[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt

2005-06-10 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   10-Jun-2005 22:42:09
  Branch: HEAD Handle: 2005061021420900

  Modified files:
openpkg-web/security    OpenPKG-SA-2005.008-bzip2.txt

  Log:
release OpenPKG Security Advisory 2005.008 (bzip2)

  Summary:
Revision  Changes  Path
1.5 +10 -0  openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  
  $ cvs diff -u -r1.4 -r1.5 OpenPKG-SA-2005.008-bzip2.txt
  --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 
18:26:54 -  1.4
  +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 
20:42:09 -  1.5
  @@ -1,3 +1,6 @@
  +-BEGIN PGP SIGNED MESSAGE-
  +Hash: SHA1
  +
   
   
   OpenPKG Security AdvisoryThe OpenPKG Project
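Review bot: the `Hash: SHA1` armor header on the second + line fixes the hash for the cleartext signature but says nothing about the signer; the verification instructions the file refers to further down must name the expected key ID or fingerprint, otherwise a reader can only confirm that some key signed the text. Once this header is in, any later edit to the file, including a whitespace-only "cosmetics" pass like revision 1.4, invalidates the signature, so signing has to remain the last step of the release workflow.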
  @@ -99,3 +102,10 @@
   for details on how to verify the integrity of this advisory.
   
   
  +-BEGIN PGP SIGNATURE-
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQFCqfsRgHWT4GPEy58RAlK8AJwJrHocGaqSJyF3B0K32CygMRevsQCfRCx6
  +Wk2ihwlYtsP5vSk5sIm9E6g=
  +=RvKk
  +-END PGP SIGNATURE-
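Review bot: the signature block is appended after two blank context lines, so those blank lines are part of the signed text; adding or removing whole lines there (trailing whitespace within a line is canonicalised, whole lines are not) changes the hash and breaks verification. Given that the previous revision was a cosmetic rewrap, a post-commit `gpg --verify` on the checked-out file is the cheap way to confirm the signed copy is the published copy. The `Comment:` header identifies the signer only by an address (scrubbed in this archive); the key fingerprint belongs in the verification instructions the context line above points to.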
  @@ .
__
The OpenPKG Projectwww.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org


[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt

2005-06-10 Thread Ralf S. Engelschall
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   10-Jun-2005 20:26:54
  Branch: HEAD Handle: 2005061019265400

  Modified files:
openpkg-web/security    OpenPKG-SA-2005.008-bzip2.txt

  Log:
cosmetics again

  Summary:
Revision  Changes  Path
1.4 +15 -14 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  
  $ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2005.008-bzip2.txt
  --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 
13:28:42 -  1.3
  +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 
18:26:54 -  1.4
  @@ -3,7 +3,7 @@
   OpenPKG Security AdvisoryThe OpenPKG Project
   http://www.openpkg.org/security.html  http://www.openpkg.org
   [EMAIL PROTECTED] [EMAIL PROTECTED]
  -OpenPKG-SA-2005.008 10-June-2005
  +OpenPKG-SA-2005.008  10-Jun-2005
   
   
   Package: bzip2
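Review bot: the + line switches the advisory date from "10-June-2005" to "10-Jun-2005" and widens the gap to two spaces; this matches the "DD-Mon-YYYY" form of the CVS header in this very commit, which is fine, but revisions 1.1 to 1.3 of this file used the long month name, so check that the advisories already published in this directory agree on one format, or anything that parses the header line will have to accept both.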
  @@ -28,24 +28,24 @@
perl-comp perl-mail php::with_bzip2
   
   Description:
  -  According to a BugTraq posting [0], Imran Ghory discovered a time of
  -  check time of use (TOCTOU) file mode vulnerability in the bzip2 data
  -  compressor [1]. Because bzip2(1) does not safely restore the mode of
  -  a file undergoing compression or decompression, a malicious user can
  -  potentially change the mode of any file belonging to the user running
  -  bzip2(1). The Common Vulnerabilities and Exposures (CVE) project
  -  assigned the identifier CAN-2005-0953 [2] to this problem.
  +  According to a BugTraq posting [0], Imran Ghory discovered a time
  +  of check time of use (TOCTOU) file mode vulnerability in the BZip2
  +  data compressor [1]. Because bzip2(1) does not safely restore the
  +  mode of a file undergoing compression or decompression, a malicious
  +  user can potentially change the mode of any file belonging to the
  +  user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
  +  project assigned the identifier CAN-2005-0953 [2] to this problem.
   
 In a unrelated case, a denial of service vulnerability was found
 in both the bzip2(1) program and its associated library libbz2(3).
  -  Specially crafted bzip2 archives lead to an infinite loop in the
  +  Specially crafted BZip2 archives lead to an infinite loop in the
 decompressor which results in an indefinitively large output file.
 This could be exploited to cause disk space exhaustion. The Common
 Vulnerabilities and Exposures (CVE) project assigned the identifier
 CAN-2005-1260 [3] to this problem.
   
  -  Because the openpkg bootstrap package embeds bzip2, it may be affected
  -  as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
  +  Because the OpenPKG bootstrap package embeds BZip2, it is affected as
  +  well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
   
 Please check whether you are affected by running "/bin/openpkg
 rpm -q bzip2". If you have the "bzip2" package installed and its
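Review bot: the + lines at the end of the hunk turn "it may be affected as well" into "it is affected as well" for the bootstrap package; that is a change of claim, not of wording, and it belongs in the log message or in its own commit rather than in one called "cosmetics again", so the history shows when the impact was confirmed (OpenPKG-SA-2005.010-openpkg, cited as [4], is where that confirmation should be stated). While rewrapping, two defects in the untouched context lines were left in place: "In a unrelated case" should read "In an unrelated case" and "indefinitively large" should read "indefinitely large". Distinguishing the product "BZip2" from the command bzip2(1) is reasonable as long as it is applied consistently; the Package: line correctly keeps the package name "bzip2".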
  @@ -72,13 +72,14 @@
 # /bin/openpkg rpm -Fvh /RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm
   
 We recommend that you rebuild and reinstall any dependent packages
  -  (see above) as well [5][6]. The openpkg build tool can be instrumental
  -  in consistently updating and securing the entire OpenPKG instance.
  +  (see above) as well [5][6]. The "openpkg build" tool can be
  +  instrumental in consistently updating and securing the entire OpenPKG
  +  instance.
   
   
   References:
 [0]  http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
  -  [1]  http://sources.redhat.com/bzip2/
  +  [1]  http://www.bzip.org/
 [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
 [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
 [4]  http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
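Review bot: reference [1] is repointed from sources.redhat.com/bzip2/ to www.bzip.org/ in a commit labelled cosmetic; a changed upstream URL in a security advisory deserves a line in the log message, and since the file is PGP-signed in the following revision, this is the last chance to confirm that the new link resolves to the bzip2 home page and that the corrected versions in the table (1.0.3 for CURRENT, a patched 1.0.2 for 2.3 and 2.2) agree with what that page publishes.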
  @@ .


[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt

2005-06-10 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /v/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   10-Jun-2005 15:28:42
  Branch: HEAD Handle: 2005061014284200

  Modified files:
openpkg-web/security    OpenPKG-SA-2005.008-bzip2.txt

  Log:
replace text regarding the affected bootstrap package with a reference to
OpenPKG-SA-2005.010-openpkg, where it is treated separately

  Summary:
Revision  Changes  Path
1.3 +19 -18 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  
  $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2005.008-bzip2.txt
  --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt8 Jun 2005 
12:40:47 -   1.2
  +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt10 Jun 2005 
13:28:42 -  1.3
  @@ -3,22 +3,19 @@
   OpenPKG Security AdvisoryThe OpenPKG Project
   http://www.openpkg.org/security.html  http://www.openpkg.org
   [EMAIL PROTECTED] [EMAIL PROTECTED]
  -OpenPKG-SA-2005.008 08-June-2005
  +OpenPKG-SA-2005.008 10-June-2005
   
   
  -Package: bzip2, openpkg, analog
  +Package: bzip2
   Vulnerability:   arbitrary file mode modification, denial of service
   OpenPKG Specific:no
   
   Affected Releases:   Affected Packages:   Corrected Packages:
   OpenPKG CURRENT  <= bzip2-1.0.2-20050324  >= bzip2-1.0.3-20050506
  - <= openpkg-20050527-20050527 >= 
openpkg-20050606-20050606
<= analog-6.0-20041220   >= analog-6.0-20050608
   OpenPKG 2.3  <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1
  - <= openpkg-2.2.2-2.2.2   >= openpkg-2.2.3-2.2.3
<= analog-6.0-2.3.0  >= analog-6.0-2.3.1
   OpenPKG 2.2  <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1
  - <= openpkg-2.3.1-2.3.1   >= openpkg-2.3.2-2.3.2
   
   Affected Releases:   Dependent Packages:
   OpenPKG CURRENT  apache::with_mod_php_bzip2 bsdtar clamav gnupg
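Review bot: the removed lines drop both the openpkg and the analog rows from the affected/corrected table and from the Package: line, but the log message only accounts for openpkg (moved to OpenPKG-SA-2005.010-openpkg); analog, added in revision 1.2 because it embeds libbz2, disappears without a stated destination, so either reinstate it here or name in the log which advisory now covers it. Note also that the removed openpkg rows pair "OpenPKG 2.3" with openpkg-2.2.2-2.2.2 / 2.2.3-2.2.3 and "OpenPKG 2.2" with openpkg-2.3.1-2.3.1 / 2.3.2-2.3.2, which looks swapped; make sure SA-2005.010 carries the pairing the right way round.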
  @@ -47,17 +44,20 @@
 Vulnerabilities and Exposures (CVE) project assigned the identifier
 CAN-2005-1260 [3] to this problem.
   
  +  Because the openpkg bootstrap package embeds bzip2, it may be affected
  +  as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
  +
 Please check whether you are affected by running "/bin/openpkg
 rpm -q bzip2". If you have the "bzip2" package installed and its
 version is affected (see above), we recommend that you immediately
  -  upgrade it (see Solution) and any dependent packages as well [4][5].
  +  upgrade it (see Solution) and any dependent packages as well [5][6].
   
   Solution:
 Select the updated source RPM appropriate for your OpenPKG release
  -  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  -  location, verify its integrity [10], build a corresponding binary
  -  RPM from it [4] and update your OpenPKG installation by applying the
  -  binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
  +  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  +  location, verify its integrity [11], build a corresponding binary
  +  RPM from it [5] and update your OpenPKG installation by applying the
  +  binary RPM [6]. For the most recent release OpenPKG 2.3, perform the
 following operations to permanently fix the security problem (for
 other releases adjust accordingly).
   
  @@ -72,7 +72,7 @@
 # /bin/openpkg rpm -Fvh /RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm
   
 We recommend that you rebuild and reinstall any dependent packages
  -  (see above) as well [4][5]. The openpkg build tool can be instrumental
  +  (see above) as well [5][6]. The openpkg build tool can be instrumental
 in consistently updating and securing the entire OpenPKG instance.
   
   
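Review bot: this is the third place in this revision where [4][5] becomes [5][6]; manual renumbering is easy to get wrong, so before committing, grep the file for bracketed citations and compare the set against the numbered References entries to confirm that no occurrence was missed and that no index exceeds the list.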
  @@ -81,13 +81,14 @@
 [1]  http://sources.redhat.com/bzip2/
 [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
 [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
  -  [4]  http://www.openpkg.org/tutorial.html#regular-source
  -  [5]  http://www.openpkg.org/tutorial.html#regular-binary
  -  [6]  ftp://ftp.openpkg.org/release/2.3/UPD/bzip2-1.0.2-2.3
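Review bot: the hunk header announces 13 old and 14 new lines, but the archive shows only the three context entries and the removed [4], [5] and [6] lines, with the last of them cut mid-URL; the added entries, including the new [4] that should point at OpenPKG-SA-2005.010-openpkg, are missing from this view, so the renumbered References block cannot be checked here against the citations changed in the earlier hunks of this commit.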

[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt

2005-06-08 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /v/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   08-Jun-2005 14:40:47
  Branch: HEAD Handle: 2005060813404700

  Modified files:
openpkg-web/security    OpenPKG-SA-2005.008-bzip2.txt

  Log:
add analog-6.0 packages to affected OpenPKG package list (containing
embedded libbz2) and improve formatting

  Summary:
Revision  Changes  Path
1.2 +10 -8  openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.008-bzip2.txt
  --- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt6 Jun 2005 
19:13:53 -   1.1
  +++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt8 Jun 2005 
12:40:47 -   1.2
  @@ -3,26 +3,28 @@
   OpenPKG Security AdvisoryThe OpenPKG Project
   http://www.openpkg.org/security.html  http://www.openpkg.org
   [EMAIL PROTECTED] [EMAIL PROTECTED]
  -OpenPKG-SA-2005.008 06-June-2005
  +OpenPKG-SA-2005.008 08-June-2005
   
   
  -Package: bzip2
  +Package: bzip2, openpkg, analog
   Vulnerability:   arbitrary file mode modification, denial of service
   OpenPKG Specific:no
   
   Affected Releases:   Affected Packages:   Corrected Packages:
   OpenPKG CURRENT  <= bzip2-1.0.2-20050324  >= bzip2-1.0.3-20050506
<= openpkg-20050527-20050527 >= 
openpkg-20050606-20050606
  + <= analog-6.0-20041220   >= analog-6.0-20050608
   OpenPKG 2.3  <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1
<= openpkg-2.2.2-2.2.2   >= openpkg-2.2.3-2.2.3
  + <= analog-6.0-2.3.0  >= analog-6.0-2.3.1
   OpenPKG 2.2  <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1
<= openpkg-2.3.1-2.3.1   >= openpkg-2.3.2-2.3.2
   
   Affected Releases:   Dependent Packages:
   OpenPKG CURRENT  apache::with_mod_php_bzip2 bsdtar clamav gnupg
  - imagemagick libarchive perl-comp perl-mail
  - pgpdump php::with_bzip2 php5::with_bzip2
  - python::with_bzip2 r rzip
  + imagemagick libarchive perl-comp perl-mail pgpdump
  + php::with_bzip2 php5::with_bzip2 python::with_bzip2
  + r rzip
   OpenPKG 2.3  apache::with_mod_php_bzip2 clamav gnupg imagemagick
perl-comp perl-mail php::with_bzip2 php5::with_bzip2
   OpenPKG 2.2  apache::with_mod_php_bzip2 clamav imagemagick
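Review bot: the + lines add analog-6.0 rows to the affected/corrected table and "analog" to the Package: line, but the Description section is not touched in this revision, so the advisory never says why analog is affected; the log message gives the reason (analog ships an embedded copy of libbz2), and that sentence belongs in the Description, as the next revision does for the openpkg bootstrap package. The dependent-package rewrap in the second half of the hunk is whitespace only.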
  @@ -46,9 +48,9 @@
 CAN-2005-1260 [3] to this problem.
   
 Please check whether you are affected by running "/bin/openpkg
  -  rpm -q bzip2". If you have the "bzip2" package installed and its version
  -  is affected (see above), we recommend that you immediately upgrade it
  -  (see Solution) and any dependent packages as well [4][5].
  +  rpm -q bzip2". If you have the "bzip2" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution) and any dependent packages as well [4][5].
   
   Solution:
 Select the updated source RPM appropriate for your OpenPKG release
  @@ .


[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2005.008-bzip2.txt

2005-06-06 Thread Michael Schloh
  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  

  Server: cvs.openpkg.org  Name:   Michael Schloh
  Root:   /v/openpkg/cvs   Email:  [EMAIL PROTECTED]
  Module: openpkg-web  Date:   06-Jun-2005 21:13:53
  Branch: HEAD Handle: 2005060620135300

  Added files:
openpkg-web/security    OpenPKG-SA-2005.008-bzip2.txt

  Log:
preliminary commit OpenPKG-SA-2005.008-bzip2 CAN-2005-0953 CAN-2005-1260,
place hold on SA due to complex nature of patch code in several dependent
packages as well as those with affected embedded bzip2 code

  Summary:
Revision  Changes  Path
1.1 +97 -0  openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
  
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2005.008-bzip2.txt
  --- /dev/null 2005-06-06 21:13:53 +0200
  +++ OpenPKG-SA-2005.008-bzip2.txt 2005-06-06 21:13:53 +0200
  @@ -0,0 +1,97 @@
  +
  +
  +OpenPKG Security AdvisoryThe OpenPKG Project
  +http://www.openpkg.org/security.html  http://www.openpkg.org
  [EMAIL PROTECTED] [EMAIL PROTECTED]
  +OpenPKG-SA-2005.008 06-June-2005
  +
  +
  +Package: bzip2
  +Vulnerability:   arbitrary file mode modification, denial of service
  +OpenPKG Specific:no
  +
  +Affected Releases:   Affected Packages:   Corrected Packages:
  +OpenPKG CURRENT  <= bzip2-1.0.2-20050324  >= bzip2-1.0.3-20050506
  + <= openpkg-20050527-20050527 >= 
openpkg-20050606-20050606
  +OpenPKG 2.3  <= bzip2-1.0.2-2.3.0 >= bzip2-1.0.2-2.3.1
  + <= openpkg-2.2.2-2.2.2   >= openpkg-2.2.3-2.2.3
  +OpenPKG 2.2  <= bzip2-1.0.2-2.2.0 >= bzip2-1.0.2-2.2.1
  + <= openpkg-2.3.1-2.3.1   >= openpkg-2.3.2-2.3.2
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT  apache::with_mod_php_bzip2 bsdtar clamav gnupg
  + imagemagick libarchive perl-comp perl-mail
  + pgpdump php::with_bzip2 php5::with_bzip2
  + python::with_bzip2 r rzip
  +OpenPKG 2.3  apache::with_mod_php_bzip2 clamav gnupg imagemagick
  + perl-comp perl-mail php::with_bzip2 php5::with_bzip2
  +OpenPKG 2.2  apache::with_mod_php_bzip2 clamav imagemagick
  + perl-comp perl-mail php::with_bzip2
  +
  +Description:
  +  According to a BugTraq posting [0], Imran Ghory discovered a time of
  +  check time of use (TOCTOU) file mode vulnerability in the bzip2 data
  +  compressor [1]. Because bzip2(1) does not safely restore the mode of
  +  a file undergoing compression or decompression, a malicious user can
  +  potentially change the mode of any file belonging to the user running
  +  bzip2(1). The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the identifier CAN-2005-0953 [2] to this problem.
  +
  +  In a unrelated case, a denial of service vulnerability was found
  +  in both the bzip2(1) program and its associated library libbz2(3).
  +  Specially crafted bzip2 archives lead to an infinite loop in the
  +  decompressor which results in an indefinitively large output file.
  +  This could be exploited to cause disk space exhaustion. The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the identifier
  +  CAN-2005-1260 [3] to this problem.
  +
  +  Please check whether you are affected by running "/bin/openpkg
  +  rpm -q bzip2". If you have the "bzip2" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution) and any dependent packages as well [4][5].
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary
  +  RPM from it [4] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the most recent release OpenPKG 2.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.3/UPD
  +  ftp> get bzip2-1.0.2-2.3.1.src.rpm
  +  ftp> bye
  +  $ /bin/openpkg rpm -v --checksig bzip2-1.0.2-2.3.1.src.rpm
  +  $ /bin/openpkg rpm --rebuild bzip2-1.0.2-2.3.1.src.rpm
  +  $ su -
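Review bot: in the Affected Releases table the "OpenPKG 2.3" row lists openpkg-2.2.2-2.2.2 / openpkg-2.2.3-2.2.3 and the "OpenPKG 2.2" row lists openpkg-2.3.1-2.3.1 / openpkg-2.3.2-2.3.2; the release suffixes suggest the two openpkg lines are swapped and should be checked against the real package versions before the advisory leaves its hold. Two wording defects in the Description should be fixed at the same time: "In a unrelated case" and "indefinitively large". The Solution sequence is in the right order for a defender: the src.rpm fetched over plain FTP is verified with "rpm -v --checksig" before anything is rebuilt, the rebuild runs as an unprivileged user, and "su -" is taken only afterwards for installation; the text should add that a failed checksig means stop, since FTP provides no integrity of its own.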