pcre.h $(DESTDIR)$(INCDIR)/pcre.h - $(INSTALL_DATA) $(top_srcdir)/pcreposix.h $(DESTDIR)$(INCDIR)/pcreposix.h 
@@ . patch -p0 <<'@@ .' Index: openpkg-src/pcre/pcre.spec $ cvs diff -u -r1.40 -r1.41 pcre.spec --- openpkg-src/pcre/pcre.spec9 Jun 2005 12:47:51 - 1.40 +++ openpkg-src/pcre/pcre.spec10 Jun 2005 16:47:45 - 1.41 @@ -33,7 +33,7 @@ Group:Text License: LGPL Version: 6.0 -Release: 20050609 +Release: 20050610 # list of sources Source0: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: OPENPKG_2_3_SOLID: openpkg-src/gzip/ gzip.patch gzip.sp...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 17:48:34 Branch: OPENPKG_2_3_SOLIDHandle: 2005061016483400 Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/gzipgzip.patch gzip.spec Log: correct for OpenPKG-SA-2005.009-gzip (CAN-2005-1228) Summary: RevisionChanges Path 1.2.8.1 +17 -0 openpkg-src/gzip/gzip.patch 1.34.2.2+1 -1 openpkg-src/gzip/gzip.spec patch -p0 <<'@@ .' Index: openpkg-src/gzip/gzip.patch $ cvs diff -u -r1.2 -r1.2.8.1 gzip.patch --- openpkg-src/gzip/gzip.patch 7 Oct 2003 09:27:51 - 1.2 +++ openpkg-src/gzip/gzip.patch 10 Jun 2005 15:48:34 - 1.2.8.1 @@ -22,3 +22,20 @@ #ifndef MAXSEG_64K DECLARE(ush, tab_prefix, 1L
[CVS] OpenPKG: OPENPKG_2_2_SOLID: openpkg-src/gzip/ gzip.patch gzip.sp...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 17:47:31 Branch: OPENPKG_2_2_SOLIDHandle: 2005061016473100 Modified files: (Branch: OPENPKG_2_2_SOLID) openpkg-src/gzipgzip.patch gzip.spec Log: correct for OpenPKG-SA-2005.009-gzip (CAN-2005-1228) Summary: RevisionChanges Path 1.2.6.1 +17 -0 openpkg-src/gzip/gzip.patch 1.33.6.2+1 -1 openpkg-src/gzip/gzip.spec patch -p0 <<'@@ .' Index: openpkg-src/gzip/gzip.patch $ cvs diff -u -r1.2 -r1.2.6.1 gzip.patch --- openpkg-src/gzip/gzip.patch 7 Oct 2003 09:27:51 - 1.2 +++ openpkg-src/gzip/gzip.patch 10 Jun 2005 15:47:31 - 1.2.6.1 @@ -22,3 +22,20 @@ #ifndef MAXSEG_64K DECLARE(ush, tab_prefix, 1L
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 17:42:33 Branch: HEAD Handle: 2005061016423300 Modified files: openpkg-web/securityOpenPKG-SA-2005.009-gzip.txt Log: no embedded gzip dependencies were found Summary: RevisionChanges Path 1.3 +1 -4 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.009-gzip.txt --- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 13:31:09 - 1.2 +++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 15:42:33 - 1.3 @@ -15,10 +15,7 @@ OpenPKG 2.3 <= gzip-1.3.5-2.3.0 >= gzip-1.3.5-2.3.1 OpenPKG 2.2 <= gzip-1.3.5-2.2.0 >= gzip-1.3.5-2.2.1 -Affected Releases: Dependent Packages: -OpenPKG CURRENT XY -OpenPKG 2.3 XY -OpenPKG 2.2 XY +Dependent Packages: none Description: According to a Debian bug report [0], Ulf Harnhammar discovered @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/openpkg/ gzip.c
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 17:25:22 Branch: HEAD Handle: 2005061016252200 Modified files: openpkg-src/openpkg gzip.c Log: Fix syntax error (declaring a variable within the function body is allowed under ISO C99 only) Summary: RevisionChanges Path 1.2 +2 -2 openpkg-src/openpkg/gzip.c patch -p0 <<'@@ .' Index: openpkg-src/openpkg/gzip.c $ cvs diff -u -r1.1 -r1.2 gzip.c --- openpkg-src/openpkg/gzip.c10 Jun 2005 13:51:55 - 1.1 +++ openpkg-src/openpkg/gzip.c10 Jun 2005 15:25:22 - 1.2 @@ -69,7 +69,7 @@ */ #ifdef RCSID -static char rcsid[] = "$Id: gzip.c,v 1.1 2005/06/10 13:51:55 ms Exp $"; +static char rcsid[] = "$Id: gzip.c,v 1.2 2005/06/10 15:25:22 rse Exp $"; #endif #include @@ -946,6 +946,7 @@ { struct stat ostat; /* stat for ofname */ int flags = O_WRONLY | O_CREAT | O_EXCL | O_BINARY; +char *baseout; if (ascii && decompress) { flags &= ~O_BINARY; /* force ascii text mode */ @@ -958,7 +959,6 @@ } /* Create the output file */ remove_ofname = 1; - char *baseout; baseout = base_name(ofname); strncpy(ofname, baseout, sizeof(ofname)); ofname[sizeof(ofname) - 1] = '\0'; @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
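Review bot: moving the declaration of baseout to the top of the block fixes the C89 build, but the copy that follows in the second hunk's context, `baseout = base_name(ofname); strncpy(ofname, baseout, sizeof(ofname));`, copies from a pointer that, if base_name() returns a pointer into its argument as a basename helper normally does, lies inside the destination buffer; strncpy() on overlapping objects is undefined behaviour. Because this appears to be the hardening that strips directory components from the name taken from the archive (the -N handling covered by OpenPKG-SA-2005.009-gzip), it is worth making robust: use memmove(ofname, baseout, strlen(baseout) + 1) or copy through a temporary buffer.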
[CVS] OpenPKG: openpkg-src/distcache/ distcache.spec openpkg-src/dsh/ ...
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 15:50:56 Branch: HEAD Handle: 2005061014505402 Modified files: openpkg-src/distcache distcache.spec openpkg-src/dsh dsh.spec openpkg-src/ex ex.spec openpkg-src/libdnet libdnet.spec openpkg-src/libwmf libwmf.spec openpkg-src/pkgconfig pkgconfig.spec openpkg-src/proftpd proftpd.spec openpkg-src/sio sio.spec openpkg-src/val val.spec Log: one hack to rule them all and rescue rm2-ix86-debian3.1: remove the nonessential and incomplete test for a C++ preprocessor Summary: RevisionChanges Path 1.14+4 -1 openpkg-src/distcache/distcache.spec 1.38+4 -1 openpkg-src/dsh/dsh.spec 1.24+4 -1 openpkg-src/ex/ex.spec 1.28+4 -2 openpkg-src/libdnet/libdnet.spec 1.26+3 -2 openpkg-src/libwmf/libwmf.spec 1.30+4 -1 openpkg-src/pkgconfig/pkgconfig.spec 1.94+4 -1 openpkg-src/proftpd/proftpd.spec 1.11+4 -1 openpkg-src/sio/sio.spec 1.18+4 -1 openpkg-src/val/val.spec patch -p0 <<'@@ .' Index: openpkg-src/distcache/distcache.spec $ cvs diff -u -r1.13 -r1.14 distcache.spec --- openpkg-src/distcache/distcache.spec 24 Mar 2005 11:18:40 - 1.13 +++ openpkg-src/distcache/distcache.spec 10 Jun 2005 13:50:54 - 1.14 @@ -33,7 +33,7 @@ Group:Cryptography License: LGPL Version: 1.5.1 -Release: 20041020 +Release: 20050610 # list of sources Source0: http://osdn.dl.sourceforge.net/sourceforge/distcache/distcache-%{version}.tar.bz2 @@ -66,6 +66,9 @@ %prep %setup -q %patch -p0 +%{l_shtool} subst \ +-e '/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}' \ +configure ssl/configure %build CC="%{l_cc}" \ @@ . patch -p0 <<'@@ .' Index: openpkg-src/dsh/dsh.spec $ cvs diff -u -r1.37 -r1.38 dsh.spec --- openpkg-src/dsh/dsh.spec 8 Apr 2005 06:19:16 - 1.37 +++ openpkg-src/dsh/dsh.spec 10 Jun 2005 13:50:54 - 1.38 
@@ -37,7 +37,7 @@ Group:Shell License: GPL Version: %{V_dsh} -Release: 20050408 +Release: 20050610 # list of sources Source0: http://www.netfort.gr.jp/~dancer/software/downloads/dsh-%{V_dsh}.tar.gz @@ -73,6 +73,9 @@ %setup -q %setup -q -T -D -a 1 %patch -p0 +%{l_shtool} subst \ +-e '/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}' \ +configure %build # build libdshconfig @@ . patch -p0 <<'@@ .' Index: openpkg-src/ex/ex.spec $ cvs diff -u -r1.23 -r1.24 ex.spec --- openpkg-src/ex/ex.spec24 Mar 2005 11:18:44 - 1.23 +++ openpkg-src/ex/ex.spec10 Jun 2005 13:50:54 - 1.24 @@ -33,7 +33,7 @@ Group:System License: MIT/X11-style Version: 1.0.4 -Release: 20040405 +Release: 20050610 # list of sources Source0: ftp://ftp.ossp.org/pkg/lib/ex/ex-%{version}.tar.gz @@ -68,6 +68,9 @@ %prep %setup -q +%{l_shtool} subst \ +-e '/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}' \ +configure %build CC="%{l_cc}" \ @@ . patch -p0 <<'@@ .' Index: openpkg-src/libdnet/libdnet.spec $ cvs diff -u -r1.27 -r1.28 libdnet.spec --- openpkg-src/libdnet/libdnet.spec 24 Mar 2005 11:19:15 - 1.27 +++ openpkg-src/libdnet/libdnet.spec 10 Jun 2005 13:50:55 - 1.28 @@ -33,7 +33,7 @@ Group: Network License: MIT-style Version: 1.10 -Release: 20050226 +Release: 20050610 # list of sources Source0: http://osdn.dl.sourceforge.net/sourceforge/libdnet/libdnet-%{version}.tar.gz @@ -63,7 +63,9 @@ %prep %setup -q -touch configure +%{l_shtool} subst \ +-e '/ error: C[+]* preprocessor/{N;N;s/.*/:/;}' \ +c
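Review bot: the sed expression `/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}` is fragile in two ways: `C[+]*` matches both "C preprocessor" and "C++ preprocessor", so the hack also neutralizes the plain C preprocessor check that the log does not intend to remove, and the fixed number of N commands assumes the error block in each generated configure is exactly five lines long (the libdnet.spec hunk already needs a different pattern and count), so a configure regenerated with another autoconf version would be edited silently at the wrong place. Anchoring the pattern on "C++ preprocessor" and delimiting the block by its closing line rather than a fixed line count would make the substitution both narrower and version-independent.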
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.010-openpkg.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 15:37:17 Branch: HEAD Handle: 2005061014371700 Added files: openpkg-web/securityOpenPKG-SA-2005.010-openpkg.txt Log: for improved clarity, document the problems from OpenPKG-SA-2005.008-bzip2 and OpenPKG-SA-2005.009-gzip in a new OpenPKG-SA-2005.010-openpkg with scope narrowed to only regard the OpenPKG bootstrap package "openpkg" Summary: RevisionChanges Path 1.1 +101 -0 openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.010-openpkg.txt --- /dev/null 2005-06-10 15:37:03 +0200 +++ OpenPKG-SA-2005.010-openpkg.txt 2005-06-10 15:37:17 +0200 
@@ -0,0 +1,101 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.010 10-June-2005 + + +Package: openpkg +Vulnerability: arbitrary file mode modification, + arbitrary path writing, + denial of service +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= openpkg-20050609-20050609 >= openpkg-20050610-20050610 +OpenPKG 2.3 <= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3 +OpenPKG 2.2 <= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2 + +Dependent Packages: none + +Description: + The vulnerabilities described by this text affect the openpkg + bootstrap package's gzip and bzip2 embedded software. Similar + advisories [0][1] describe the same vulnerabilities, although + in context of the particular vendor software. + + According to a Debian bug report [2], Ulf Harnhammar discovered + an input validation error in the gzip data compressor [3]. Because + gzip(1) fails to properly validate file paths during decompression + with the "-N" argument, a remote attacker using a malicious archive + could corrupt arbitrary files with the privileges of the user that + is running gzip(1). The Common Vulnerabilities and Exposures (CVE) + project assigned the identifier CAN-2005-1228 [4] to this problem. + + According to a BugTraq posting [5], Imran Ghory discovered a time of + check time of use (TOCTOU) file mode vulnerability in the bzip2 data + compressor [6]. Because bzip2(1) does not safely restore the mode of + a file undergoing compression or decompression, a malicious user can + potentially change the mode of any file belonging to the user running + bzip2(1). The Common Vulnerabilities and Exposures (CVE) project + assigned the identifier CAN-2005-0953 [7] to this problem. + + In a unrelated bzip2 problem, a denial of service vulnerability + was found in both the bzip2(1) program and its associated library + libbz2(3). 
Specially crafted bzip2 archives lead to an infinite loop + in the decompressor which results in an indefinitively large output + file. This could be exploited to cause disk space exhaustion. The + Common Vulnerabilities and Exposures (CVE) project assigned the + identifier CAN-2005-1260 [8] to this problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q openpkg". If the openpkg package version is affected (see above), + we recommend that you immediately upgrade it (see Solution) [9][10]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [11][12], fetch it from the OpenPKG FTP service [13][14] or a mirror + location, verify its integrity [15], build a corresponding binary + RPM from it [9] and update your OpenPKG installation by applying the + binary RPM [10]. For the most recent release OpenPKG 2.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.3/UPD + ftp> get openpkg-2.3.2-2.3.2.src.rpm + ftp> bye + $ /bin/openpk
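Review bot: the Affected/Corrected table pairs the release rows with the wrong package versions: `OpenPKG 2.3` is listed with `<= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3` and `OpenPKG 2.2` with `<= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2`, while the Solution section for release 2.3 fetches `openpkg-2.3.2-2.3.2.src.rpm` from `release/2.3/UPD`. Swap the two package columns (or the two release labels) so the table agrees with the Solution; a reader comparing the output of `/bin/openpkg rpm -q openpkg` against this table would otherwise draw the wrong conclusion. Two wording nits in the Description: "In a unrelated bzip2 problem" should read "In an unrelated", and "indefinitively large output file" should be "indefinitely large".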
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 15:31:09 Branch: HEAD Handle: 2005061014310900 Modified files: openpkg-web/securityOpenPKG-SA-2005.009-gzip.txt Log: correct package name and formatting, and refer to OpenPKG-SA-2005.010-openpkg where the bootstrap package is treated for embedded gzip errors Summary: RevisionChanges Path 1.2 +22 -18 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.009-gzip.txt --- openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 12:32:22 - 1.1 +++ openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt 10 Jun 2005 13:31:09 - 1.2 
@@ -24,22 +24,25 @@ According to a Debian bug report [0], Ulf Harnhammar discovered an input validation error in the gzip data compressor [1]. Because gzip(1) fails to properly validate file paths during decompression - with the '-N' argument, a remote attacker using a malicious archive + with the "-N" argument, a remote attacker using a malicious archive could corrupt arbitrary files with the privileges of the user that is running gzip(1). The Common Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1228 [2] to this problem. + Because the openpkg bootstrap package embeds gzip, it may be affected + as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [3]. + Please check whether you are affected by running "/bin/openpkg - rpm -q bzip2". If you have the "bzip2" package installed and its + rpm -q gzip". If you have the "gzip" package installed and its version is affected (see above), we recommend that you immediately - upgrade it (see Solution) and any dependent packages as well [3][4]. + upgrade it (see Solution) and any dependent packages as well [4][5]. Solution: Select the updated source RPM appropriate for your OpenPKG release - [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror - location, verify its integrity [9], build a corresponding binary - RPM from it [3] and update your OpenPKG installation by applying the - binary RPM [4]. For the most recent release OpenPKG 2.3, perform the + [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror + location, verify its integrity [10], build a corresponding binary + RPM from it [4] and update your OpenPKG installation by applying the + binary RPM [5]. For the most recent release OpenPKG 2.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). 
@@ -54,21 +57,22 @@ # /bin/openpkg rpm -Fvh /RPM/PKG/gzip-1.3.5-2.3.1.*.rpm We recommend that you rebuild and reinstall any dependent packages - (see above) as well [3][4]. The openpkg build tool can be instrumental + (see above) as well [4][5]. The openpkg build tool can be instrumental in consistently updating and securing the entire OpenPKG instance. References: - [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 - [1] http://www.gzip.org/ - [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 - [3] http://www.openpkg.org/tutorial.html#regular-source - [4] http://www.openpkg.org/tutorial.html#regular-binary - [5] ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm - [6] ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm - [7] ftp://ftp.openpkg.org/release/2.3/UPD/ - [8] ftp://ftp.openpkg.org/release/2.2/UPD/ - [9] http://www.openpkg.org/security.html#signature + [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 + [1] http://www.gzip.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 + [3] http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html + [4] http://www.openpkg.org/tutorial.html#regular-source + [5] http://www.openpkg.org/tutorial.html#regular-binary + [6] ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm + [7] ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm + [8] ftp://ftp.openpkg.org/release/2.3/UPD/ + [9] ftp://ftp.openpkg.org/release/2.2/UPD/ + [10] http://www.openpkg.org/security.html#signature
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 15:28:42 Branch: HEAD Handle: 2005061014284200 Modified files: openpkg-web/securityOpenPKG-SA-2005.008-bzip2.txt Log: replace text regarding the affected bootstrap package with a reference to OpenPKG-SA-2005.010-openpkg, where it is treated separately Summary: RevisionChanges Path 1.3 +19 -18 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.008-bzip2.txt --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt8 Jun 2005 12:40:47 - 1.2 +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 13:28:42 - 1.3 @@ -3,22 +3,19 @@ OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] -OpenPKG-SA-2005.008 08-June-2005 +OpenPKG-SA-2005.008 10-June-2005 -Package: bzip2, openpkg, analog +Package: bzip2 Vulnerability: arbitrary file mode modification, denial of service OpenPKG Specific:no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= bzip2-1.0.2-20050324 >= bzip2-1.0.3-20050506 - <= openpkg-20050527-20050527 >= openpkg-20050606-20050606 <= analog-6.0-20041220 >= analog-6.0-20050608 OpenPKG 2.3 <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1 - <= openpkg-2.2.2-2.2.2 >= openpkg-2.2.3-2.2.3 <= analog-6.0-2.3.0 >= analog-6.0-2.3.1 OpenPKG 2.2 <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1 - <= openpkg-2.3.1-2.3.1 >= openpkg-2.3.2-2.3.2 Affected Releases: Dependent Packages: OpenPKG CURRENT apache::with_mod_php_bzip2 bsdtar clamav gnupg 
@@ -47,17 +44,20 @@ Vulnerabilities and Exposures (CVE) project assigned the identifier CAN-2005-1260 [3] to this problem. + Because the openpkg bootstrap package embeds bzip2, it may be affected + as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4]. + Please check whether you are affected by running "/bin/openpkg rpm -q bzip2". If you have the "bzip2" package installed and its version is affected (see above), we recommend that you immediately - upgrade it (see Solution) and any dependent packages as well [4][5]. + upgrade it (see Solution) and any dependent packages as well [5][6]. Solution: Select the updated source RPM appropriate for your OpenPKG release - [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror - location, verify its integrity [10], build a corresponding binary - RPM from it [4] and update your OpenPKG installation by applying the - binary RPM [5]. For the most recent release OpenPKG 2.3, perform the + [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror + location, verify its integrity [11], build a corresponding binary + RPM from it [5] and update your OpenPKG installation by applying the + binary RPM [6]. For the most recent release OpenPKG 2.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). @@ -72,7 +72,7 @@ # /bin/openpkg rpm -Fvh /RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm We recommend that you rebuild and reinstall any dependent packages - (see above) as well [4][5]. The openpkg build tool can be instrumental + (see above) as well [5][6]. The openpkg build tool can be instrumental in consistently updating and securing the entire OpenPKG instance. 
@@ -81,13 +81,14 @@ [1] http://sources.redhat.com/bzip2/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260 - [4] http://www.openpkg.org/tutorial.html#regular-source - [5] http://www.openpkg.org/tutorial.html#regular-binary - [6] ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3
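Review bot: the `Package:` header is reduced from `bzip2, openpkg, analog` to `bzip2`, but the Affected Packages table keeps the `analog-6.0-*` rows (they stay as context lines in the first hunk), so the header and the table now disagree about whether analog is covered by this advisory; either keep `analog` in the header or move the analog rows out together with the openpkg ones. The removed openpkg rows also carry the 2.2/2.3 mix-up (`OpenPKG 2.3` paired with `openpkg-2.2.2`, `OpenPKG 2.2` with `openpkg-2.3.1`); check that this pairing was not carried over verbatim into OpenPKG-SA-2005.010-openpkg. The renumbering of references [4]..[10] to [5]..[11] in the later hunks is consistent with the newly inserted [4].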
[CVS] OpenPKG: CVSROOT/ shiela
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: CVSROOT Date: 10-Jun-2005 14:46:38 Branch: HEAD Handle: 2005061013463600 Modified files: CVSROOT shiela Log: add a really shameless hack to OpenPKG.org's OSSP shiela copy for sending commit summaries in real-time to irc.openpkg.org's #foundation channel Summary: RevisionChanges Path 1.21+13 -0 CVSROOT/shiela Change details: http://cvs.openpkg.org/filediff?f=CVSROOT/shiela&v1=1.20&v2=1.21 __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/gaim/ gaim.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 14:44:45 Branch: HEAD Handle: 2005061013444500 Modified files: openpkg-src/gaimgaim.spec Log: upgrading package: gaim 1.3.0 -> 1.3.1 Summary: RevisionChanges Path 1.5 +2 -2 openpkg-src/gaim/gaim.spec patch -p0 <<'@@ .' Index: openpkg-src/gaim/gaim.spec $ cvs diff -u -r1.4 -r1.5 gaim.spec --- openpkg-src/gaim/gaim.spec26 May 2005 19:27:19 - 1.4 +++ openpkg-src/gaim/gaim.spec10 Jun 2005 12:44:45 - 1.5 @@ -32,8 +32,8 @@ Class:EVAL Group:Network License: GPL -Version: 1.3.0 -Release: 20050526 +Version: 1.3.1 +Release: 20050610 # list of sources Source0: http://osdn.dl.sourceforge.net/gaim/gaim-%{version}.tar.bz2 @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-tools/ BRAINSTORM
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-toolsDate: 10-Jun-2005 14:40:34 Branch: HEAD Handle: 2005061013403400 Modified files: openpkg-tools BRAINSTORM Log: 3nd test commit for IRC BARKER Summary: RevisionChanges Path 1.5 +1 -1 openpkg-tools/BRAINSTORM patch -p0 <<'@@ .' Index: openpkg-tools/BRAINSTORM $ cvs diff -u -r1.4 -r1.5 BRAINSTORM --- openpkg-tools/BRAINSTORM 10 Jun 2005 12:40:12 - 1.4 +++ openpkg-tools/BRAINSTORM 10 Jun 2005 12:40:34 - 1.5 @@ -81,7 +81,7 @@ openpkg rpm RPM CLI (part of bootstrap) openpkg summary Check /etc/openpkg ... -openpkg index +openpkg index openpkg build openpkg resolve openpkg query @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-tools/ BRAINSTORM
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-toolsDate: 10-Jun-2005 14:40:13 Branch: HEAD Handle: 2005061013401200 Modified files: openpkg-tools BRAINSTORM Log: 2nd test commit for IRC BARKER Summary: RevisionChanges Path 1.4 +1 -1 openpkg-tools/BRAINSTORM patch -p0 <<'@@ .' Index: openpkg-tools/BRAINSTORM $ cvs diff -u -r1.3 -r1.4 BRAINSTORM --- openpkg-tools/BRAINSTORM 10 Jun 2005 12:37:27 - 1.3 +++ openpkg-tools/BRAINSTORM 10 Jun 2005 12:40:12 - 1.4 @@ -81,7 +81,7 @@ openpkg rpm RPM CLI (part of bootstrap) openpkg summary Check /etc/openpkg ... -openpkg index +openpkg index openpkg build openpkg resolve openpkg query @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-tools/ BRAINSTORM
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-toolsDate: 10-Jun-2005 14:37:27 Branch: HEAD Handle: 2005061013372700 Modified files: openpkg-tools BRAINSTORM Log: test commit for IRC BARKER Summary: RevisionChanges Path 1.3 +1 -1 openpkg-tools/BRAINSTORM patch -p0 <<'@@ .' Index: openpkg-tools/BRAINSTORM $ cvs diff -u -r1.2 -r1.3 BRAINSTORM --- openpkg-tools/BRAINSTORM 24 Nov 2004 15:06:00 - 1.2 +++ openpkg-tools/BRAINSTORM 10 Jun 2005 12:37:27 - 1.3 @@ -81,7 +81,7 @@ openpkg rpm RPM CLI (part of bootstrap) openpkg summary Check /etc/openpkg ... -openpkg index +openpkg index openpkg build openpkg resolve openpkg query @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.009-gzip.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Michael Schloh Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 10-Jun-2005 14:32:22 Branch: HEAD Handle: 2005061013322200 Added files: openpkg-web/security OpenPKG-SA-2005.009-gzip.txt Log: reserve SA number 2005.009 for gzip vulnerability, and edit SA first draft Summary: RevisionChanges Path 1.1 +80 -0 openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2005.009-gzip.txt $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.009-gzip.txt --- /dev/null 2005-06-10 14:32:19 +0200 +++ OpenPKG-SA-2005.009-gzip.txt 2005-06-10 14:32:22 +0200 
@@ -0,0 +1,80 @@ + + +OpenPKG Security AdvisoryThe OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2005.009 10-June-2005 + + +Package: gzip +Vulnerability: arbitrary path writing +OpenPKG Specific:no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= gzip-1.3.5-20040207 >= gzip-1.3.5-20050610 +OpenPKG 2.3 <= gzip-1.3.5-2.3.0 >= gzip-1.3.5-2.3.1 +OpenPKG 2.2 <= gzip-1.3.5-2.2.0 >= gzip-1.3.5-2.2.1 + +Affected Releases: Dependent Packages: +OpenPKG CURRENT XY +OpenPKG 2.3 XY +OpenPKG 2.2 XY + +Description: + According to a Debian bug report [0], Ulf Harnhammar discovered + an input validation error in the gzip data compressor [1]. Because + gzip(1) fails to properly validate file paths during decompression + with the '-N' argument, a remote attacker using a malicious archive + could corrupt arbitrary files with the privileges of the user that + is running gzip(1). The Common Vulnerabilities and Exposures (CVE) + project assigned the identifier CAN-2005-1228 [2] to this problem. + + Please check whether you are affected by running "/bin/openpkg + rpm -q bzip2". If you have the "bzip2" package installed and its + version is affected (see above), we recommend that you immediately + upgrade it (see Solution) and any dependent packages as well [3][4]. + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror + location, verify its integrity [9], build a corresponding binary + RPM from it [3] and update your OpenPKG installation by applying the + binary RPM [4]. For the most recent release OpenPKG 2.3, perform the + following operations to permanently fix the security problem (for + other releases adjust accordingly). 
+ + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/2.3/UPD + ftp> get gzip-1.3.5-2.3.1.src.rpm + ftp> bye + $ /bin/openpkg rpm -v --checksig gzip-1.3.5-2.3.1.src.rpm + $ /bin/openpkg rpm --rebuild gzip-1.3.5-2.3.1.src.rpm + $ su - + # /bin/openpkg rpm -Fvh /RPM/PKG/gzip-1.3.5-2.3.1.*.rpm + + We recommend that you rebuild and reinstall any dependent packages + (see above) as well [3][4]. The openpkg build tool can be instrumental + in consistently updating and securing the entire OpenPKG instance. + + +References: + [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 + [1] http://www.gzip.org/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/2.3/UPD/gzip-1.3.5-2.3.1.src.rpm + [6] ftp://ftp.openpkg.org/release/2.2/UPD/gzip-1.3.5-2.2.1.src.rpm + [7] ftp://ftp.openpkg.org/release/2.3/UPD/ + [8] ftp://ftp.openpkg.org/release/2.2/UPD/ + [9] http://www.openpkg.org/security.html#signature + + +For security reasons, this advisory was digitally signed with the +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the +OpenPKG project which you can retrieve from http://pgp.openpkg
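Review bot: the self-check paragraph was copied from the bzip2 advisory: it tells the reader to run `/bin/openpkg rpm -q bzip2` and to look for the "bzip2" package, but this advisory covers gzip, so both the command and the package name must say `gzip`. The `Affected Releases: Dependent Packages:` table still holds the `XY` placeholder for all three releases; fill it in or drop the table before the advisory is published and signed. Minor: the Description quotes the argument as `'-N'` while OpenPKG-SA-2005.010-openpkg uses `"-N"`; pick one style.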
[CVS] OpenPKG: openpkg-src/sasl/ sasl.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 13:32:39 Branch: HEAD Handle: 2005061012323900 Modified files: openpkg-src/saslsasl.spec Log: link all sasl objects into one dir to make both ar(1) and dependency checking happy Summary: RevisionChanges Path 1.130 +2 -2 openpkg-src/sasl/sasl.spec patch -p0 <<'@@ .' Index: openpkg-src/sasl/sasl.spec $ cvs diff -u -r1.129 -r1.130 sasl.spec --- openpkg-src/sasl/sasl.spec26 May 2005 19:06:56 - 1.129 +++ openpkg-src/sasl/sasl.spec10 Jun 2005 11:32:39 - 1.130 @@ -33,7 +33,7 @@ Group:Cryptography License: BSD Version: 2.1.21 -Release: 20050526 +Release: 20050610 # package options %option with_fslyes @@ -225,7 +225,7 @@ lib/dlopen.c # post adjustment: do not pull static plugins into static library %{l_shtool} subst \ --e '/^SASL_STATIC_OBJS/s;\.\./plugins/[^ ]* *;;g' \ +-e 's;-ln -s $(SASL_STATIC_SRCS) .;-ln ../sasldb/*.o ../plugins/*.o $(SASL_STATIC_SRCS) .;' \ lib/Makefile # post adjustment: build utils against static library %{l_shtool} subst \ @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
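Review bot: the comment directly above the changed subst, `# post adjustment: do not pull static plugins into static library`, now states the opposite of what the new expression does, since the replacement explicitly links `../sasldb/*.o ../plugins/*.o` into the directory the static library is built from; update the comment to match the log message ("link all sasl objects into one dir"). The rewritten command also drops the `-s` from `ln -s $(SASL_STATIC_SRCS) .`, so the objects are hard-linked rather than symlinked; that is fine while `lib/`, `sasldb/` and `plugins/` sit on the same filesystem, as they do in a normal build tree, but it is a silent behaviour change that deserves a word in the comment. Style nit: the unescaped trailing `.` in the search pattern matches any character; `\.` is what is meant.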
[CVS] OpenPKG: openpkg-src/wget/ wget.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 09:43:59 Branch: HEAD Handle: 2005061008435900 Modified files: openpkg-src/wgetwget.spec Log: upgrading package: wget 1.9.1 -> 1.10 Summary: RevisionChanges Path 1.41+2 -2 openpkg-src/wget/wget.spec patch -p0 <<'@@ .' Index: openpkg-src/wget/wget.spec $ cvs diff -u -r1.40 -r1.41 wget.spec --- openpkg-src/wget/wget.spec24 Mar 2005 11:20:40 - 1.40 +++ openpkg-src/wget/wget.spec10 Jun 2005 07:43:59 - 1.41 @@ -32,8 +32,8 @@ Class:BASE Group:Web License: GPL -Version: 1.9.1 -Release: 20040207 +Version: 1.10 +Release: 20050610 # list of sources Source0: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
[CVS] OpenPKG: openpkg-src/libsigcxx/ libsigcxx.spec
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Jun-2005 09:42:43 Branch: HEAD Handle: 2005061008424300 Modified files: openpkg-src/libsigcxx libsigcxx.spec Log: upgrading package: libsigcxx 2.0.12 -> 2.0.13 Summary: RevisionChanges Path 1.6 +2 -2 openpkg-src/libsigcxx/libsigcxx.spec patch -p0 <<'@@ .' Index: openpkg-src/libsigcxx/libsigcxx.spec $ cvs diff -u -r1.5 -r1.6 libsigcxx.spec --- openpkg-src/libsigcxx/libsigcxx.spec 12 May 2005 18:19:32 - 1.5 +++ openpkg-src/libsigcxx/libsigcxx.spec 10 Jun 2005 07:42:43 - 1.6 @@ -25,7 +25,7 @@ # FIXME MSvB: Still needs renaming of versioned libs # package version -%define V_libsigcxx2.0.12 +%define V_libsigcxx2.0.13 %define V_libsigcxx_major 2.0 # package information @@ -39,7 +39,7 @@ Group:Development License: LGPL Version: %{V_libsigcxx} -Release: 20050512 +Release: 20050610 # list of sources Source0: ftp://ftp.gnome.org/pub/GNOME/sources/libsigc++/%{V_libsigcxx_major}/libsigc++-%{version}.tar.bz2 @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org