From bressers at redhat.com Tue May 2 14:35:58 2006 
From: bressers at redhat.com (Josh Bressers)
Date: Tue, 02 May 2006 10:35:58 -0400
Subject: Fedora Security Response Team
In-Reply-To: Your message of "Fri, 28 Apr 2006 16:15:19 EDT." <200604282015.k3SKFJkB029524@devserv.devel.redhat.com>
Message-ID: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>

>
> I need to fix up some CVS space for things like tools and tracking text
> files. This repository is here:
> http://cvs.fedora.redhat.com/viewcvs/fedora-security/?root=fedora

I now have the ability to control who has commit access to this space, so we're in good shape here now. If you want to check this repository out anonymously you can do so as such:

    cvs -d :pserver:anonymous@cvs.fedora.redhat.com:/cvs/fedora \
        co fedora-security

The current plan is to create files called fe4 and fe5 to sit next to the fc4 and fc5 files in this location. The format of fc[45] is currently working, so I believe it's the correct way to go initially.

Those of you interested in being a part of the security response team will need to send me your fedora account system username. I can then add access and provide further instructions.

>
> We will need a package manifest. Basically a file that tells us which
> packages and versions we're currently shipping in extras. A tool to
> generate this will also be needed since we'll want to update this file on a
> regular basis. Given how fast Extras changes I think this will be the
> easiest way to check if we currently ship package .

There have been a few scripts that have been brought to my attention for this; unless someone else gets to it first, I'm going to create a "tools" directory in CVS and add such a script.

>
> Process needs to be documented on the fedoraproject wiki. Since we don't
> currently have a process, this is the only thing done :)
> The most important part of this will be making it easy to specify what we
> expect of ourselves. I hope to have some time this weekend to clean up the
> security wiki pages a bit.
Sadly I didn't get to this over the weekend. I'll do what I can this week.

At this point, there should be three primary focal points for the security response team.

1) Tracking new issues
2) Tracking old issues
3) Documentation

#1 and #3 are entertaining tasks. #2 is going to be painful and horrible. I'm not sure how far back we should go in CVE space. I guess as far back as we can with people willing to do the work. These tasks do require a manifest, which we don't technically have yet, but should soon.

Does this all sound sane to everyone else?

Thanks.

--
JB

From jkeating at redhat.com Tue May 2 14:40:17 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Tue, 02 May 2006 10:40:17 -0400
Subject: Fedora Security Response Team
In-Reply-To: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
References: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
Message-ID: <1146580817.10316.13.camel@dhcp83-49.boston.redhat.com>

On Tue, 2006-05-02 at 10:35 -0400, Josh Bressers wrote:
> Those of you interested in being a part of the security response team will
> need to send me your fedora account system username. I can then add access
> and provide further instructions.

'jkeating' is my username. Or it could be 'jkeating at redhat.com', not sure.

Your plan does seem sane.

--
Jesse Keating
Release Engineer: Fedora

From dennis at ausil.us Tue May 2 14:48:16 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Tue, 2 May 2006 09:48:16 -0500
Subject: Fedora Security Response Team
In-Reply-To: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
References: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
Message-ID: <200605020948.17111.dennis@ausil.us>

On Tuesday 02 May 2006 09:35, Josh Bressers wrote:
> Those of you interested in being a part of the security response team will
> need to send me your fedora account system username. I can then add access
> and provide further instructions.

ausil is my username

> At this point, there should be three primary focal points for the security
> response team.
>
> 1) Tracking new issues
> 2) Tracking old issues
> 3) Documentation
>
> #1 and #3 are entertaining tasks. #2 is going to be painful and horrible.
> I'm not sure how far back we should go in CVE space. I guess as far back
> as we can with people willing to do the work. These tasks do require a
> manifest, which we don't technically have yet, but should soon.
>
>
> Does this all sound sane to everyone else?
>
> Thanks.

Sounds sane to me

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From bressers at redhat.com Tue May 2 20:35:34 2006
From: bressers at redhat.com (Josh Bressers)
Date: Tue, 02 May 2006 16:35:34 -0400
Subject: Fedora Security Response Team
In-Reply-To: Your message of "Tue, 02 May 2006 10:35:58 EDT." <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
Message-ID: <200605022035.k42KZY0k022249@devserv.devel.redhat.com>

> >
> > We will need a package manifest. Basically a file that tells us which
> > packages and versions we're currently shipping in extras. A tool to
> > generate this will also be needed since we'll want to update this file on a
> > regular basis. Given how fast Extras changes I think this will be the
> > easiest way to check if we currently ship package .
>
> There have been a few scripts that have been brought to my attention for
> this, unless someone else gets to it first, I'm going to create a "tools"
> directory in CVS and add such a script.

I just added a script which was written by Jason L Tibbitts III (it was a big help, thanks Jason). You can see it here if you wish:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/tools/?root=fedora

Jason's original script relied on a local archive of things; this one grabs what it needs remotely. It's not the fastest thing ever, but it should be good enough for now.

    % ./package-release nmh
    Found package nmh in owners.list:
      Distro: Fedora Extras
      Desc:   A mail handling system with a command line interface
      Owner:  bressers at redhat.com
      CC:
    Releases and versions:
    3    1.1  13.fc3  /pub/fedora/linux/extras/3/SRPMS/nmh-1.1-13.fc3.src.rpm
    3    1.1  14.fc3  /pub/fedora/linux/extras/3/SRPMS/nmh-1.1-14.fc3.src.rpm
    4    1.1  13.fc4  /pub/fedora/linux/extras/4/SRPMS/nmh-1.1-13.fc4.src.rpm
    4    1.1  14.fc4  /pub/fedora/linux/extras/4/SRPMS/nmh-1.1-14.fc4.src.rpm
    5    1.1  18.fc5  /pub/fedora/linux/extras/5/SRPMS/nmh-1.1-18.fc5.src.rpm
    dev  1.1  18.fc5  /pub/fedora/linux/extras/development/SRPMS/nmh-1.1-18.fc5.src.rpm

--
JB

From bressers at redhat.com Tue May 2 21:40:25 2006
From: bressers at redhat.com (Josh Bressers)
Date: Tue, 02 May 2006 17:40:25 -0400
Subject: You are the Fedora Security Response Team
Message-ID: <200605022140.k42LePkK012103@devserv.devel.redhat.com>

Hello gang, right now the people in the "To" line are the Fedora Security Response Team (and me of course). I admit I don't know all of you terribly well, but that shall change in the near future. This initial startup work requires a leap of faith of sorts. If you fall silent for too long expect to get the boot.

Here are the names to go with the email addresses.

Chris Ricker
Dennis Gilmore
Jason L Tibbitts
Jesse Keating

You have commit access to the fedora-security CVS repository. DON'T SCREW IT UP! You can check it out here:

    cvs -d :ext:cvs.fedora.redhat.com:/cvs/fedora co fedora-security

This repository currently consists of two directories, tools and audit. The tools directory is pretty self explanatory; I'll go into detail on the audit directory.

The files named fe4 and fe5 are ours. The files named fc4 and fc5 are not. You do not have write access to them; we may someday. We are using a shared directory like this since it's expected this group will be able to help with issues in Core when it's opened up to the world.

Look at the fc4 and fc5 files. That's the format we should have the fe4 and fe5 files in.

If you have any questions, please let me know. I know this information isn't terribly clear. It shall be documented, but for now this is the easiest way to bootstrap this team.

We should try to keep all conversations public on the fedora-security-list. We don't currently have a private list; we lack the ability to deal with embargo issues at this time, so I don't see a need for it. If anyone feels we need one, that discussion can be had.

Sink or swim I guess :)

--
JB

From jstanton at vashonsd.org Wed May 3 17:21:22 2006
From: jstanton at vashonsd.org (John Stanton)
Date: Wed, 3 May 2006 10:21:22 -0700
Subject: Am I on the right list
Message-ID: <9E730E3116F3454F99334FA268A42254806C38@stu.vanguard.vashonsd.org>

Hello all,

This may sound silly, but I am trying to figure out if I am on the correct list. I want to keep up with any security notices and patch releases for Fedora (FC4 in particular). Have I subscribed to the right list? Lately, there seems to be a lot of talk about \extras. This isn't a flame, I'm just seeking confirmation that this is the place to be to track security issues for FC.

Thanks!

John

From bressers at redhat.com Wed May 3 17:48:49 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 03 May 2006 13:48:49 -0400
Subject: Am I on the right list
In-Reply-To: Your message of "Wed, 03 May 2006 10:21:22 PDT." <9E730E3116F3454F99334FA268A42254806C38@stu.vanguard.vashonsd.org>
Message-ID: <200605031748.k43Hmnee017552@devserv.devel.redhat.com>

>
> This may sound silly, but I am trying to figure out if I am on the
> correct list. I want to keep up with any security notices and patch
> releases for Fedora (FC4 in particular). Have I subscribed to the right
> list? Lately, there seems to be a lot of talk about \extras. This isn't
> a flame, I'm just seeking confirmation that this is the place to be to
> track security issues for FC.

John,

The list you want is the fedora-package-announce list which you can subscribe to here:

http://www.redhat.com/mailman/listinfo/fedora-package-announce

This list is for the discussion of security issues.

Thanks.

--
JB

From jkeating at redhat.com Wed May 3 20:45:50 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Wed, 03 May 2006 16:45:50 -0400
Subject: [Fwd: Re: [vendor-sec] nagios]
Message-ID: <1146689150.1323.12.camel@yoda.loki.me>

This is public.

-------- Forwarded Message --------
From: Steven M. Christey
To: Josh Bressers
Cc: vendor-sec at lst.de, coley at mitre.org
Subject: Re: [vendor-sec] nagios
Date: Wed, 3 May 2006 16:28:36 -0400 (EDT)

======================================================
Name: CVE-2006-2162
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162
Reference: CONFIRM:https://sourceforge.net/mailarchive/forum.php?thread_id=10297806&forum_id=7890
Reference: CONFIRM:http://www.nagios.org/development/changelog.php

Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.

_______________________________________________
Vendor Security mailing list
Vendor Security at lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

--
Jesse Keating
Release Engineer: Fedora

From jkeating at redhat.com Thu May 4 19:06:32 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 04 May 2006 15:06:32 -0400
Subject: Approved by the board
Message-ID: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>

We're now approved by the FESCO board. So a few things we need to do: set up wiki space for the security response group/team/whatever, include in there policy about what we're doing. Then link to this policy from the Extras main page where appropriate.

Step 3, profit!

--
Jesse Keating
Release Engineer: Fedora

From tibbs at math.uh.edu Thu May 4 20:17:58 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Thu, 04 May 2006 15:17:58 -0500
Subject: Approved by the board
In-Reply-To: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com> (Jesse Keating's message of "Thu, 04 May 2006 15:06:32 -0400")
References: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>
Message-ID:

>>>>> "JK" == Jesse Keating writes:

JK> We're now approved by the FESCO board.

I had a couple of minutes during the meeting to start on http://fedoraproject.org/wiki/Extras/Security but I didn't get very far at all before I had to leave. If someone has something else in mind, feel free to just erase those pages.

 - J<

From jimpop at yahoo.com Thu May 4 20:27:49 2006
From: jimpop at yahoo.com (Jim Popovitch)
Date: Thu, 04 May 2006 16:27:49 -0400
Subject: Approved by the board
In-Reply-To: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>
References: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>
Message-ID: <445A63C5.4000806@yahoo.com>

Jesse Keating wrote:
> We're now approved by the FESCO board.

Cool, I like the Far East Shipping Company. I'm glad that they approve of us. :-)

> So a few things we need to do, setup wiki space for the security
> response group/team/whatever, include in there policy about what we're
> doing. Then link to this policy from the Extras main page where
> appropriate.

I need to be certain about something. Does fedora-security provide coverage for Fedora Legacy (i.e. RH7.3, etc)? I want to, and can, contribute time/code/testing/etc, but I need to make sure that I have all my personal bases covered first. I hope that doesn't sound too selfish. I just have a need to keep a few RH73 secure and stable for a bit longer.

> Step 3, profit!

Is this a serious need? Donations?

Thanks!

-Jim P.

From nman64 at n-man.com Thu May 4 20:34:28 2006
From: nman64 at n-man.com (Patrick W. Barnes)
Date: Thu, 4 May 2006 15:34:28 -0500
Subject: Approved by the board
In-Reply-To:
References: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>
Message-ID: <200605041534.31427.nman64@n-man.com>

On Thursday 04 May 2006 15:17, Jason L Tibbitts III wrote:
> >>>>> "JK" == Jesse Keating writes:
>
> JK> We're now approved by the FESCO board.
>
> I had a couple of minutes during the meeting to start on
> http://fedoraproject.org/wiki/Extras/Security but I didn't get very
> far at all before I had to leave. If someone has something else in
> mind, feel free to just erase those pages.
>

I would encourage building under http://fedoraproject.org/wiki/Security instead. This isn't dedicated exclusively to Extras, and may eventually encompass other areas of the Fedora Project. Besides, links already exist to that location, so you've got a bit of a head start in publicizing it.

--
Patrick "The N-Man" Barnes
nman64 at n-man.com
http://www.n-man.com/

LinkedIn:
http://www.linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/
--

From jkeating at redhat.com Thu May 4 20:39:00 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 04 May 2006 16:39:00 -0400
Subject: Approved by the board
In-Reply-To: <445A63C5.4000806@yahoo.com>
References: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com> <445A63C5.4000806@yahoo.com>
Message-ID: <1146775140.29889.32.camel@dhcp83-49.boston.redhat.com>

On Thu, 2006-05-04 at 16:27 -0400, Jim Popovitch wrote:
>
> I need to be certain about something. Does fedora-security provide
> coverage for Fedora Legacy (i.e. RH7.3, etc)? I want to, and can,
> contribute time/code/testing/etc, but I need to make sure that I have
> all my personal bases covered first. I hope that doesn't sound too
> selfish. I just have a need to keep a few RH73 secure and stable for
> a
> bit longer.

So there isn't any reason why The Fedora Security Response Team or whatever couldn't work with Legacy. We'll need to talk more about integrating the two projects though.

> > Step 3, profit!
>
> Is this a serious need? Donations?

No, it's a joke.

--
Jesse Keating
Release Engineer: Fedora

From smooge at gmail.com Thu May 4 20:46:17 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 4 May 2006 14:46:17 -0600
Subject: Approved by the board
In-Reply-To: <1146775140.29889.32.camel@dhcp83-49.boston.redhat.com>
References: <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com> <445A63C5.4000806@yahoo.com> <1146775140.29889.32.camel@dhcp83-49.boston.redhat.com>
Message-ID: <80d7e4090605041346m120b08d9j71f9b3cc131749ff@mail.gmail.com>

On 5/4/06, Jesse Keating wrote:
> On Thu, 2006-05-04 at 16:27 -0400, Jim Popovitch wrote:
> >
> > I need to be certain about something. Does fedora-security provide
> > coverage for Fedora Legacy (i.e. RH7.3, etc)? I want to, and can,
> > contribute time/code/testing/etc, but I need to make sure that I have
> > all my personal bases covered first. I hope that doesn't sound too
> > selfish. I just have a need to keep a few RH73 secure and stable for
> > a
> > bit longer.
>
> So there isn't any reason why The Fedora Security Response Team or
> whatever couldn't work with Legacy. We'll need to talk more about
> integrating the two projects though.
>
> > > Step 3, profit!
> >
> > Is this a serious need? Donations?
>
> No, it's a joke.
>
> --

Hey it is for me. I would love to be able to do this from home via donations.. I would even do crappy stick figure comics as a value added feature.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

From tibbs at math.uh.edu Fri May 5 15:05:36 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 05 May 2006 10:05:36 -0500
Subject: Hints for working with CVEs?
Message-ID:

Does anyone have any notes for dealing with the CVE lists? I know the main access page is http://www.cve.mitre.org/cve/, but all you can do is download the whole list or do a text search. (And the whole list in plain text is 15MB.) I see that someone at Purdue offers change lists, but the format is not terribly useful (just the numbers of the changed entries).

Are there any tools that can extract useful summaries of this data that we could use? Even number and summary would be helpful.

For example, I know there's a recent clamav vulnerability that affects Extras. Now, I can search to find out that it's CVE-2006-1989. I know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.

But, how would I have seen the CVE without knowing it existed? Click on every link in the daily changelogs and manually read the description? There has to be a more efficient way.

BTW, what would be the format of the line to add to the fe4 and fe5 files for this?

    CVE-2006-1989 version (clamav, fixed 0.88.2)

(no bug number, no announcement obviously)

 - J<

From dennis at ausil.us Fri May 5 15:28:09 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 5 May 2006 10:28:09 -0500
Subject: Hints for working with CVEs?
In-Reply-To:
References:
Message-ID: <200605051028.09697.dennis@ausil.us>

On Friday 05 May 2006 10:05, Jason L Tibbitts III wrote:
> For example, I know there's a recent clamav vulnerability that affects
> Extras. Now, I can search to find out that it's CVE-2006-1989. I
> know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
>
> But, how would I have seen the CVE without knowing it existed? Click
> on every link in the daily changelogs and manually read the
> description? There has to be a more efficient way.
>
> BTW, what would be the format of the line to add to the fe4 and fe5
> files for this?
>
> CVE-2006-1989 version (clamav, fixed 0.88.2)
>
> (no bug number, no announcement obviously)
>
> - J<
>

When I saw this on bugtraq I first searched bugzilla, which had no bug filed. I then checked the repo to see if packages were updated, which they were not at that time. I then checked the fedora-extras-commits to see if there was something there, and the updates had been committed.

My question is: should I have filed a bug anyway so that we have a public record that the issue had been fixed?

--
Regards
Dennis Gilmore, RHCE
Proud Australian

From tibbs at math.uh.edu Fri May 5 15:35:26 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 05 May 2006 10:35:26 -0500
Subject: Hints for working with CVEs?
In-Reply-To: <200605051028.09697.dennis@ausil.us> (Dennis Gilmore's message of "Fri, 5 May 2006 10:28:09 -0500")
References: <200605051028.09697.dennis@ausil.us>
Message-ID:

>>>>> "DG" == Dennis Gilmore writes:

DG> My question is should I have filed a bug anyway so that we have a
DG> public record that the issue had been fixed?

I think that there's no point in filing bugs about things which have already been fixed, especially now when we're just getting started. However, if the fixed package is not at your local mirror then you should definitely open a ticket.

The fact that changes had been committed doesn't mean that a build was requested, or that it has succeeded. The packager may be unable to request builds for whatever reason (which has happened before with clamav; I ended up doing it). The package could even be built and sitting in the queue awaiting someone with the signing key to do their thing. (In the latter case, we should ping the list of package signers, the name of which I have now forgotten but which needs to get into the wiki ASAP.)

 - J<

From bressers at redhat.com Fri May 5 17:42:53 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 05 May 2006 13:42:53 -0400
Subject: Hints for working with CVEs?
In-Reply-To: Your message of "Fri, 05 May 2006 10:05:36 CDT."
Message-ID: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com>

> Does anyone have any notes for dealing with the CVE lists? I know the
> main access page is http://www.cve.mitre.org/cve/, but all you can do
> is download the whole list or do a text search. (And the whole list
> in plain text is 15MB.) I see that someone at Purdue offers change
> lists, but the format is not terribly useful (just the numbers of the
> changed entries).
>
> Are there any tools that can extract useful summaries of this data
> that we could use? Even number and summary would be helpful.
>
> For example, I know there's a recent clamav vulnerability that affects
> Extras. Now, I can search to find out that it's CVE-2006-1989. I
> know Enrico pushed 0.88.2 on May 2 so we're not vulnerable.
>
> But, how would I have seen the CVE without knowing it existed? Click
> on every link in the daily changelogs and manually read the
> description? There has to be a more efficient way.

Nothing officially exists to do this. I've been meaning to write one for quite some time. NIST has something similar to what you're looking for here:

http://nvd.nist.gov/

>
> BTW, what would be the format of the line to add to the fe4 and fe5
> files for this?
>
> CVE-2006-1989 version (clamav, fixed 0.88.2)

This is correct, yes.

--
JB

From bressers at redhat.com Fri May 5 17:45:22 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 05 May 2006 13:45:22 -0400
Subject: Hints for working with CVEs?
In-Reply-To: Your message of "Fri, 05 May 2006 10:35:26 CDT."
Message-ID: <200605051745.k45HjM2U002447@devserv.devel.redhat.com>

> >>>>> "DG" == Dennis Gilmore writes:
>
> DG> My question is should I have filed a bug anyway so that we have a
> DG> public record that the issue had been fixed?
>
> I think that there's no point in filing bugs about things which have
> already been fixed, especially now when we're just getting started.
> However, if the fixed package is not at your local mirror then you
> should definitely open a ticket.
>
> The fact that changes had been committed doesn't mean that a build was
> requested, or that it has succeeded.

This is a time the package-release tool can come in handy. It will tell you which versions of a package are available (not what's in CVS). I modified the tool last night to support fuzzy matching, so if I run 'package-release perl' I get a list of all packages with 'perl' in their name.

--
JB

From tibbs at math.uh.edu Fri May 5 17:51:17 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 05 May 2006 12:51:17 -0500
Subject: Hints for working with CVEs?
In-Reply-To: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com> (Josh Bressers's message of "Fri, 05 May 2006 13:42:53 -0400")
References: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com>
Message-ID:

>>>>> "JB" == Josh Bressers writes:

JB> Nothing officially exists to do this. I've been meaning to write
JB> one for quite some time. NIST has something similar to what
JB> you're looking for here: http://nvd.nist.gov/

The small http://nvd.nist.gov/download/nvdcve-recent.xml file looks reasonable; it's small, goes back a week or so, and should be easy to parse. Unfortunately I've not done XML parsing before so it would take me a bit of time to figure something out.

JB> This is correct, yes.

Thanks; I checked it in. Is there any particular format used for the cvs commit log?

 - J<

From tibbs at math.uh.edu Fri May 5 18:00:31 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 05 May 2006 13:00:31 -0500
Subject: Hints for working with CVEs?
In-Reply-To: <200605051745.k45HjM2U002447@devserv.devel.redhat.com> (Josh Bressers's message of "Fri, 05 May 2006 13:45:22 -0400")
References: <200605051745.k45HjM2U002447@devserv.devel.redhat.com>
Message-ID:

>>>>> "JB" == Josh Bressers writes:

JB> This is a time the package-release tool can come in handy.

It's also useful to check the completed package list in the build system:

http://buildsys.fedoraproject.org/build-status/success.psp

If you see that a security-issue-fixing package has been built but wasn't on the last package push announcement then you should bug the signers.

 - J<

From ville.skytta at iki.fi Sat May 6 09:12:04 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Sat, 06 May 2006 12:12:04 +0300
Subject: Hints for working with CVEs?
In-Reply-To:
References: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com>
Message-ID: <1146906724.5802.226.camel@localhost.localdomain>

On Fri, 2006-05-05 at 12:51 -0500, Jason L Tibbitts III wrote:
> The small http://nvd.nist.gov/download/nvdcve-recent.xml file looks
> reasonable; it's small, goes back a week or so, and should be easy to
> parse.

What kind of things would you like to produce out of that? They have an XML Schema available for the XML, which can be used to generate code for various languages. On the other hand, if the intention is to just transform that into a human friendlier format (HTML, plain text), doing that with XSLT would be pretty easy.

From ville.skytta at iki.fi Sat May 6 09:37:44 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Sat, 06 May 2006 12:37:44 +0300
Subject: Issues with no CVE number
Message-ID: <1146908264.5802.236.camel@localhost.localdomain>

Are security issues that don't have a CVE number tracked somewhere? Some issues may not have it by the time they're disclosed and I guess there are ones that for whatever reason don't have and aren't going to get one. If they're tracked in the usual audit/* files, what's the preferred format for them?

By the way, if more help is needed, feel free to add me (scop) rights to commit to the fe[45] files.

From tibbs at math.uh.edu Sat May 6 14:33:50 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Sat, 06 May 2006 09:33:50 -0500
Subject: Hints for working with CVEs?
In-Reply-To: <1146906724.5802.226.camel@localhost.localdomain> (Ville Skyttä's message of "Sat, 06 May 2006 12:12:04 +0300")
References: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com> <1146906724.5802.226.camel@localhost.localdomain>
Message-ID:

>>>>> "VS" == Ville Skyttä writes:

VS> What kind of things would you like to produce out of that?

A couple of ideas:

Produce a simple summary with one or two lines of text per entry that could be scanned quickly by a human.

Fuzzy match the "prod name" against our list of packages. Also use the "vers" tags and the guts of our existing package-releases script to see if we're vulnerable.

Unfortunately my knowledge of XML is so limited that I don't understand how you'd use the schema to generate a parser, but I'll try to figure that out.

 - J<

From bressers at redhat.com Sat May 6 15:37:06 2006
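As an added example of the approach Jason sketches above (my own code, not anything from the fedora-security CVS tools directory or from anyone on this list): parse a small constructed feed laid out like the nvdcve-recent.xml tags the thread names (entry, prod name, vers), fuzzy-match product names against a constructed manifest in the release/name/version shape of the package-release output, and report which shipped versions are still affected. The exact feed layout, and the vers prev="1" ("and all earlier versions") attribute, are assumptions to verify against the real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed. The element and attribute names (entry name=,
# desc/descript, vuln_soft/prod name=, vers num= and prev=) are an
# assumption modelled on the 2006 NVD feed; verify them against the real file.
# The nagios text is the CVE description forwarded earlier in the thread;
# the other descriptions are placeholders, and CVE-PLACEHOLDER is not a real id.
SAMPLE_FEED = """<?xml version="1.0"?>
<nvd>
  <entry type="CVE" name="CVE-2006-1989" seq="2006-1989" published="2006-04-26">
    <desc><descript source="cve">Constructed placeholder: clamav issue, fixed in 0.88.2.</descript></desc>
    <vuln_soft>
      <prod name="clamav" vendor="clam_anti-virus"><vers num="0.88.1" prev="1"/></prod>
    </vuln_soft>
  </entry>
  <entry type="CVE" name="CVE-2006-2162" seq="2006-2162" published="2006-05-03">
    <desc><descript source="cve">Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.</descript></desc>
    <vuln_soft>
      <prod name="nagios" vendor="nagios"><vers num="1.3"/><vers num="2.2"/></prod>
    </vuln_soft>
  </entry>
  <entry type="CVE" name="CVE-PLACEHOLDER" seq="PLACEHOLDER" published="2006-05-04">
    <desc><descript source="cve">Constructed placeholder entry for a product Extras does not ship.</descript></desc>
    <vuln_soft>
      <prod name="notshipped" vendor="example"><vers num="1.0"/></prod>
    </vuln_soft>
  </entry>
</nvd>
"""

# Constructed manifest: "release name version release-tag", one line per shipped
# SRPM, in the shape of the package-release output earlier in the thread.
# The FE3 clamav line is deliberately left at 0.88.1 to show a hit.
SAMPLE_MANIFEST = """\
3 clamav 0.88.1 1.fc3
4 clamav 0.88.2 1.fc4
5 clamav 0.88.2 1.fc5
5 nagios 2.3 1.fc5
5 nmh 1.1 18.fc5
"""


def vercmp(a, b):
    """Simplified rpm-style compare: split into digit/alpha runs, numbers compare
    numerically and beat alpha runs. Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_feed(xml_text):
    """One record per <entry>: CVE id, description, and (prod, [(version, and_earlier)]) pairs."""
    entries = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        prods = []
        for prod in entry.iter("prod"):
            vers = [(v.get("num"), v.get("prev") == "1") for v in prod.iter("vers")]
            prods.append((prod.get("name", ""), vers))
        desc = (entry.findtext("desc/descript") or "").strip()
        entries.append({"id": entry.get("name"), "desc": desc, "prods": prods})
    return entries


def parse_manifest(text):
    """Map package name -> list of (release, version) currently shipped."""
    shipped = {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        shipped.setdefault(fields[1], []).append((fields[0], fields[2]))
    return shipped


def normalize(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def fuzzy_candidates(prod_name, shipped):
    """Packages whose normalized name equals, contains or is contained in the
    NVD product name; very short names must match exactly to avoid noise."""
    key = normalize(prod_name)
    if len(key) < 4:
        return [p for p in shipped if normalize(p) == key]
    return [p for p in shipped if key in normalize(p) or normalize(p) in key]


def affected(version, vers_list):
    """True if the shipped version is listed, or is older than a version marked prev="1"."""
    for num, and_earlier in vers_list:
        c = vercmp(version, num)
        if c == 0 or (and_earlier and c < 0):
            return True
    return False


def check(entries, shipped):
    """One result per (entry, candidate package) with the shipped versions still affected."""
    results = []
    for e in entries:
        for prod_name, vers in e["prods"]:
            for pkg in fuzzy_candidates(prod_name, shipped):
                hits = [(rel, v) for rel, v in shipped[pkg] if affected(v, vers)]
                results.append({"id": e["id"], "package": pkg, "affected": hits, "desc": e["desc"]})
    return results


def summary(results):
    """Two lines per match, short enough to scan by eye."""
    lines = []
    for r in results:
        state = ("AFFECTED: " + ", ".join(f"FE{rel} {v}" for rel, v in r["affected"])
                 if r["affected"] else "not affected by listed versions")
        lines.append(f"{r['id']}  {r['package']}: {state}")
        lines.append("    " + r["desc"][:72])
    return lines


if __name__ == "__main__":
    print("\n".join(summary(check(parse_feed(SAMPLE_FEED), parse_manifest(SAMPLE_MANIFEST)))))
```

A real run would fetch nvdcve-recent.xml and the manifest file instead of the embedded samples; exact-version matching only catches what NVD lists, so a "not affected" line still deserves a look at the description.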
From: bressers at redhat.com (Josh Bressers)
Date: Sat, 06 May 2006 11:37:06 -0400
Subject: Issues with no CVE number
In-Reply-To: Your message of "Sat, 06 May 2006 12:37:44 +0300." <1146908264.5802.236.camel@localhost.localdomain>
Message-ID: <200605061537.k46Fb6m9017800@devserv.devel.redhat.com>

> Are security issues that don't have a CVE number tracked somewhere?
> Some issues may not have it by the time they're disclosed and I guess
> there are ones that for whatever reason don't have and aren't going to
> get one. If they're tracked in the usual audit/* files, what's the
> preferred format for them?

Put something along the lines of CVE-NOID as the ID so we know it needs help (be sure to file a bug so we know what the issue is). Anything we track in the audit files should have a CVE id. Anything that doesn't have one right away will get one. You can mail cve at mitre.org with pointers at new security issues and they should assign an ID. For anything that is not public, feel free to let me know and I can assign a CVE id from Red Hat's pool (remember if you mail this list, the issue becomes public if it wasn't before).

>
> By the way, if more help is needed, feel free to add me (scop) rights to
> commit to the fe[45] files.

At this point in time, all help is welcome; you have access. Once we get things moving along, we'll have to think about how assigning access should work, as 'whoever I think should be a member' probably isn't a suitable long term solution :)

--
JB

From ville.skytta at iki.fi Sat May 6 16:45:55 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Sat, 06 May 2006 19:45:55 +0300
Subject: Hints for working with CVEs?
In-Reply-To:
References: <200605051742.k45HgrKZ001443@devserv.devel.redhat.com> <1146906724.5802.226.camel@localhost.localdomain>
Message-ID: <1146933956.2735.10.camel@localhost.localdomain>

On Sat, 2006-05-06 at 09:33 -0500, Jason L Tibbitts III wrote:
> >>>>> "VS" == Ville Skyttä writes:
>
> VS> What kind of things would you like to produce out of that?
>
> A couple of ideas:
>
> Produce a simple summary with one or two lines of text per entry that
> could be scanned quickly by a human.

That sounds like something that could be done with XSLT. See attachment for a _really_ simple XSL, and run it like:

    xsltproc nvdcve-recent.xsl http://nvd.nist.gov/download/nvdcve-recent.xml

> Unfortunately my knowledge of XML is so limited that I don't understand
> how you'd use the schema to generate a parser, but I'll try to figure
> that out.

Here are some pointers:

Java: http://xmlbeans.apache.org/
C++: http://codesynthesis.com/projects/xsd/
Python: http://www.rexx.com/~dkuhlman/generateDS.html

I've only used XMLBeans myself; the rest were found by quick Googling. There are probably similar things available for other languages too.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nvdcve-recent.xsl
Type: application/xslt+xml
Size: 348 bytes

From ville.skytta at iki.fi Sat May 6 17:33:20 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Sat, 06 May 2006 20:33:20 +0300
Subject: Issues with no CVE number
In-Reply-To: <200605061537.k46Fb6m9017800@devserv.devel.redhat.com>
References: <200605061537.k46Fb6m9017800@devserv.devel.redhat.com>
Message-ID: <1146936800.2735.17.camel@localhost.localdomain>

On Sat, 2006-05-06 at 11:37 -0400, Josh Bressers wrote:
> > Are security issues that don't have a CVE number tracked somewhere?
> > Some issues may not have it by the time they're disclosed and I guess
> > there are ones that for whatever reason don't have and aren't going to
> > get one. If they're tracked in the usual audit/* files, what's the
> > preferred format for them?
>
> Put something along the lines of CVE-NOID as the ID so we know it needs
> help (be sure to file a bug so we know what the issue is).

Ok, done.

> You can mail cve at mitre.org with pointers at
> new security issues and they should assign an ID.

Done for the awstats issue, no response yet.

From bressers at redhat.com Sat May 6 19:11:25 2006
From: bressers at redhat.com (Josh Bressers)
Date: Sat, 06 May 2006 15:11:25 -0400
Subject: Issues with no CVE number
In-Reply-To: Your message of "Sat, 06 May 2006 20:33:20 +0300." <1146936800.2735.17.camel@localhost.localdomain>
Message-ID: <200605061911.k46JBPt2021311@devserv.devel.redhat.com>

>
> > You can mail cve at mitre.org with pointers at
> > new security issues and they should assign an ID.
>
> Done for the awstats issue, no response yet.

You'll need patience when you mail MITRE. They are very busy and do get to everything. It sometimes will take a day or two though.

-- 
JB

From ville.skytta at iki.fi Sat May 6 19:19:05 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Sat, 06 May 2006 22:19:05 +0300
Subject: Issues with no CVE number
In-Reply-To: <200605061911.k46JBPt2021311@devserv.devel.redhat.com>
References: <200605061911.k46JBPt2021311@devserv.devel.redhat.com>
Message-ID: <1146943145.2735.38.camel@localhost.localdomain>

On Sat, 2006-05-06 at 15:11 -0400, Josh Bressers wrote:
> >
> > > You can mail cve at mitre.org with pointers at
> > > new security issues and they should assign an ID.
> >
> > Done for the awstats issue, no response yet.
>
> You'll need patience when you mail MITRE. They are very busy and do get to
> everything. It sometimes will take a day or two though.

Yep, I guessed that, but thought I'd keep others on this list explicitly up to date. Will add the CVE id's in CVS and Bugzilla when I have them unless someone beats me to it.

From bressers at redhat.com Mon May 8 19:42:41 2006
From: bressers at redhat.com (Josh Bressers)
Date: Mon, 08 May 2006 15:42:41 -0400
Subject: Approved by the board
In-Reply-To: Your message of "Thu, 04 May 2006 15:06:32 EDT." <1146769592.29889.19.camel@dhcp83-49.boston.redhat.com>
Message-ID: <200605081942.k48Jgfln020630@devserv.devel.redhat.com>

>
> We're now approved by the FESCO board.
>
> So a few things we need to do, setup wiki space for the security
> response group/team/whatever, include in there policy about what we're
> doing. Then link to this policy from the Extras main page where
> appropriate.
>
> Step 3, profit!

Jesse,

Thanks for the update. Do you know if there is a preference as to the namespace we use for our policies and procedures in the wiki (I have no desire to anger anyone by just making things up)?

The end of last week was terribly busy for me so I've still not gotten to start writing documentation :(

I do see people have been adding things to the fe4/5 files. If anyone has any suggestions on how to improve the logging format, please let me know. Nothing is written in stone.

-- 
JB

From jkeating at redhat.com Mon May 8 19:48:50 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Mon, 08 May 2006 15:48:50 -0400
Subject: Approved by the board
In-Reply-To: <200605081942.k48Jgfln020630@devserv.devel.redhat.com>
References: <200605081942.k48Jgfln020630@devserv.devel.redhat.com>
Message-ID: <1147117730.8821.49.camel@dhcp83-49.boston.redhat.com>

On Mon, 2006-05-08 at 15:42 -0400, Josh Bressers wrote:
> Thanks for the update. Do you know if there is a preference as to the
> namespace we use for our policies and procedures in the wiki (I have no
> desire to anger anyone by just making things up)?

I don't think there is anything really. I'd say /Security as its own namespace, and other projects can point to it, be included in it, reference it etc.. We want the project to grow to be larger than just Extras, so might as well start w/ the more global approach.

-- 
Jesse Keating
Release Engineer: Fedora

From tibbs at math.uh.edu Mon May 8 20:27:39 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Mon, 08 May 2006 15:27:39 -0500
Subject: Approved by the board
In-Reply-To: <1147117730.8821.49.camel@dhcp83-49.boston.redhat.com> (Jesse Keating's message of "Mon, 08 May 2006 15:48:50 -0400")
References: <200605081942.k48Jgfln020630@devserv.devel.redhat.com> <1147117730.8821.49.camel@dhcp83-49.boston.redhat.com>
Message-ID:

>>>>> "JK" == Jesse Keating writes:

JK> I don't think there is anything really. I'd say /Security as its
JK> own namespace, and other projects can point to it, be included in
JK> it, reference it etc.

I had started under Extras, but I didn't add much stuff so someone should feel free to move or delete it as necessary.

- J<

From kaboom at oobleck.net Mon May 8 20:31:57 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Mon, 8 May 2006 16:31:57 -0400 (EDT)
Subject: CVE-2006 entries added
Message-ID:

FYI, I did a very simple and dumb (my specialty!) comparison of all the packages in the FE5 CVS tree with the CVE-2006-* database

A couple of the packages I don't have time to enter right now (seamonkey being the real biggie) but for the ones I had time to get to, I've updated the fe4 and fe5 lists in CVS and filed bugzillas for a couple of packages that appear to have unresolved vulnerabilities. Overall Fedora Extras looked pretty good....

Packages which at least match between FE4 / FE5 and CVE-2006* that I've not looked into fully yet:

bsd-games
clamav
nethack
seamonkey
wine

I'll get to them later in the week

Do people see a need to extend this back any further, or is CVE-2006 a good line to draw as a beginning for when we track CVE?

later,
chris

From tibbs at math.uh.edu Mon May 8 22:11:18 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Mon, 08 May 2006 17:11:18 -0500
Subject: CVE-2006 entries added
In-Reply-To: (Chris Ricker's message of "Mon, 8 May 2006 16:31:57 -0400 (EDT)")
References:
Message-ID:

>>>>> "CR" == Chris Ricker writes:

CR> bsd-games

I know the package owner did a lot of work on this package to minimize security issues; I'm pretty sure it didn't make it into the repo with any known problems.

CR> clamav

I think all known issues are solved with the latest update (unless any new ones have come in in the past week).

CR> nethack

Same issue as with bsd-games.

CR> Do people see a need to extend this back any further, or is
CR> CVE-2006 a good line to draw as a beginning for when we track CVE?

It's as good an arbitrary point as any, I suppose. Perhaps half-way back through 2005 would be more complete, but I don't know if it would be worth the valuable time of a volunteer.

- J<

From ville.skytta at iki.fi Tue May 9 06:44:49 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Tue, 09 May 2006 09:44:49 +0300
Subject: CVE-2006 entries added
In-Reply-To:
References:
Message-ID: <1147157089.23498.75.camel@localhost.localdomain>

On Mon, 2006-05-08 at 17:11 -0500, Jason L Tibbitts III wrote:
> >>>>> "CR" == Chris Ricker writes:
>
> CR> bsd-games
>
> I know the package owner did a lot of work on this package to minimize
> security issues; I'm pretty sure it didn't make it into the repo with
> any known problems.

IIRC the problem was in sail, and I checked during the review that the fix was in (as part of the patch borrowed from Debian). So unless it was dropped later for some reason, I believe this is ok.

From lmacken at redhat.com Tue May 9 21:34:47 2006
From: lmacken at redhat.com (Luke Macken)
Date: Tue, 9 May 2006 17:34:47 -0400
Subject: CVE-2006 entries added
In-Reply-To:
References:
Message-ID: <20060509213447.GA8428@tomservo.boston.redhat.com>

On Mon, May 08, 2006 at 05:11:18PM -0500, Jason L Tibbitts III wrote:
> CR> nethack
>
> Same issue as with bsd-games.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187353

This ball is in my court. As mentioned in the bug report, this issue only applies when users are a part of the 'games' group. As far as I know, this issue has not been fixed anywhere (even in gentoo where it is actually a real issue, since people are encouraged to join the 'games' group).

luke

From deisenst at gtw.net Wed May 10 13:11:08 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Wed, 10 May 2006 08:11:08 -0500
Subject: Fedora Security Response Team
In-Reply-To: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
References: <200605021435.k42EZwl3028462@devserv.devel.redhat.com>
Message-ID: <4461E66C.3000805@gtw.net>

Josh Bressers wrote:
> The current plan is to create files called fe4 and fe5 to sit next to the
> fc4 and fc5 files in this location. The format of fc[45] is currently
> working, so I believe it's the correct way to go initially.

So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9} files here as well to track CVE issues with you all for Fedora Legacy issues?

If it's not a problem, I am wondering if any of you have any thoughts or suggestions on how to go about generating such lists?

>
> Those of you interested in being a part of the security response team will
> need to send me your fedora account system username. I can then add access
> and provide further instructions.

Probably would be a good idea to add me as well, if you don't mind, Josh, since Fedora Legacy *is* security and critical updates to older distros. That's all I and other Fedora Legacy workers do. My fedora account system username is, uh, "questor". Thanks.

>
>
>
> At this point, there should be three primary focal points for the security
> response team.
>
> 1) Tracking new issues
> 2) Tracking old issues
> 3) Documentation
>
> #1 and #3 are entertaining tasks. #2 is going to be painful and horrible.
> I'm not sure how far back we should go in CVE space. I guess as far back
> as we can with people willing to do the work. These tasks do require a
> manifest, which we don't technically have yet, but should soon.

Um ... since we've never started a list for Fedora Legacy for all the CVE's that ever existed (or at least since the Fedora Legacy project has existed), is the creation and maintenance of these going to be torturous and cumbersome?
Legacy tends to work on issues by sets of related CVE #s, opening one Legacy Bugzilla ticket per .src.rpm package (or related packages) to handle all the distros that a given (set of) CVE's address for that (those) package(s). We also use package codes in the "Status Whiteboard" to indicate which distros for a given package are affected by those CVE's. We therefore tend to ignore the actual version tag at the top of a Bugzilla report (often setting it to the legacy-specific value "unspecified") unless a vulnerability only affects one of the 5 distros we maintain.

Due to this way of working with bugs, and to reduce duplication, my temptation is to suggest that, if legacy may also maintain CVE status file(s) there in CVS, for legacy's use, we just use one file (maybe name it 'legacy'?) with all the CVE entries, and mark each individual CVE line for which particular distros that CVE affects (or at least seems to affect). Doing this in lieu of maintaining 5 separate files with 5 separate copies of all the CVE numbers would seem to be a big labor-saver. What do you think, Jesse? Or anyone else?

Putting together a fairly complete list of all the CVE's and all the packages that are vulnerable or fixed by all of these CVE's ... ugh, it indeed sounds like a horrible task! Are there any plans or thoughts to have something like "security days" whereby a bunch of us folks can get together and do the work while yakking it up on an IRC channel, making the process at least potentially a *little* more fun, and making it possible for us to get to know one another better?

> Does this all sound sane to everyone else?

Everything sounds sane to me, Josh. Thanks for taking the ball and running with it in getting this stuff going. :-)

Warm regards,
David Eisenstein

From c438421 at twinkie.homedns.org Wed May 10 13:11:36 2006
From: c438421 at twinkie.homedns.org (Dave Eisenstein)
Date: Wed, 10 May 2006 08:11:36 -0500
Subject: Fedora Security Response Team
In-Reply-To: <200605022035.k42KZY0k022249@devserv.devel.redhat.com>
References: <200605022035.k42KZY0k022249@devserv.devel.redhat.com>
Message-ID: <4461E688.8060803@twinkie.homedns.org>

Josh Bressers wrote:
> I just added a script which was written by Jason L Tibbitts III (it was a
> big help, thanks Jason). You can see it here if you wish:
> http://cvs.fedora.redhat.com/viewcvs/fedora-security/tools/?root=fedora
>
> Jason's original script relied on a local archive of things, this one grabs
> what it needs remotely. It's not the fastest thing ever, but it should be
> good enough for now.
>
> % ./package-release nmh
> Found package nmh in owners.list:
> <>
> 5 1.1 18.fc5 /pub/fedora/linux/extras/5/SRPMS/nmh-1.1-18.fc5.src.rpm
> dev 1.1 18.fc5 /pub/fedora/linux/extras/development/SRPMS/nmh-1.1-18.fc5.src.rpm
>

So how hard would it be to re-tool this script to look up things in legacy's repositories? (I haven't yet looked at the script in detail...)

-David

From bressers at redhat.com Wed May 10 13:39:27 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 10 May 2006 09:39:27 -0400
Subject: Fedora Security Response Team
In-Reply-To: Your message of "Wed, 10 May 2006 08:11:36 CDT." <4461E688.8060803@twinkie.homedns.org>
Message-ID: <200605101339.k4ADdR6M025948@devserv.devel.redhat.com>

> Josh Bressers wrote:
> > I just added a script which was written by Jason L Tibbitts III (it was a
> > big help, thanks Jason). You can see it here if you wish:
> > http://cvs.fedora.redhat.com/viewcvs/fedora-security/tools/?root=fedora
> >
> > Jason's original script relied on a local archive of things, this one grabs
> > what it needs remotely. It's not the fastest thing ever, but it should be
> > good enough for now.
> >
> > % ./package-release nmh
> > Found package nmh in owners.list:
> > <>
> > 5 1.1 18.fc5 /pub/fedora/linux/extras/5/SRPMS/nmh-1.1-18.fc5.src.rpm
> > dev 1.1 18.fc5 /pub/fedora/linux/extras/development/SRPMS/nmh-1.1-18.fc5.src.rpm
> >
>
> So how hard would it be to re-tool this script to look up things in legacy's
> repositories? (I haven't yet looked at the script in detail...)

It shouldn't be too hard. The bit where the file is displayed is sucked off an ftp server.

-- 
JB

From tibbs at math.uh.edu Wed May 10 13:40:52 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 10 May 2006 08:40:52 -0500
Subject: Fedora Security Response Team
In-Reply-To: <4461E688.8060803@twinkie.homedns.org> (Dave Eisenstein's message of "Wed, 10 May 2006 08:11:36 -0500")
References: <200605022035.k42KZY0k022249@devserv.devel.redhat.com> <4461E688.8060803@twinkie.homedns.org>
Message-ID:

>>>>> "DE" == Dave Eisenstein writes:

DE> So how hard would it be to re-tool this script to look up things
DE> in legacy's repositories?

There's not much to it, but it does extract information from the owners.list file which wouldn't make much sense for Legacy (or Core, for that matter). Without that you're basically looking through directories for files with the right name.

DE> (I haven't yet looked at the script in detail...)

It's now on the order of 100 lines of perl after making everything talk over the network to the FTP servers; nothing huge.

- J<

From bressers at redhat.com Wed May 10 14:00:21 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 10 May 2006 10:00:21 -0400
Subject: Fedora Security Response Team
In-Reply-To: Your message of "Wed, 10 May 2006 08:11:08 CDT." <4461E66C.3000805@gtw.net>
Message-ID: <200605101400.k4AE0LWx000832@devserv.devel.redhat.com>

>
> So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9} files
> here as well to track CVE issues with you all for Fedora Legacy issues?
>
> If it's not a problem, I am wondering if any of you have any thoughts or
> suggestions on how to go about generating such lists?

If you have the information captured in bugzilla you may be able to extract it from there. The descriptions MITRE provides for issues are prose, so there isn't really a nice way to get what you need from there.

I have no complaints about tracking the Fedora Legacy distributions in CVS. I think keeping things close together is wise. If we are tracking this many distributions though, perhaps one file for each is not the right way to go. Perhaps some thought and discussion is warranted.

>
> Probably would be a good idea to add me as well, if you don't mind, Josh,
> since Fedora Legacy *is* security and critical updates to older distros.
> That's all I and other Fedora Legacy workers do. My fedora account system
> username is, uh, "questor". Thanks.

Done.

>
> >
> >
> >
> > At this point, there should be three primary focal points for the security
> > response team.
> >
> > 1) Tracking new issues
> > 2) Tracking old issues
> > 3) Documentation
> >
> > #1 and #3 are entertaining tasks. #2 is going to be painful and horrible.
> > I'm not sure how far back we should go in CVE space. I guess as far back
> > as we can with people willing to do the work. These tasks do require a
> > manifest, which we don't technically have yet, but should soon.
>
> Um ... since we've never started a list for Fedora Legacy for all the CVE's
> that ever existed (or at least since the Fedora Legacy project has existed),
> is the creation and maintenance of these going to be torturous and cumbersome?

The creation is painful as there are literally tens of thousands of CVE ids per year. Once you're caught up things aren't as bad since the ids are just a constant trickle of information.

>
> Putting together a fairly complete list of all the CVE's and all the
> packages that are vulnerable or fixed by all of these CVE's ... ugh, it
> indeed sounds like a horrible task! Are there any plans or thoughts to have
> something like "security days" whereby a bunch of us folks can get together
> and do the work while yakking it up on an IRC channel, making the process at
> least potentially a *little* more fun, and making it possible for us to get
> to know one another better?

This isn't a half bad idea (what do others think?). At the very least perhaps an IRC channel is in order. I see #fedora-security already exists on Freenode, no doubt just for this purpose :)

-- 
JB

From dennis at ausil.us Wed May 10 15:04:51 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 10 May 2006 10:04:51 -0500
Subject: Fedora Security Response Team
In-Reply-To: <200605101400.k4AE0LWx000832@devserv.devel.redhat.com>
References: <200605101400.k4AE0LWx000832@devserv.devel.redhat.com>
Message-ID: <200605101004.51912.dennis@ausil.us>

On Wednesday 10 May 2006 09:00, Josh Bressers wrote:
> > So is there a problem with creating and/or adding fc{3,2,1} rhl{7,9}
> > files here as well to track CVE issues with you all for Fedora Legacy
> > issues?
> >
> > If it's not a problem, I am wondering if any of you have any thoughts or
> > suggestions on how to go about generating such lists?
>
> If you have the information captured in bugzilla you may be able to extract
> it from there. The descriptions MITRE provides for issues are prose, so
> there isn't really a nice way to get what you need from there.

A simple perl script should be able to extract the info from the bugzilla database and insert it into a text file. I did something kinda similar but in reverse: I extracted the component info from Fedora's describe components page and inserted it into Aurora's bugzilla database. It saved much typing.

> I have no complaints about tracking the Fedora Legacy distributions in CVS.
> I think keeping things close together is wise. If we are tracking this
> many distributions though, perhaps one file for each is not the right way
> to go. Perhaps some thought and discussion is warranted.

I think we should track Legacy here. It serves the ultimate goal of having one central location for Fedora Security. I see 3 ways to track the info

1) as we are, one file per release, perhaps merging extras and core into one file. (not now but later)

2) use one file per CVE. Has a lot of files but you could have in it each affected release

3) Time based rotation of files. List in a similar manner to currently done but add the releases affected to the end and rotate files each month/quarter/half year/full year

> >
> > Um ... since we've never started a list for Fedora Legacy for all the
> > CVE's that ever existed (or at least since the Fedora Legacy project has
> > existed), is the creation and maintenance of these going to be torturous
> > and cumbersome?
>
> The creation is painful as there are literally tens of thousands of CVE ids
> per year. Once you're caught up things aren't as bad since the ids are
> just a constant trickle of information.

Back tracking will be extremely painful, and the further forward we move the less necessary it will become. For instance, once Legacy drops FC1 support there won't be much concern if older security issues were resolved or not.

> > Putting together a fairly complete list of all the CVE's and all the
> > packages that are vulnerable or fixed by all of these CVE's ... ugh, it
> > indeed sounds like a horrible task! Are there any plans or thoughts to
> > have something like "security days" whereby a bunch of us folks can get
> > together and do the work while yakking it up on an IRC channel, making
> > the process at least potentially a *little* more fun, and making it
> > possible for us to get to know one another better?
>
> This isn't a half bad idea (what do others think?). At the very least
> perhaps an IRC channel is in order. I see #fedora-security already exists
> on Freenode, no doubt just for this purpose :)

I started #fedora-security back when the SIG was first proposed just for this type of thing. The security days sounds like a great idea.

-- 
Regards
Dennis Gilmore, RHCE
Proud Australian

From bressers at redhat.com Wed May 10 19:17:02 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 10 May 2006 15:17:02 -0400
Subject: Fedora Security Response Team
In-Reply-To: Your message of "Wed, 10 May 2006 10:04:51 CDT." <200605101004.51912.dennis@ausil.us>
Message-ID: <200605101917.k4AJH2Nq030741@devserv.devel.redhat.com>

>
> 1) as we are, one file per release, perhaps merging extras and core into one
> file. (not now but later)

This will depend on the outcome of the bizarre mating ritual that will no doubt happen once core is freed.

> 2) use one file per CVE. Has a lot of files but you could have in it each
> affected release

This also complicates the issue of moving things forward. Right now, when FE6 must be tracked, a 'cp fe5 fe6' is a pretty solid start.

> 3) Time based rotation of files. List in a similar manner to currently done
> but add the releases affected to the end and rotate files each
> month/quarter/half year/full year

I don't think this is wise. The files will be rotated when EOL is reached. Having everything in one easy to find place for each distribution is easier IMO.

We can also just keep tracking things the way they currently are, but I fear it won't scale. One entry, per package, per distribution. This fails to scale with something like mozilla. For each CVE id a mozilla application is assigned, we have to add a CVE id for mozilla, thunderbird, firefox, seamonkey, in the FC[45], FE[45], and all the legacy files (for those of you not counting on your fingers that would be 16 lines added).

This isn't ideal, but the files are great for tracking, simply because each one contains a good set of information. If I want to know what products CVE-2006-0123 affects, all I have to do is 'grep CVE-2006-0123 *'

I think the answer is tools. The data the tools output can be whatever we want, this particular format being something I like. You might like something different, which would be doable as it's all just information.
Ideally I should be able to visit a web page, or create a YAML file (or some other format/process you prefer) which will note which versions of a product and which packages are or are not vulnerable, why, then file bugzilla bits for us automagically.

-- 
JB

From tibbs at math.uh.edu Thu May 11 00:45:23 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 10 May 2006 19:45:23 -0500
Subject: perl-Net-SSLeay vulnerability
Message-ID:

The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira just contacted me about the procedure for getting a security review; it seems the version in FC3 and FC4 has a vulnerability but he would like some additional review of the backport. I asked him to contact this list, but I'm not sure it's open to nonmembers.

- J<

From dennis at ausil.us Thu May 11 01:10:05 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 10 May 2006 20:10:05 -0500
Subject: perl-Net-SSLeay vulnerability
In-Reply-To:
References:
Message-ID: <200605102010.05395.dennis@ausil.us>

On Wednesday 10 May 2006 7:45 pm, Jason L Tibbitts III wrote:
> The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira
> just contacted me about the procedure for
> getting a security review; it seems the version in FC3 and FC4 has a
> vulnerability but he would like some additional review of the
> backport. I asked him to contact this list, but I'm not sure it's
> open to nonmembers.

The list is open to anyone who wants to subscribe to the list. FC3 security issues are ones that affect me the most, between extras for Aurora and my FC3 servers. So I will do what I can to help him.

Dennis

From bressers at redhat.com Thu May 11 01:29:42 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 10 May 2006 21:29:42 -0400
Subject: perl-Net-SSLeay vulnerability
In-Reply-To: Your message of "Wed, 10 May 2006 19:45:23 CDT."
Message-ID: <200605110129.k4B1Tg3c005692@devserv.devel.redhat.com>

> The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira
> just contacted me about the procedure for
> getting a security review; it seems the version in FC3 and FC4 has a
> vulnerability but he would like some additional review of the
> backport. I asked him to contact this list, but I'm not sure it's
> open to nonmembers.

Anyone may post to this list (non subscriber posts are moderated, so it won't show up right away). One of the goals of this list is to allow third parties to send us mails without having to subscribe to the list. It's the reason I don't have a list reply-to. If an outsider mails the list, they should stay on the Cc list.

-- 
JB

From tibbs at math.uh.edu Thu May 11 02:55:18 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 10 May 2006 21:55:18 -0500
Subject: Bugzilla CCs?
Message-ID:

Would it be reasonable to CC security-related bugzilla tickets here? Currently it's not possible.

- J<

From j.w.r.degoede at hhs.nl Thu May 11 10:33:43 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Thu, 11 May 2006 12:33:43 +0200
Subject: CVE-2006 entries added
In-Reply-To: <20060509213447.GA8428@tomservo.boston.redhat.com>
References: <20060509213447.GA8428@tomservo.boston.redhat.com>
Message-ID: <44631307.5080904@hhs.nl>

Luke Macken wrote:
> On Mon, May 08, 2006 at 05:11:18PM -0500, Jason L Tibbitts III wrote:
>> CR> nethack
>>
>> Same issue as with bsd-games.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187353
>
> This ball is in my court. As mentioned in the bug report, this issue
> only applies when users are a part of the 'games' group. As far as I
> know, this issue has not been fixed anywhere (even in gentoo where it
> is actually a real issue, since people are encouraged to join the
> 'games' group).
>

Although users are not in the games group on Fedora this is still a problem, this hole allows the following scenario:
- find a sgid game which is exploitable to get games gid rights
- use the games gid rights to drop a crafted file which will exploit nethack when opened by nethack.
- once another user runs nethack and opens the crafted file unwanted things get done with the rights of the other user.

So although low priority this needs fixing nevertheless.

Regards,

Hans

From kaboom at oobleck.net Thu May 11 19:27:43 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Thu, 11 May 2006 15:27:43 -0400 (EDT)
Subject: Bugzilla CCs?
In-Reply-To:
References:
Message-ID:

On Wed, 10 May 2006, Jason L Tibbitts III wrote:
> Would it be reasonable to CC security-related bugzilla tickets here?
> Currently it's not possible.

Manually, or automatically? Adding the list manually to the ticket should send it here for the Fearless Moderator to approve

later,
chris

From tibbs at math.uh.edu Thu May 11 19:33:38 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Thu, 11 May 2006 14:33:38 -0500
Subject: Bugzilla CCs?
In-Reply-To: (Chris Ricker's message of "Thu, 11 May 2006 15:27:43 -0400 (EDT)")
References:
Message-ID:

>>>>> "CR" == Chris Ricker writes:

CR> Manually, or automatically? Adding the list manually to the ticket
CR> should send it here for the Fearless Moderator to approve

It doesn't work; bugzilla won't allow it because there's no bugzilla account matching fedora-security-list at redhat.com.

- J<

From ville.skytta at iki.fi Thu May 11 20:15:56 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Thu, 11 May 2006 23:15:56 +0300
Subject: One Bugzilla report per distro version or one for all?
Message-ID: <1147378556.2746.43.camel@localhost.localdomain>

Best practice question:

Assuming a security issue in package foo which is shipped and vulnerable in many distro versions, do people find it better to file one copy-pasted bug report per distro version or a "combined" one for all which lists the affected distro versions?

The one-for-all approach would have the benefit of easier copy-pasting between audit/* files and probably more accurate Bugzilla references in maintainer %changelog entries as the same specfile is used for all distro versions in the vast majority of cases. It could make things slightly harder to track, eg. in Bugzilla queries and such.

From dennis at ausil.us Thu May 11 20:50:31 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 11 May 2006 15:50:31 -0500
Subject: One Bugzilla report per distro version or one for all?
In-Reply-To: <1147378556.2746.43.camel@localhost.localdomain>
References: <1147378556.2746.43.camel@localhost.localdomain>
Message-ID: <200605111550.32605.dennis@ausil.us>

On Thursday 11 May 2006 15:15, Ville Skyttä wrote:
> Best practice question:
>
> Assuming a security issue in package foo which is shipped and vulnerable
> in many distro versions, do people find it better to file one
> copy-pasted bug report per distro version or a "combined" one for all
> which lists the affected distro versions?
>
> The one-for-all approach would have the benefit of easier copy-pasting
> between audit/* files and probably more accurate Bugzilla references in
> maintainer %changelog entries as the same specfile is used for all
> distro versions in the vast majority of cases. It could make things
> slightly harder to track, eg. in Bugzilla queries and such.

I would think one bugzilla entry for all. If you did one for each you could be dealing with 5 bug reports.

-- 
Regards
Dennis Gilmore, RHCE
Proud Australian

From bressers at redhat.com Thu May 11 20:59:34 2006
From: bressers at redhat.com (Josh Bressers)
Date: Thu, 11 May 2006 16:59:34 -0400
Subject: One Bugzilla report per distro version or one for all?
In-Reply-To: Your message of "Thu, 11 May 2006 15:50:31 CDT." <200605111550.32605.dennis@ausil.us>
Message-ID: <200605112059.k4BKxYQm023221@devserv.devel.redhat.com>

> On Thursday 11 May 2006 15:15, Ville Skyttä wrote:
> > Best practice question:
> >
> > Assuming a security issue in package foo which is shipped and vulnerable
> > in many distro versions, do people find it better to file one
> > copy-pasted bug report per distro version or a "combined" one for all
> > which lists the affected distro versions?
> >
> > The one-for-all approach would have the benefit of easier copy-pasting
> > between audit/* files and probably more accurate Bugzilla references in
> > maintainer %changelog entries as the same specfile is used for all
> > distro versions in the vast majority of cases. It could make things
> > slightly harder to track, eg. in Bugzilla queries and such.
>
> I would think one bugzilla entry for all. If you did one for each you could
> be dealing with 5 bug reports.

I ack this. Things can quickly get out of hand. To beat my favorite dead
horse, mozilla, you have 4 products, across 5 distributions = 20 bugs.

-- 
JB

From jkeating at redhat.com Thu May 11 22:34:46 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Thu, 11 May 2006 18:34:46 -0400
Subject: One Bugzilla report per distro version or one for all?
In-Reply-To: <200605112059.k4BKxYQm023221@devserv.devel.redhat.com>
References: <200605112059.k4BKxYQm023221@devserv.devel.redhat.com>
Message-ID: <1147386886.27868.5.camel@ender>

On Thu, 2006-05-11 at 16:59 -0400, Josh Bressers wrote:
>
> I ack this. Things can quickly get out of hand. To beat my favorite
> dead horse, mozilla, you have 4 products, across 5 distributions = 20
> bugs.

The problem you run into is then you set yourself up for having to
release all or nothing. If distro A is holding up release of fixed
packages for distro B that's not a good thing. If we want our pushing
tools to close bugs accordingly (like they do with Core) then we're
probably going to have to separate these by distributions.

Now to use mozilla again, why couldn't we push all 4 products into one
bug report? 20 bugs down to 5 bugs is a pretty big drop. And there
could be a tracking bug that has all the info, and sub-bugs filed in
each distro to be the place holder for when said package goes out. This
allows a package to go out, allows a pushing system to close a bug
associated w/ a package update, and allows a top level bug to easily
track the progress of each affected distro.

-- 
Jesse Keating
Release Engineer: Fedora

From marcdeslauriers at videotron.ca Fri May 12 02:33:22 2006
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 11 May 2006 22:33:22 -0400
Subject: One Bugzilla report per distro version or one for all?
In-Reply-To: <1147386886.27868.5.camel@ender>
References: <200605112059.k4BKxYQm023221@devserv.devel.redhat.com> <1147386886.27868.5.camel@ender>
Message-ID: <1147400955.6061.29.camel@mdlinux>

On Thu, 2006-05-11 at 18:34 -0400, Jesse Keating wrote:
> The problem you run into is then you set yourself up for having to
> release all or nothing. If distro A is holding up release of fixed
> packages for distro B thats not a good thing. If we want our pushing
> tools to close bugs accordingly (like they do with Core) then we're
> probably going to have to separate these by distributions.
>

Don't we usually release updates for all distros at the same time? For
Legacy, it was a PITA when we tried to have a bug per distro.

> Now to use mozilla again, why couldn't we push all 4 products into one
> bug report? 20 bugs down to 5 bugs is a pretty big drop. And there
> could be a tracking bug that has all the info, and sub-bugs filed in
> each distro to be the place holder for when said package goes out. This
> allows a package to go out, allows a pushing system to close a bug
> associated w/ a package update, and allows a top level bug to easily
> track the progress of each affected distro.
>

Four products can result in four different update advisories. Wouldn't
a pushing system have trouble figuring out if the bug can be closed
automatically or not?

Marc.

From jimpop at yahoo.com Fri May 12 02:40:27 2006
From: jimpop at yahoo.com (Jim Popovitch)
Date: Thu, 11 May 2006 22:40:27 -0400
Subject: Apache 1.3.7 (RH73) question wrt CVEs
Message-ID: <4463F59B.9090803@yahoo.com>

In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
with Apache 1.3.7-9 so I thought I would query BZ and see what I could
find of these. (I am a BZ newbie when it comes to queries).

CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
Vulnerabilities

CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service

CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
Vulnerabilities

CVE-2003-0993 Apache mod_access Security Bypass

CVE-2004-0700 Apache mod_ssl Format String Vulnerability

Unfortunately I couldn't find any of those in the Comments under Apache
for Fedora Legacy Redhat 7.3. I can't believe that all of those
aren't addressed, so lack of query results suggests to me that I am
missing something. Some of those CVE/CANs are several years old, but
wouldn't they still be in BZ comments somewhere?

-Jim P.

From deisenst at gtw.net Fri May 12 06:44:52 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Fri, 12 May 2006 01:44:52 -0500 (CDT)
Subject: Apache 1.3.7 (RH73) question wrt CVEs
In-Reply-To: <4463F59B.9090803@yahoo.com>
Message-ID:

On Thu, 11 May 2006, Jim Popovitch wrote:

> In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
> with Apache 1.3.7-9 so I thought I would query BZ and see what I could
> find of these. (I am a BZ newbie when it comes to queries).
>
> CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
> Vulnerabilities
>
> CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
>
> CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
> Vulnerabilities
>
> CVE-2003-0993 Apache mod_access Security Bypass
>
> CVE-2004-0700 Apache mod_ssl Format String Vulnerability
>
>
> Unfortunately I couldn't find any of those in the Comments under Apache
> for Fedora Legacy Redhat 7.3. I can't believe that all of those
> aren't addressed, so lack of query results suggests to me that I am
> missing something. Some of those CVE/CANs are several years old, but
> wouldn't the still be in BZ comments somewhere?

It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11... I
don't know what shipped with apache-1.3.7 ... From Fedora Legacy's
archives, RHL 7.3's apache was shipped on 16-Apr-2002.

The latest update for Red Hat 7.3's apache appears to have been released
by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.
The latest mod_ssl for RHL 7.3 is mod_ssl-2.8.12-8.legacy, released
9-Nov-2005.

A couple of things. First, not all Legacy work is documented in Red
Hat's Bugzilla. Initial Fedora Legacy group work thru Mar 2005 was
tracked in http://bugzilla.fedora.us/. For example, a quick peek there
shows that CAN-2004-0700 was handled here: .

The second thing is that you may wish to check the apache's and
mod_ssl's changelogs.
If you have a RH7.3 system, you can do a query on the RPMs you have
installed:

  $ rpm -q --changelog apache
  $ rpm -q --changelog mod_ssl

All vulnerabilities that are fixed *ought* to be mentioned in the
changelog, mentioning the CVE # in the changelog entry. However,
sometimes CVE's are taken care of by updating a package to a newer
upstream version, so package maintainers may or may not mention the
CVE's that an upstream-upgrade fixes. Again, I think they *ought* to,
but they don't always.

Item-by-item:

 * CVE-2002-1233. The description in the CVE database for this entry
   goes:

   "A regression error in the Debian distributions of the apache-ssl
   package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian
   3.0), for Apache 1.3.27 and earlier, allows local users to read or
   modify the Apache password file via a symlink attack on temporary
   files when the administrator runs (1) htpasswd or (2) htdigest, a
   re-introduction of a vulnerability that was originally identified
   and addressed by CVE-2001-0131."

   Further comment disputing the validity of the CVE is present also:

   "Cox> Many vendors have included fixes for CVE-2001-0131 in their
   distributions of Apache even though this has not been fixed
   upstream. I still believe that this is not worthy of a separate CVE
   name since this is just Debian forgetting to include their fix for
   CVE-2001-0131 in one of their versions, and then correcting it."

   Since this is a Debian-only issue, I would not expect to find
   mention of CAN-2002-1233 in any Bugzilla nor the changelogs.

 * CVE-2003-0020. This was fixed with Red Hat's release of
   apache-1.3.27-3 with their advisory RHSA-2003:243-07, issued on
   2003-09-22 when RH Linux 7.3 was still under Red Hat's care. One
   can find this issue mentioned in apache-1.3.27-9.legacy's
   changelogs. Ref: .

 * CVE-2003-0083. According to this CVE, this vulnerability only
   affects Apache 1.3 before 1.3.25, so it would not have affected
   this version of apache.

 * CVE-2003-0993.
   I don't see this one mentioned in the changelogs. But I don't think
   this one would affect Legacy, as this issue only seems to affect
   Apache 1.3 when running on big-endian 64-bit platforms, according to
   the CVE. Legacy only supports x86 for RH Linux 7.3.

 * CVE-2004-0700. This was fixed by legacy in mod_ssl-2.8.12-5.legacy.
   See the bugzilla.fedora.us mentioned above, as well as mod_ssl's
   changelogs.

 * CVE-2004-0748. Looking at how it was reported for RHEL 3, in RH's
   Bugzilla # 130749, it appears to not affect mod_ssl with Apache 1.3.
   . So this would not have affected Red Hat Linux 7.3. For FC1 & newer
   distros that use Apache 2.0.xx, this appears to have been fixed with
   an upgrade to httpd-2.0.51. For RHL 9, I am not finding where this
   was fixed, as the update advisory that included verbiage for this
   CVE indicated that RHL 9 was not affected by this vulnerability.

 * CVE-2004-0751. From the text of the CVE, this is a bug in the
   char_buffer_read function in the mod_ssl module for Apache 2.xx.
   This vulnerability apparently does not affect Apache 1.3.xx.

Hope this helped, Jim.

> -Jim P.
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list

From jimpop at yahoo.com Fri May 12 06:52:47 2006
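A script for the changelog check David describes, added here as an example rather than anything from his post: it pulls CVE/CAN identifiers out of changelog text (on a real system the output of rpm -q --changelog; here a constructed sample) and reports which of a given list are mentioned, folding the older CAN- prefix into CVE- so either spelling matches. A "missing" result only means the fix is not documented in the changelog, which, as David notes, happens when an upstream version bump fixes an issue silently.

```sh
#!/bin/sh
# Added example, not from the list post: check which CVE/CAN ids a package
# changelog mentions, the way David suggests with "rpm -q --changelog".
# The changelog below is CONSTRUCTED sample data in rpm's changelog style
# (not the real apache/mod_ssl history); on a real system use
# check_package, which queries rpm itself.

# Fold CAN-YYYY-NNNN (the pre-2005 candidate prefix) into CVE-YYYY-NNNN and
# upper-case it, so both spellings of one issue compare equal.
norm_id() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAN-/CVE-/'
}

# Print every CVE/CAN id found in changelog text on stdin, normalised,
# one per line, de-duplicated.
changelog_ids() {
    grep -oiE 'C(VE|AN)-[0-9]{4}-[0-9]{4,}' \
        | tr '[:lower:]' '[:upper:]' | sed 's/^CAN-/CVE-/' | sort -u
}

# check_ids FILE ID... : print "<id> found" or "<id> missing" for each id;
# return 0 only if every id is mentioned in FILE.
check_ids() {
    file=$1; shift
    ids=$(changelog_ids < "$file")
    rc=0
    for want in "$@"; do
        w=$(norm_id "$want")
        if printf '%s\n' "$ids" | grep -qx "$w"; then
            echo "$w found"
        else
            # Not documented. It may still be fixed by an upstream upgrade
            # whose changelog entry did not name the id, so verify by hand.
            echo "$w missing"
            rc=1
        fi
    done
    return $rc
}

# check_package PKG ID... : the same check against the installed package's
# changelog. Needs rpm on the system; returns 2 if the query fails.
check_package() {
    pkg=$1; shift
    tmp=$(mktemp)
    rpm -q --changelog "$pkg" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    check_ids "$tmp" "$@" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample changelog: one entry names an id with the CAN- prefix,
# one with CVE-, and one entry documents an upstream bump with no id at all.
SAMPLE_CHANGELOG=$(mktemp)
cat > "$SAMPLE_CHANGELOG" <<'EOF'
* Sat Feb 18 2006 Example Maintainer <maintainer@example.invalid> 1.3.27-9.legacy
- rebuild with the escape sequence filtering fix (CAN-2003-0020)
- update to upstream 1.3.27 (constructed entry, no id mentioned)
* Wed Nov 09 2005 Example Maintainer <maintainer@example.invalid> 2.8.12-8.legacy
- fix format string vulnerability in mod_ssl, CVE-2004-0700
EOF

# Demo on the sample: CVE-2002-1233 is reported missing, so exit status is 1.
check_ids "$SAMPLE_CHANGELOG" CVE-2003-0020 CAN-2004-0700 CVE-2002-1233 || true
```

Run it as "sh cvecheck.sh" for the demo, or call check_package apache CVE-2003-0020 from a shell that has sourced it on a box with rpm installed.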
From: jimpop at yahoo.com (Jim Popovitch)
Date: Fri, 12 May 2006 02:52:47 -0400
Subject: Apache 1.3.7 (RH73) question wrt CVEs
In-Reply-To:
References:
Message-ID: <446430BF.3070407@yahoo.com>

David Eisenstein wrote:
> On Thu, 11 May 2006, Jim Popovitch wrote:
>
>> In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
>> with Apache 1.3.7-9 so I thought I would query BZ and see what I could
>> find of these. (I am a BZ newbie when it comes to queries).
>>
>> CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
>> Vulnerabilities
>>
>> CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
>>
>> CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
>> Vulnerabilities
>>
>> CVE-2003-0993 Apache mod_access Security Bypass
>>
>> CVE-2004-0700 Apache mod_ssl Format String Vulnerability
>>
>>
>> Unfortunately I couldn't find any of those in the Comments under Apache
>> for Fedora Legacy Redhat 7.3. I can't believe that all of those
>> aren't addressed, so lack of query results suggests to me that I am
>> missing something. Some of those CVE/CANs are several years old, but
>> wouldn't the still be in BZ comments somewhere?
>
> It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11... I
> don't know what shipped with apache-1.3.7 ... From Fedora Legacy's
> archives, RHL 7.3's apache was shipped on 16-Apr-2002.
>
> The latest update for Red Hat 7.3's apache appears to have been released
> by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.

Thank you David for the insight as well as the ground work on going
through all of those. It wasn't my intention to have you or someone
else do that, but I do appreciate your doing so.

Apologies for specifying apache-1.3.7, that was a copy/paste error, I
meant apache-1.3.27.

Again, Thank you for digging through all of that.

-Jim P.

From kaboom at oobleck.net Fri May 12 13:24:40 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Fri, 12 May 2006 09:24:40 -0400 (EDT)
Subject: Bugzilla CCs?
In-Reply-To:
References:
Message-ID:

On Thu, 11 May 2006, Jason L Tibbitts III wrote:

> >>>>> "CR" == Chris Ricker writes:
>
> CR> Manually, or automatically? Adding the list manually to the ticket
> CR> should send it here for the Fearless Moderator to approve
>
> It doesn't work; bugzilla won't allow it because there's no bugzilla
> account matching fedora-security-list at redhat.com.

Good point. If it can't be worked around on the back end, we can always
create an account for the list and do it that way

later,
chris

From andreas.bierfert at lowlatency.de Wed May 17 09:30:28 2006
From: andreas.bierfert at lowlatency.de (Andreas Bierfert)
Date: Wed, 17 May 2006 11:30:28 +0200
Subject: CVE-2006 entries added
In-Reply-To:
References:
Message-ID: <20060517113028.6dc023b1@alkaid.a.lan>

On Mon, 8 May 2006 16:31:57 -0400 (EDT)
Chris Ricker wrote:

> Packages which at least match between FE4 / FE5 and CVE-2006* that I've
> not looked into fully yet:
[...]
> wine

Hm what would that be?

- Andreas

-- 
Andreas Bierfert                | http://awbsworld.de | GPG: C58CF1CB
andreas.bierfert at lowlatency.de | http://lowlatency.de | signed/encrypted
phone: +49 2402 102373          | cell: +49 173 5803043 | mail preferred

From kaboom at oobleck.net Wed May 17 13:28:38 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Wed, 17 May 2006 09:28:38 -0400 (EDT)
Subject: CVE-2006 entries added
In-Reply-To: <20060517113028.6dc023b1@alkaid.a.lan>
References: <20060517113028.6dc023b1@alkaid.a.lan>
Message-ID:

On Wed, 17 May 2006, Andreas Bierfert wrote:

> On Mon, 8 May 2006 16:31:57 -0400 (EDT)
> Chris Ricker wrote:
> > Packages which at least match between FE4 / FE5 and CVE-2006* that I've
> > not looked into fully yet:
> [...]
> > wine
>
> Hm what would that be?

CVE-2006-0106 - it's not a problem for any maintained Extras branch

later,
chris

From andreas.bierfert at lowlatency.de Wed May 17 16:22:58 2006
From: andreas.bierfert at lowlatency.de (Andreas Bierfert)
Date: Wed, 17 May 2006 18:22:58 +0200
Subject: CVE-2006 entries added
In-Reply-To:
References: <20060517113028.6dc023b1@alkaid.a.lan>
Message-ID: <20060517182258.3a6516d2@alkaid.a.lan>

On Wed, 17 May 2006 09:28:38 -0400 (EDT)

> CVE-2006-0106 - it's not a problem for any maintained Extras branch

That's what I thought ;) Just checking...

- Andreas

-- 
Andreas Bierfert                | http://awbsworld.de | GPG: C58CF1CB
andreas.bierfert at lowlatency.de | http://lowlatency.de | signed/encrypted
phone: +49 2402 102373          | cell: +49 173 5803043 | mail preferred

From kaboom at oobleck.net Thu May 18 03:12:14 2006
From: kaboom at oobleck.net (Chris Ricker)
Date: Wed, 17 May 2006 23:12:14 -0400 (EDT)
Subject: [Bug 191491] need to be able to cc bugs to fedora-security-list (fwd)
Message-ID:

ave has added an account for fedora-security-list at redhat.com to
Bugzilla, so you can now CC security-related bugs to that address

later,
chris

---------- Forwarded message ----------
Date: Wed, 17 May 2006 10:04:27 -0400
From: bugzilla at redhat.com
To: kaboom at oobleck.net
Subject: [Bug 191491] need to be able to cc bugs to fedora-security-list

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: need to be able to cc bugs to fedora-security-list

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191491

------- Additional Comments From dkl at redhat.com  2006-05-17 10:04 EST -------
fedora-security-list at redhat.com user has been added. I will mail the
password for that account to you in private email. The user can now be
added to the Cc list of bug reports.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

From bressers at redhat.com Thu May 18 13:17:20 2006
From: bressers at redhat.com (Josh Bressers)
Date: Thu, 18 May 2006 09:17:20 -0400
Subject: [Bug 191491] need to be able to cc bugs to fedora-security-list (fwd)
In-Reply-To: Your message of "Wed, 17 May 2006 23:12:14 EDT."
Message-ID: <200605181317.k4IDHKR0002965@devserv.devel.redhat.com>

> ave has added an account for fedora-security-list at redhat.com to
> Bugzilla, so you can now CC security-related bugs to that address

On that note, I'll share the URL I use to create new bugs for FE.

https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Extras&keywords=Security&cc=fedora-security-list at redhat.com

As you can probably guess from the URL, it adds the Security keyword and
CCs the list.

-- 
JB

From bugzilla at redhat.com Thu May 18 13:27:01 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2006 09:27:01 -0400
Subject: [Bug 192202] CVE-2006-2442 kphone information disclosure flaw
In-Reply-To:
Message-ID: <200605181327.k4IDR1sL008545@www.beta.redhat.com>

Summary: CVE-2006-2442 kphone information disclosure flaw

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192202

dennis at ausil.us changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fedora-security-list at redhat.com

------- Additional Comments From dennis at ausil.us  2006-05-18 09:26 EST -------
I will apply the patch from the debian bug report today.

From bugzilla at redhat.com Fri May 19 04:47:23 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 19 May 2006 00:47:23 -0400
Subject: [Bug 192202] CVE-2006-2442 kphone information disclosure flaw
In-Reply-To:
Message-ID: <200605190447.k4J4lNtC004838@www.beta.redhat.com>

Summary: CVE-2006-2442 kphone information disclosure flaw

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192202

dennis at ausil.us changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE

From tchung at fedoraproject.org Fri May 19 19:27:59 2006
From: tchung at fedoraproject.org (Thomas Chung)
Date: Fri, 19 May 2006 12:27:59 -0700
Subject: Public Announcment for Fedora Extras
Message-ID: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com>

First of all, congratulations to those who made Fedora Extras Updates
announcements possible to the public for the first time!

[1] https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00093.html
[2] https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00094.html
[3] https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00095.html

Now, we need a public announcement regarding our new effort.
Could someone in this project make an official announcement on Fedora
Extras Updates? This will be posted in Fedora Weekly News as well as
Fedora Weekly Reports.

ps. The tag in subject in [2] should be Fedora Extras *4* update:
kphone-4.2-9.fc4
It's been corrected in Fedora News post. [4]

[4] http://fedoranews.org/cms/node/942

Regards,
-- 
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung

From ville.skytta at iki.fi Fri May 19 20:03:20 2006
From: ville.skytta at iki.fi (Ville Skyttä)
Date: Fri, 19 May 2006 23:03:20 +0300
Subject: Public Announcment for Fedora Extras
In-Reply-To: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com>
References: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com>
Message-ID: <1148069000.2765.24.camel@localhost.localdomain>

On Fri, 2006-05-19 at 12:27 -0700, Thomas Chung wrote:
> First of all, congratulations to those who made Fedora Extras Updates
> announcements possible to the public for the first time!

Yep, that's nice, thanks Dennis.

Do we have templates for those announcements available somewhere? What
about update ID's, should Extras announcements get ones from the
FEDORA-* sequence or have their own or something else?

From jkeating at redhat.com Fri May 19 20:19:52 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Fri, 19 May 2006 16:19:52 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: <1148069000.2765.24.camel@localhost.localdomain>
References: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com> <1148069000.2765.24.camel@localhost.localdomain>
Message-ID: <1148069992.12055.1.camel@ender>

On Fri, 2006-05-19 at 23:03 +0300, Ville Skyttä wrote:
>
> Do we have templates for those announcements available somewhere?
> What about update ID's, should Extras announcements get ones from the
> FEDORA-* sequence or have their own or something else?
>

In Legacy we use the bugzilla number as the update ID. I'm not entirely
sure how Fedora does it. I think it may come from the update tool, and
if/when we move the update tool to be external and work for all Fedora
stuff then it would be easy to have uniques.

-- 
Jesse Keating
Release Engineer: Fedora

From bressers at redhat.com Fri May 19 20:32:25 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 19 May 2006 16:32:25 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: Your message of "Fri, 19 May 2006 16:19:52 EDT." <1148069992.12055.1.camel@ender>
Message-ID: <200605192032.k4JKWPcd016772@devserv.devel.redhat.com>

>
> In Legacy we use the bugzilla number as the update ID. I'm not entirely
> sure how Fedora does it. I think it may come from the update tool, and
> if/when we move the update tool to be external and work for all Fedora
> stuff then it would be easy to have uniques.
>

I was thinking about this just the other day. There are two things that
could work I think. The first is to use the bugzilla ID. This has the
advantage of being unique and easy, but has the disadvantage of being a
seemingly random number.

The second idea is how we did Core updates long long ago (well sort of).
We put a file in our cvs repository that looks a bit like this

2006-001
2006-002
2006-003

We then take one

2006-001 some package

and commit the file. It's important we remember to commit the file lest
someone else steal it. It prevents concurrency issues as only one person
can commit at a time.

Ideally I think it would be best to have a directory layout as such

advisories/
    ids
    text/
        2006-001

We could then write a script that we run with a package name. It then
modifies the ids file, adds a new skeleton file in text/ then runs

cvs commit -m 'Create errata 2006-001'

Once we're happy with the errata text (multiple people can read/modify it),
we run another command that magically mails it to the list in question, and
makes a note in the ids file that it's been "pushed" along with the date.
This would allow us to work on advisories before the packages are ready.

We could also then generate a sort of advisory index page for the project
so when we find some web space somewhere, publishing our advisories is
trivial.
If we ensure we note the bugs fixed in our errata it will also be possible
to close the bugs automagically via our script.

Thoughts?

-- 
JB

From dennis at ausil.us Fri May 19 20:34:01 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 19 May 2006 15:34:01 -0500
Subject: Public Announcment for Fedora Extras
In-Reply-To: <1148069000.2765.24.camel@localhost.localdomain>
References: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com> <1148069000.2765.24.camel@localhost.localdomain>
Message-ID: <200605191534.02022.dennis@ausil.us>

On Friday 19 May 2006 15:03, Ville Skyttä wrote:
> On Fri, 2006-05-19 at 12:27 -0700, Thomas Chung wrote:
> > First of all, congratulations to those who made Fedora Extras Updates
> > announcements possible to the public for the first time!
>
> Yep, that's nice, thanks Dennis.
>
> Do we have templates for those announcements available somewhere? What
> about update ID's, should Extras announcements get ones from the
> FEDORA-* sequence or have their own or something else?

I based what I sent out on a Fedora Core announcement. I've had a couple
of private emails about a unique ID and there is nothing defined so I
did not include one. I thought about perhaps a cgi script to create the
email. Then it could create most of the email automatically, with a
little input from the sender. That would keep things consistent in
look. Ideas? There would need to be some kind of access control. I plan
on always sending announcements for security issues with my packages.
Should we approach fesco asking for a policy that security updates need
announcements?

-- 
Dennis Gilmore, RHCE
Proud Australian

From jkeating at redhat.com Fri May 19 20:40:48 2006
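The ids-file workflow Josh sketches above, written out as an added example that is not the list's own tooling: next_id finds the next free YYYY-NNN in advisories/ids, new_advisory records the package, writes the skeleton under text/ and makes the reserving commit when the directory is a CVS checkout, and mark_pushed notes the push date on the id's line. Assumed, since the post does not fix them: the ids line format "YYYY-NNN package [pushed DATE]", the skeleton's field names, and that advisories/ and text/ are already under CVS.

```sh
#!/bin/sh
# Added example of the advisory id scheme discussed on the list; not the
# project's own script. Layout (from the post):
#   advisories/ids        one "YYYY-NNN package [pushed DATE]" line per id
#   advisories/text/YYYY-NNN   the draft advisory text
# Assumptions (mine): the line format above, the skeleton fields, and that
# advisories/ and text/ are already added to CVS. The cvs commit runs only
# when cvs exists and the directory is a checkout, so the functions also
# work in a plain directory.

# next_id DIR YEAR : print the next unused YEAR-NNN according to DIR/ids.
next_id() {
    dir=$1 year=$2
    last=0
    if [ -f "$dir/ids" ]; then
        # highest NNN already taken this year; leading zeros are stripped so
        # "008" is not read as an (invalid) octal number by the shell
        last=$(grep "^$year-" "$dir/ids" | cut -d' ' -f1 | cut -d- -f2 \
               | sed 's/^0*//' | sort -n | tail -n1)
        [ -n "$last" ] || last=0
    fi
    printf '%s-%03d\n' "$year" "$((last + 1))"
}

# new_advisory DIR PACKAGE [YEAR] : take the next id for PACKAGE, append it
# to DIR/ids, write the skeleton DIR/text/ID, commit, and print the id.
new_advisory() {
    dir=$1 pkg=$2 year=${3:-$(date +%Y)}
    id=$(next_id "$dir" "$year")
    mkdir -p "$dir/text"
    printf '%s %s\n' "$id" "$pkg" >> "$dir/ids"
    cat > "$dir/text/$id" <<EOF
Advisory: $id
Package: $pkg
Status: draft
Bugs: (bugzilla ids fixed by this update, one per line; closed on push)
Summary:
Description:
EOF
    # The commit is what reserves the number: only one commit of ids can
    # succeed at a time, so two people cannot both take $id.
    if [ -d "$dir/CVS" ] && command -v cvs >/dev/null 2>&1; then
        (cd "$dir" && cvs add "text/$id" >/dev/null \
            && cvs commit -m "Create errata $id" ids "text/$id")
    fi
    printf '%s\n' "$id"
}

# mark_pushed DIR ID [DATE] : note on the id's line that the advisory was
# mailed, with the date (the ids file is rewritten, not edited in place,
# so the update is atomic for other readers).
mark_pushed() {
    dir=$1 id=$2 date=${3:-$(date +%Y-%m-%d)}
    tmp=$(mktemp)
    awk -v id="$id" -v d="$date" \
        '$1 == id && $0 !~ / pushed / { $0 = $0 " pushed " d } { print }' \
        "$dir/ids" > "$tmp" && mv "$tmp" "$dir/ids"
}

# pending DIR : list ids that have been allocated but not pushed yet, i.e.
# advisories being drafted before their packages are ready.
pending() {
    grep -v ' pushed ' "$1/ids" || true
}

# usage: sh advisory.sh PACKAGE   (allocates an id in ./advisories)
if [ $# -ge 1 ]; then
    new_advisory advisories "$1"
fi
```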
From: jkeating at redhat.com (Jesse Keating)
Date: Fri, 19 May 2006 16:40:48 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: <200605192032.k4JKWPcd016772@devserv.devel.redhat.com>
References: <200605192032.k4JKWPcd016772@devserv.devel.redhat.com>
Message-ID: <1148071248.12055.3.camel@ender>

On Fri, 2006-05-19 at 16:32 -0400, Josh Bressers wrote:
> Thoughts?

Sounds sane. I'll just gloss over the embargo issue for now (;

-- 
Jesse Keating
Release Engineer: Fedora

From jkeating at redhat.com Fri May 19 20:42:21 2006
From: jkeating at redhat.com (Jesse Keating)
Date: Fri, 19 May 2006 16:42:21 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: <200605191534.02022.dennis@ausil.us>
References: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com> <1148069000.2765.24.camel@localhost.localdomain> <200605191534.02022.dennis@ausil.us>
Message-ID: <1148071341.12055.5.camel@ender>

On Fri, 2006-05-19 at 15:34 -0500, Dennis Gilmore wrote:
> that would keep things consistent in look. ideas? there would need
> to be some kind of access control. I plan on always sending
> announcements for security issues with my packages. should we
> approach fesco asking for a policy that security updates need
> announcements?

We need to harp on luke macken to get a version of the update system
external. Then all we have to come up with is the advisory text, the
rest of the package stuff is generated automatically.

I don't think we need to go to fesco, we'll just make policy ourselves
and then maybe get fesco to rubberstamp it.

-- 
Jesse Keating
Release Engineer: Fedora

From lmacken at redhat.com Fri May 19 21:03:06 2006
From: lmacken at redhat.com (Luke Macken)
Date: Fri, 19 May 2006 17:03:06 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: <1148069992.12055.1.camel@ender>
References: <369bce3b0605191227j3c94214al49b71abd3ca3c260@mail.gmail.com> <1148069000.2765.24.camel@localhost.localdomain> <1148069992.12055.1.camel@ender>
Message-ID: <20060519210306.GC6480@tomservo.boston.redhat.com>

On Fri, May 19, 2006 at 04:19:52PM -0400, Jesse Keating wrote:
> On Fri, 2006-05-19 at 23:03 +0300, Ville Skyttä wrote:
> >
> > Do we have templates for those announcements available somewhere?
> > What about update ID's, should Extras announcements get ones from the
> > FEDORA-* sequence or have their own or something else?
> >
>
> In Legacy we use the bugzilla number as the update ID. I'm not entirely
> sure how Fedora does it. I think it may come from the update tool, and
> if/when we move the update tool to be external and work for all Fedora
> stuff then it would be easy to have uniques.

Core update IDs are sequential, and come from the update system.

Using the bug # as the ID is probably not the best idea, since multiple
bugs can potentially be fixed by a single update.

luke

From lmacken at redhat.com Fri May 19 21:18:31 2006
From: lmacken at redhat.com (Luke Macken)
Date: Fri, 19 May 2006 17:18:31 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: <200605192032.k4JKWPcd016772@devserv.devel.redhat.com>
References: <1148069992.12055.1.camel@ender> <200605192032.k4JKWPcd016772@devserv.devel.redhat.com>
Message-ID: <20060519211831.GD6480@tomservo.boston.redhat.com>

On Fri, May 19, 2006 at 04:32:25PM -0400, Josh Bressers wrote:
> >
> > In Legacy we use the bugzilla number as the update ID. I'm not entirely
> > sure how Fedora does it. I think it may come from the update tool, and
> > if/when we move the update tool to be external and work for all Fedora
> > stuff then it would be easy to have uniques.
> >
>
> I was thinking about this just the other day. There are two things that
> could work I think. The first is to use the bugzilla ID. This has the
> advantage of being unique and easy, but has the disadvantage of being a
> seemingly random number.

What about multiple bugs per update ?

> The second idea is how we did Core updates long long ago (well sort of).

The way Core updates were done long ago was a problem, and it has been
fixed via the update system.

> We put a file in our cvs repository that looks a bit like this
>
> 2006-001
> 2006-002
> 2006-003
>
>
> We then take one
>
> 2006-001 some package
>
> and commit the file. It's important we remember to commit the file lest
> someone else steal it. It prevents concurrency issues as only one person
> can commit at a time.
>
> Ideally I think it would be best to have a directory layout as such
>
> advisories/
>     ids
>     text/
>         2006-001
>
> We could then write a script that we run with a package name.
> It then
> modifies the ids file, adds a new skeleton file in text/ then runs
>
> cvs commit -m 'Create errata 2006-001'
>
> Once we're happy with the errata text (multiple people can read/modify it),
> we run another command that magically mails it to the list in question, and
> makes a note in the ids file that it's been "pushed" along with the date.
> This would allow us to work on advisories before the packages are ready.
>
> We could also then generate a sort of advisory index page for the project
> so when we find some web space somewhere, publishing our advisories is
> trivial.
>
> If we ensure we note the bugs fixed in our errata it will also be possible
> to close the bugs automagically via our script.

The current update system already automatically generates and sends
advisory text, as well as automatic bug commenting/closing.

> Thoughts?

Seeing as how getting the update system out from under its rock is
getting to be a pretty large priority, I'd hate to have us duplicate
this functionality for Extras/Legacy/Core. Ideally, it would be nice to
have a single system which can be used to push core/extras/legacy
updates and give us the ability to generate project-wide statistics,
and automate mailing list and bugzilla interaction.

I jotted down some notes[0] a while back on making the current update
system more modular to be able to extend legacy and extras, but due to
classes/finals have been unable to implement it.

Thoughts?

luke

[0]: http://fedoraproject.org/wiki/Infrastructure/UpdateSystem

From bugzilla at redhat.com Sat May 20 09:27:08 2006
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 20 May 2006 05:27:08 -0400 Subject: [Bug 192535] New: CVE-2006-2480: dia format string vulnerability Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192535 Summary: CVE-2006-2480: dia format string vulnerability Product: Fedora Extras Version: fc5 Platform: All URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006- 2480 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: dia AssignedTo: j.w.r.degoede at hhs.nl ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 Reproducer in GNOME Bugzilla, appears to affect 0.95 too: http://bugzilla.gnome.org/show_bug.cgi?id=342111 The CVE notes that this may not be a vulnerability, but it is a reproducible crash in any case. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 20 09:35:57 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 20 May 2006 05:35:57 -0400 Subject: [Bug 192538] New: CVE-2006-2480: dia format string vulnerability Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538 Summary: CVE-2006-2480: dia format string vulnerability Product: Fedora Core Version: fc4 Platform: All URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006- 2480 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: dia AssignedTo: caolanm at redhat.com ReportedBy: ville.skytta at iki.fi CC: fedora-security-list at redhat.com +++ This bug was initially created as a clone of Bug #192535 +++ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 Reproducer in GNOME Bugzilla, appears to affect 0.95 too: http://bugzilla.gnome.org/show_bug.cgi?id=342111 The CVE notes that this may not be a vulnerability, but it is a reproducible crash in any case. (Note: I haven't tested the FC4 package, but at least the FE5 one has this problem.) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 20 09:40:40 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 20 May 2006 05:40:40 -0400 Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability In-Reply-To: Message-ID: <200605200940.k4K9eech030857@www.beta.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2480: dia format string vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538 ------- Additional Comments From ville.skytta at iki.fi 2006-05-20 05:40 EST ------- f-security-list: note that this is not in audit/fc4, I don't think I have permissions to commit to that. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 20 12:31:24 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 20 May 2006 08:31:24 -0400 Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability In-Reply-To: Message-ID: <200605201231.k4KCVOsD032159@www.beta.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2480: dia format string vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538 ------- Additional Comments From bressers at redhat.com 2006-05-20 08:31 EST ------- Please don't patch this issue yet. I plan to have a look through the dia source for additional format string vulnerabilities (I seriously doubt this is the only one). -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 20 12:39:02 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 20 May 2006 08:39:02 -0400
Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability
In-Reply-To:
Message-ID: <200605201239.k4KCd2dI001480@www.beta.redhat.com>

Summary: CVE-2006-2480: dia format string vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-20 08:38 EST -------
This comment of mine collided with John's comment, so it's a bit stale:
---
I've fixed this for FE using the patch attached to upstream's BZ (after
checking / verifying it).

And yes, this most definitely is a vulnerability. The current example of the
string format vulnerability is rather harmless, but I _think_ it will be
possible to exploit this by getting people to open malformed files with dia.

Also talking about dia, in my memory a security hole was found in one of the
dia import filters during the 0.95 pre cycle, I dunno if dia 0.94 had this
hole though (and my memory may be wrong altogether mixing up events).
---

Now with John's new comment in mind, I guess the same goes for dia in FE?

After seeing the BZ collision with your comment I tried to kill my builds of
the fix, but I was too late, a new version with the patch has been
successfully built for FE-5 and devel. I guess that's what I get for being
quick.

Anyways what do we do now? Ask the new versions to be removed from the
needsign and push queue? Or just release them and release again when you're
done with your audit?

From bugzilla at redhat.com Sat May 20 12:45:13 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 20 May 2006 08:45:13 -0400
Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability
In-Reply-To:
Message-ID: <200605201245.k4KCjDVR002796@www.beta.redhat.com>

Summary: CVE-2006-2480: dia format string vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-20 08:45 EST -------
How (un)lucky can one get? My dia build for FE was just signed and pushed, so
it's too late to remove it from the queue.

I'm closing the BZ ticket on this for FE. Please open a new one when you find
anything. I'm on fedora-security-list, so I'll keep following this ticket
through the list.

From bugzilla at redhat.com Sat May 20 12:46:07 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 20 May 2006 08:46:07 -0400
Subject: [Bug 192535] CVE-2006-2480: dia format string vulnerability
In-Reply-To:
Message-ID: <200605201246.k4KCk7IJ002933@www.beta.redhat.com>

Summary: CVE-2006-2480: dia format string vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192535

j.w.r.degoede at hhs.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.95-2

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-20 08:45 EST -------
Fixed using the patch attached to upstream's BZ (after checking / verifying
it). The fix has been imported into CVS, built and pushed for FC-5 and devel.

I assume the Security Response Team will take care of the security
announcement?

And yes, this most definitely is a vulnerability. The current example of the
string format vulnerability is rather harmless, but I _think_ it will be
possible to exploit this by getting people to open malformed files with dia.

From bugzilla at redhat.com Sat May 20 12:58:22 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 20 May 2006 08:58:22 -0400
Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability
In-Reply-To:
Message-ID: <200605201258.k4KCwMmQ004877@www.beta.redhat.com>

Summary: CVE-2006-2480: dia format string vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538

------- Additional Comments From ville.skytta at iki.fi 2006-05-20 08:58 EST -------
Sorry, that was me, I saw the commit and saw it also ready in the needsign
queue so I decided to do a push before seeing these comments.

From bugzilla at redhat.com Sat May 20 13:06:28 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 20 May 2006 09:06:28 -0400
Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability
In-Reply-To:
Message-ID: <200605201306.k4KD6Stc005941@www.beta.redhat.com>

Summary: CVE-2006-2480: dia format string vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538

------- Additional Comments From ville.skytta at iki.fi 2006-05-20 09:06 EST -------
Forgot to note that when checking for format string issues, pscan from Extras
can save some grunt work, e.g.

find . -name "*.c" -o -name "*.h" | xargs pscan -w "$@"

From bressers at redhat.com Mon May 22 00:34:18 2006
From: bressers at redhat.com (Josh Bressers)
Date: Sun, 21 May 2006 20:34:18 -0400
Subject: cyrus-sasl pop3 buffer overflow
Message-ID: <200605220034.k4M0YITa030303@devserv.devel.redhat.com>

I ran across this:
http://marc.theaimsgroup.com/?l=full-disclosure&m=114821239014171&w=2

The popsubfolders option seems to have been added after 2.3, FC5 may be
affected.

I ran the exploit against a copy of FC5, I got this in the log file:
May 21 20:26:51 bowser pop3[5075]: buffer overflow while canonicalizing

If someone who knows cyrus-imapd a little better could take a look at this it
would be appreciated. It's possible this is a 2.3.2 only issue (we ship 2.3.1
in FC5). If nobody else gets to this, I'll try to take a better look
tomorrow.

--
JB

From dennis at ausil.us Mon May 22 03:58:42 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Sun, 21 May 2006 22:58:42 -0500
Subject: Fedora Extras 3
Message-ID: <200605212258.43545.dennis@ausil.us>

Hey all

I added a file for tracking FE3. Please also fill this in when adding CVEs.
I copied the fe4 file and went through it; there are some issues to be fixed
in FE3, I've fixed some of them and marked some needing fixing. I have
removed issues for packages not in FE3 cvs tree.

We have under a month to get FE3 up to scratch or support will be turned
off. I would like to see security only support for FE3 until legacy drops
support.

--
Dennis Gilmore, RHCE
Proud Australian

From tibbs at math.uh.edu Mon May 22 13:40:20 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Mon, 22 May 2006 08:40:20 -0500
Subject: Fedora Extras 3
In-Reply-To: <200605212258.43545.dennis@ausil.us> (Dennis Gilmore's message of "Sun, 21 May 2006 22:58:42 -0500")
References: <200605212258.43545.dennis@ausil.us>
Message-ID:

>>>>> "DG" == Dennis Gilmore writes:

DG> We have under a month to get FE3 up to scratch or support will be
DG> turned off.

Something sounds wrong with this. I mean, FE3 has all sorts of problems
including unfixable broken dependencies and somehow it's up to us to meet
some deadline for fixing problems there?

Not that there's anything wrong with fixing security issues in FE3, but I
don't understand why the onus is put entirely on us.

- J<

From dennis at ausil.us Mon May 22 13:43:44 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Mon, 22 May 2006 08:43:44 -0500 (CDT)
Subject: Fedora Extras 3
In-Reply-To:
References: <200605212258.43545.dennis@ausil.us>
Message-ID: <45559.68.254.239.133.1148305424.squirrel@webmail.ausil.us>

>>>>>> "DG" == Dennis Gilmore writes:
>
> DG> We have under a month to get FE3 up to scratch or support will be
> DG> turned off.
>
> Something sounds wrong with this. I mean, FE3 has all sorts of
> problems including unfixable broken dependencies and somehow it's up
> to us to meet some deadline for fixing problems there?
>
> Not that there's anything wrong with fixing security issues in FE3,
> but I don't understand why the onus is put entirely on us.

Some of the broken dependencies can be fixed. The onus is not entirely on
us. But the onus is on those who want to either fix the issues or get the
maintainers to be active for their packages.

Dennis

From tibbs at math.uh.edu Mon May 22 13:45:47 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Mon, 22 May 2006 08:45:47 -0500 Subject: Fedora Extras 3 In-Reply-To: <200605212258.43545.dennis@ausil.us> (Dennis Gilmore's message of "Sun, 21 May 2006 22:58:42 -0500") References: <200605212258.43545.dennis@ausil.us> Message-ID: Anyway, it looks like we can solve four CVEs by pushing the updated mantis. Then we'll be left with nothing that isn't vulnerable in FE5, although I'm sure there are packages in FE3 that were dropped before FE5 that we'll need to track down. Anyone know of an easy way to get a list of those? - J< From tibbs at math.uh.edu Mon May 22 14:17:58 2006 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Mon, 22 May 2006 09:17:58 -0500 Subject: cyrus-sasl pop3 buffer overflow In-Reply-To: <200605220034.k4M0YITa030303@devserv.devel.redhat.com> (Josh Bressers's message of "Sun, 21 May 2006 20:34:18 -0400") References: <200605220034.k4M0YITa030303@devserv.devel.redhat.com> Message-ID: >>>>> "JB" == Josh Bressers writes: JB> The popsubfolders option seems to have been added after 2.3, FC5 JB> may be affected. Yes, I think so. The cyrus-imapd package is weird; CVS devel "branch" has an older version, while the built rawhide tree has the ".fc5" tagged version. Inspection of the code seems to indicate that 2.3.1 is indeed vulnerable; the responsible code in imap/pop3d.c seems to be unchanged between 2.3.1 and 2.3.2 (and 2.3.3, the latest version, so we'll have to dig up a patch). - J< From tibbs at math.uh.edu Mon May 22 14:27:02 2006 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Mon, 22 May 2006 09:27:02 -0500 Subject: cyrus-sasl pop3 buffer overflow In-Reply-To: (Jason L. Tibbitts, III's message of "Mon, 22 May 2006 09:17:58 -0500") References: <200605220034.k4M0YITa030303@devserv.devel.redhat.com> Message-ID: BTW, nothing I can find on the cyrus mailing lists and nothing to be found on https://bugzilla.andrew.cmu.edu/ - J< From fedora at leemhuis.info Mon May 22 14:28:41 2006 
From: fedora at leemhuis.info (Thorsten Leemhuis)
Date: Mon, 22 May 2006 16:28:41 +0200
Subject: Fedora Extras 3
In-Reply-To:
References: <200605212258.43545.dennis@ausil.us>
Message-ID: <1148308121.2291.34.camel@localhost.localdomain>

On Monday, 22.05.2006, 08:40 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dennis Gilmore writes:
> DG> We have under a month to get FE3 up to scratch or support will be
> DG> turned off.
> Something sounds wrong with this.

Slightly.

> I mean, FE3 has all sorts of
> problems including unfixable broken dependencies

Is it that bad?

> and somehow it's up
> to us to meet some deadline for fixing problems there?

No! Only those that are interested in it. (see below)

> Not that there's anything wrong with fixing security issues in FE3,
> but I don't understand why the onus is put entirely on us.

The concept was round about this: Security Team starts working. It should
track the current releases (e.g. FE4 and FE5) (no that was never written
down anywhere -- that was probably obvious). There were people (dgilmore,
probably others) that wanted to keep FE3 alive. Some other people didn't
like the idea, but we sort of had a compromise: If the security team (or
only parts of it, e.g. dgilmore, others) track FE3 properly and fix open
issues in an acceptable amount of time (e.g they get the package
maintainers to fix their packages or someone else like dgilmore and/or the
security team fixes it) then we leave FE3 open in "Maintenance state".

This was the proposal we agreed on (the last para is the important one for
this discussion):

> === EOL.
>
> When a Fedora Core release reaches Maintenance state (such as Fedora
> Core 3 reached when Fedora Core 5 Test 2 was released), the
> corresponding release of Fedora Extras will also enter a Maintenance
> state. In this state maintainers will be allowed to issue updates to
> existing packages, but Maintainers are strongly urged to only issue
> severe bugfix or security fixes. New software versions should be avoided
> except when necessary for resolving issues with the current version.
>
> Branches for new packages in CVS are not created for Distributions
> that are in Maintenance state. FESCo can approve exceptions of this rule
> if there are good reasons for it. The official package maintainers are
> urged to fix their packages also for Distributions that are in
> Maintenance state. They should work hand in hand with the "Security
> Response Team" in case they don't have access to older
> distros anymore to test their updates.
>
> When the Fedora Project drops support for a Fedora Core release the
> corresponding Fedora Extras is also dropped -- read this as
> "End-of-life, no new updates, support for that EOL distro will be removed
> from the Extras buildsys".
>
> The EOL Policy depends on the creation and a working Security Response
> Team and especially the part of it that "will lend assistance as needed"
> if the maintainer is unable to fix the package -- if that group does not
> start working properly until June 15 2006 we'll send out an EOL for
> Fedora Extras 3 -- means: "Packagers can still update things in cvs and
> build updates for now, but the official state of Fedora Extras 3 is
> 'unsupported and End of Life'". In that case we'll try to improve for
> FE4 and later.

Hope that clarifies some things.

CU
thl
--
Thorsten Leemhuis

From tibbs at math.uh.edu Mon May 22 14:35:45 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Mon, 22 May 2006 09:35:45 -0500 Subject: Mantis and "difficult" upgrades (Was: Fedora Extras 3) In-Reply-To: (Jason L. Tibbitts, III's message of "Mon, 22 May 2006 08:45:47 -0500") References: <200605212258.43545.dennis@ausil.us> Message-ID: A quick chat with the packager of mantis (which is responsible for five open CVEs on FE3 and FE4) shows that updates to 1.0.3 are forthcoming for FE5 (which should fix CVE-2006-1577) but there is no clean update path for FE3 and FE4 due to schema changes. There are supposedly some scripts which will do the necessary schema updates. It looks like backporting anything would be unreasonable, although I haven't looked closely at the source. So, a dilemma: 1) Push a naive update and break systems, leaving the admins to run the schema updates. 2) Run them automatically and hope they actually work. 3) Leave things as they are (insecure). 4) Work in earnest to try to backport patches or come up with our own fixes. The maintainer also suggested that we pull mantis from FE3, although that can't do anything for existing installations. (He doubts there are any.) What to do? - J< From dennis at ausil.us Mon May 22 15:11:33 2006 
From: dennis at ausil.us (Dennis Gilmore)
Date: Mon, 22 May 2006 10:11:33 -0500 (CDT)
Subject: Mantis and "difficult" upgrades (Was: Fedora Extras 3)
In-Reply-To:
References: <200605212258.43545.dennis@ausil.us>
Message-ID: <53605.68.254.239.133.1148310693.squirrel@webmail.ausil.us>

> A quick chat with the packager of mantis (which is responsible for
> five open CVEs on FE3 and FE4) shows that updates to 1.0.3 are
> forthcoming for FE5 (which should fix CVE-2006-1577) but there is no
> clean update path for FE3 and FE4 due to schema changes. There are
> supposedly some scripts which will do the necessary schema updates.
>
> It looks like backporting anything would be unreasonable, although I
> haven't looked closely at the source.
>
> So, a dilemma:
> 1) Push a naive update and break systems, leaving the admins to run
> the schema updates.

Not good, but probably fairly wise. Attach to the announcement the need for
manual admin intervention. If the upgrade scripts do not work then the admin
should be prepared to fix things by hand.

> 2) Run them automatically and hope they actually work.

Bad if it could break things badly. Better to make sure that the admin is
aware of what is needed. Could be ok with sufficient testing.

> 3) Leave things as they are (insecure).

Not good and another reason to EOL FE3.

> 4) Work in earnest to try to backport patches or come up with our own
> fixes.

May be best bet, though schema updates should be taken into consideration.
If I updated my FC3 or FC4 systems to FC5 there should be a proper upgrade
path.

> The maintainer also suggested that we pull mantis from FE3, although
> that can't do anything for existing installations. (He doubts there
> are any.)

Hard to say without stats from mirrors. I'd rather not pull it. It's very
hard to get the info out to everyone who may be interested. I know that some
people rebuild my extras rebuild on Aurora. I guess they don't trust my
builds but they use the SRPMS I publish.

Dennis

From tibbs at math.uh.edu Mon May 22 15:18:31 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Mon, 22 May 2006 10:18:31 -0500
Subject: Fedora Extras 3
In-Reply-To: <1148308121.2291.34.camel@localhost.localdomain> (Thorsten Leemhuis's message of "Mon, 22 May 2006 16:28:41 +0200")
References: <200605212258.43545.dennis@ausil.us> <1148308121.2291.34.camel@localhost.localdomain>
Message-ID:

>>>>> "TL" == Thorsten Leemhuis writes:

[Broken dependencies]
TL> Is it that bad?

Well, there's plague, which depends on a version of createrepo newer than
what shipped in core. Core will never issue an update, so extras stays
broken. Maybe Legacy will ship an update and we can get everything back
together. But there have been other busted dependencies for months now.

About maintaining FE3, I see the point; I was just confused. But according
to the CVE list that Dennis put together, FE3 is no worse off than FE4 is
so at this point we can fix FE3 by working on FE4. The issues are mantis
and thttpd; both have open issues even on FE5. (I'd check bugzilla for
status but it's still down.)

- J<

From tibbs at math.uh.edu Mon May 22 15:36:25 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Mon, 22 May 2006 10:36:25 -0500 Subject: Mantis and "difficult" upgrades In-Reply-To: <53605.68.254.239.133.1148310693.squirrel@webmail.ausil.us> (Dennis Gilmore's message of "Mon, 22 May 2006 10:11:33 -0500 (CDT)") References: <200605212258.43545.dennis@ausil.us> <53605.68.254.239.133.1148310693.squirrel@webmail.ausil.us> Message-ID: >>>>> "DG" == Dennis Gilmore writes: DG> Bad if it could break things badly. better to make sure that the DG> admin is aware of what is needed. Could be ok with sufficient DG> testing I looked at the mantis source and it seems to be coded to handle this well. The login page (it's a bug tracker written in PHP) checks the database schema version and, if outdated, sends you to an upgrade page. If the CVEs are serious enough, just pushing the update may be the best course of action. Otherwise we can see if it's reasonable to run the update snippet in %post. >> 3) Leave things as they are (insecure). DG> Not good and another reason to EOL FE3 FE4 has precisely the same issue in this case, so it seems this is not an option. >> 4) Work in earnest to try to backport patches or come up with our >> own fixes. DG> May be best bet. It depends on the nature of the problem. It could require someone knowledgeable in both the operation of Mantis and PHP programming. Leaves me out. - J< From bugzilla at redhat.com Tue May 23 07:53:48 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 23 May 2006 03:53:48 -0400 Subject: [Bug 192538] CVE-2006-2480: dia format string vulnerability In-Reply-To: Message-ID: <200605230753.k4N7rm9Q007933@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2480: dia format string vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192538 caolanm at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |DUPLICATE ------- Additional Comments From caolanm at redhat.com 2006-05-23 03:46 EST ------- *** This bug has been marked as a duplicate of 192699 *** -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From j.w.r.degoede at hhs.nl Tue May 23 07:51:12 2006 
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Tue, 23 May 2006 09:51:12 +0200
Subject: Dia format string vulnerabilities (new)
Message-ID: <4472BEF0.20703@hhs.nl>

Hi all,

A format string vulnerability in dia was reported in CVE-2006-2480, this has
led me to taking a closer look at the use of format strings in dia.

Yesterday I checked all the uses of:
dia's message* funcs
g_print
g_message
g_warning
dia_assert_true

And reported my findings to John Bressers (from RedHat) and Stanislav Brabec.
John has assigned CVE-2006-2453 for the additional problems I found.

This morning I also checked (and found issues and fixed) all the uses of:
gtk_message_dialog_new
gtk_message_dialog_format_secondary_text
g_error

I've attached a patch fixing all issues I found. New as of this morning are
the changes / fixes to:
app/display.c
app/filedlg.c

Regards,

Hans

p.s.

There could still be other vararg printf like functions in dia which I
didn't check. I'm in no way claiming this work is complete. With that said
I'm not planning on doing any more auditing for printf like functions in dia
in the near future.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dia-formatstring.patch
Type: text/x-patch
Size: 9181 bytes
Desc: not available
URL:

From j.w.r.degoede at hhs.nl Tue May 23 11:22:13 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Tue, 23 May 2006 13:22:13 +0200
Subject: Dia format string vulnerabilities (correction)
Message-ID: <4472F065.8000808@hhs.nl>

Hi all,

I was a bit short on time when I mailed my previous mail on this, so I
didn't test (I didn't even compile) the patch. It turns out my previous
patch contained one cut and paste error causing compilation to fail.

The attached patch fixes this and has been tested.

Regards,

Hans

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dia-0.95-formatstring.patch
Type: text/x-patch
Size: 9183 bytes
Desc: not available
URL:

From bugzilla at redhat.com Tue May 23 14:27:53 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 May 2006 10:27:53 -0400
Subject: [Bug 192830] New: CVE-2006-2453 Additional dia format string flaws
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

           Summary: CVE-2006-2453 Additional dia format string flaws
           Product: Fedora Extras
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: dia
        AssignedTo: j.w.r.degoede at hhs.nl
        ReportedBy: bressers at redhat.com
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

A number of additional format string issues were discovered by Hans de Goede
and have been assigned the CVE id CVE-2006-2453.

The fix is attachment 129852

From sbrabec at suse.cz Tue May 23 15:27:58 2006
From: sbrabec at suse.cz (Stanislav Brabec)
Date: Tue, 23 May 2006 17:27:58 +0200
Subject: Dia format string vulnerabilities (correction)
In-Reply-To: <4472F065.8000808@hhs.nl>
References: <4472F065.8000808@hhs.nl>
Message-ID: <1148398078.23638.39.camel@hammer.suse.cz>

Hans de Goede writes:
> Hi all,
>
> I was a bit short on time when I mailed my previous mail on this, so I
> didn't test (I didn't even compile) the patch. It turns out my previous
> patch contained one cut and paste error causing compilation to fail.
>
> The attached patch fixes this and has been tested.

And maybe these two extra chunks (at least in 0.94).

Found by:
grep '\(message_\(error\|warning\)\|g_\(print\|message\|warning\)\|dia_assert_true\) *([^_"]' $(find -name '*.c')

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SuSE CR, s. r. o.                         e-mail: sbrabec at suse.cz
Drahobejlova 27                           tel: +420 296 542 382
190 00 Praha 9                            fax: +420 296 542 374
Czech Republic                            http://www.suse.cz/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dia-cve-2006-2453-addon.patch
Type: text/x-patch
Size: 554 bytes
Desc: not available
URL:

From bugzilla at redhat.com Tue May 23 17:23:26 2006
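The `"%s"` rewrite that Hans's and Stanislav's patches apply, and the property the grep above hunts for (a printf-like call whose first argument is not a string literal), as an added stand-alone C example. This is not dia's code: `message_warning` here is a stand-in for dia's function of that name with a different signature (it formats into a caller-supplied buffer so the result can be checked), `warn_text` plays the role of a dia call site, `count_conversions` is an auditing helper assumed for this example, and the sample strings are constructed; the CVE numbers are the ones from this thread.

```c
/* Added example, not dia's code. Shows the two call shapes behind the
 * CVE-2006-2480 / CVE-2006-2453 fixes and the check an auditor applies
 * to any string that is about to become a format. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Stand-in for dia's message_warning() (assumed signature, not dia's).
 * The format attribute tells gcc/clang which argument must be a literal,
 * so -Wformat -Wformat-security (or -Werror=format-security) flags any
 * call that passes a variable as the format. Returns vsnprintf's count. */
static int message_warning(char *out, size_t outlen, const char *fmt, ...) PRINTF_LIKE(3, 4);

static int message_warning(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Count the '%' conversion directives in s; "%%" is a literal percent
 * sign, not a directive, and a lone trailing '%' is counted because it
 * is still not safe as a format. A non-zero result means s must only ever
 * be passed as an argument to "%s", never as the format itself. */
int count_conversions(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* The defect shape fixed in the dia patches, shown only as a comment
 * because with the attribute above a conforming compiler warns on it:
 *
 *     message_warning(out, outlen, text);      // text IS the format
 *
 * If text came from a file being imported and contained directives such
 * as "%s", vsnprintf would read through arguments that were never passed.
 * The hardened form below passes the text as an argument instead, so a
 * '%' in it is printed, not interpreted. */
int warn_text(char *out, size_t outlen, const char *text)
{
    return message_warning(out, outlen, "Warning: %s", text);
}

/* Convenience wrapper returning the formatted warning from a static
 * buffer (not thread-safe; fine for a demonstration). */
const char *warn_text_str(const char *text)
{
    static char buf[256];

    warn_text(buf, sizeof buf, text);
    return buf;
}

int main(void)
{
    /* Constructed sample: a message with a '%' in it, as a translated
     * catalog entry or an imported file's text might carry. */
    const char *sample = "No more user-definable colors: 100%d used";

    printf("%s\n", warn_text_str(sample));
    printf("directives in sample: %d\n", count_conversions(sample));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes gcc and clang report the commented-out defect shape at compile time, which is the cheap way to keep the grep sweep from being needed again; the `"%s"` form passes that check and also survives strings that are not compile-time literals, such as `_()` catalog entries, which is why Stanislav's xfig chunk is worth keeping even where the array content is fixed today.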
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 23 May 2006 13:23:26 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200605231723.k4NHNQSI017530@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 tibbs at math.uh.edu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-security- | |list at redhat.com ------- Additional Comments From tibbs at math.uh.edu 2006-05-23 13:15 EST ------- Maybe we can pull htpasswd out of a current version of Apache. I recall that's where it comes from anyway. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Tue May 23 19:35:01 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 May 2006 15:35:01 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605231935.k4NJZ1Na029071@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

j.w.r.degoede at hhs.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.95-3

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-23 15:27 EST -------
Yes, I know. Hans de Goede, that's me, the FE dia maintainer, thus also the person to whom this bug got assigned :)

Anyways 0.95-3 has been built and published for FC-5 and devel fixing this.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From j.w.r.degoede at hhs.nl Tue May 23 19:33:26 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede) Date: Tue, 23 May 2006 21:33:26 +0200 Subject: Dia format string vulnerabilities (correction) In-Reply-To: <1148398078.23638.39.camel@hammer.suse.cz> References: <4472F065.8000808@hhs.nl> <1148398078.23638.39.camel@hammer.suse.cz> Message-ID: <44736386.30201@hhs.nl> Stanislav Brabec wrote: > Hans de Goede writes: >> Hi all, >> >> I was a bit short on time when I mailed my previous mail on this, so I >> didn't test (I didn't even compile) the patch. It turns out my previous >> patch contained one cut and paste error causing compilation to fail. >> >> The attached patch fixes this and has been tested. > > And maybe these two extra chunks (at least in 0.94). > > Found by: > grep '\(message_\(error\|warning\)\|g_\(print\|message\|warning\)\|dia_assert_true\) *([^_"]' $(find -name '*.c') > > > > ------------------------------------------------------------------------ > > --- plug-ins/python/pydia-error.c > +++ plug-ins/python/pydia-error.c > @@ -98,7 +98,7 @@ > if (self->str) > g_string_append (self->str, s); > > - g_print (s); > + g_print ("%s", s); > > Py_INCREF(Py_None); > return Py_None; This one is already fixed in 0.95 > --- plug-ins/xfig/xfig-export.c > +++ plug-ins/xfig/xfig-export.c > @@ -263,7 +263,7 @@ > figWarn(XfigRenderer *renderer, int warning) > { > if (renderer->warnings[warning]) { > - message_warning(renderer->warnings[warning]); > + message_warning("%s", renderer->warnings[warning]); > renderer->warnings[warning] = NULL; > } > } Dang! missed this one Thats what you get when staring at many lines of code in over 100 files. Luckily this one isn't a security issue though. There is only one type of warning in the renderer->warnings array and this always gets initialised to: _("No more user-definable colors - using black") and is never changed, so this isn't a problem. Still I missed it. Regards, Hans From bugzilla at redhat.com Tue May 23 20:46:39 2006 
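Review bot: the pydia-error.c change from `g_print (s)` to `g_print ("%s", s)` is the right fix and needs nothing further: the same `s` is appended verbatim to `self->str` two lines earlier in the hunk, so it is data, not a format, and must never reach the format parser. Hans's reply confirms 0.95 already carries this.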
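Review bot: the xfig-export.c hunk should still be applied even though the only value ever stored in `renderer->warnings[]` is the fixed string Hans quotes. That string is wrapped in `_()`, so the bytes actually handed to `message_warning()` are whatever the active message catalog supplies for that msgid, and a translation containing `%` directives would be interpreted as a format. Passing it as the argument to a literal `"%s"` costs nothing and removes the dependency on catalog contents.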
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 23 May 2006 16:46:39 -0400 Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws In-Reply-To: Message-ID: <200605232046.k4NKkdah003777@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2453 Additional dia format string flaws https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830 ------- Additional Comments From bressers at redhat.com 2006-05-23 16:39 EST ------- Right, I added the text so nobody would mistakenly attribute me as the author of the fix. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed May 24 16:56:33 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 12:56:33 -0400 Subject: [Bug 192983] New: Remote termination security issue Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983 Summary: Remote termination security issue Product: Fedora Extras Version: fc5 Platform: All URL: http://www.securityfocus.com/archive/1/434908/30/0/threa ded OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: netpanzer AssignedTo: hugo at devin.com.br ReportedBy: tibbs at math.uh.edu QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com The netPanzer server is subject to a DOS; it can be made to crash remotely. Versions 0.8 and lower are vulnerable. http://www.securityfocus.com/archive/1/434908/30/0/threaded A CVE has not yet been assigned for this issue. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed May 24 17:19:47 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 13:19:47 -0400 Subject: [Bug 192983] Remote termination security issue In-Reply-To: Message-ID: <200605241719.k4OHJldu017392@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Remote termination security issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983 ------- Additional Comments From jkosin at beta.intcomgrp.com 2006-05-24 13:11 EST ------- I'm not sure if I'd call a game that terminates unexpectedly a security risk. But, to fix we should probably find out what values for FrameNum are acceptable and who is causing the problem to fail the ASSERT(). -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed May 24 17:20:07 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 13:20:07 -0400 Subject: [Bug 192990] New: CVE-2005-2295 - netpanzer server remote DOS Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990 Summary: CVE-2005-2295 - netpanzer server remote DOS Product: Fedora Extras Version: fc5 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-2295 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: netpanzer AssignedTo: hugo at devin.com.br ReportedBy: tibbs at math.uh.edu QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com (from the CVE): NetPanzer 0.8 and earlier allows remote attackers to cause a denial of service (infinite loop) via a packet with a zero datablock size. It seems this has been fixed in upstream SVN, but no release has been made and unfortunately upstream webSVN seems not to be responding for me. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed May 24 17:25:28 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 13:25:28 -0400 Subject: [Bug 192983] Remote termination security issue In-Reply-To: Message-ID: <200605241725.k4OHPSVx017718@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Remote termination security issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983 ------- Additional Comments From tibbs at math.uh.edu 2006-05-24 13:17 EST ------- (In reply to comment #1) > I'm not sure if I'd call a game that terminates unexpectedly a security risk. Any less than we'd call a web server that terminates unexpectedly a security risk? But hey, if folks want to agree that we don't add remote termination issues for "noncritical" applications (along with a definition of just what is considered noncritical) then I'll abide by that. Does the perception change if a CVE is issued? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From tibbs at math.uh.edu Wed May 24 17:32:42 2006 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Wed, 24 May 2006 12:32:42 -0500 Subject: Form of submitted security issues Message-ID: OK, I submitted a couple of security issues. Could someone comment on whether I followed the proper procedure, use the proper form for entries in the audit list, etc? Also, one of the bugs was noted as perhaps not being a security issue. I don't really want to be in the position of deciding what is and is not a security issue, but I'd like to know: is there agreement that I should not have entered one or both of those issues at all? - J< From smooge at gmail.com Wed May 24 17:36:11 2006 
From: smooge at gmail.com (Stephen John Smoogen)
Date: Wed, 24 May 2006 11:36:11 -0600
Subject: Form of submitted security issues
In-Reply-To:
References:
Message-ID: <80d7e4090605241036r1982e0a9x70d0bf1a5de600d1@mail.gmail.com>

On 5/24/06, Jason L Tibbitts III wrote:
> OK, I submitted a couple of security issues. Could someone comment on
> whether I followed the proper procedure, use the proper form for
> entries in the audit list, etc?
>

A couple of things: Where did you submit them? If it was bugzilla, what are their numbers for review?

> Also, one of the bugs was noted as perhaps not being a security issue.
> I don't really want to be in the position of deciding what is and is
> not a security issue, but I'd like to know: is there agreement that I
> should not have entered one or both of those issues at all?
>
> - J<
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
>

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

From bugzilla at redhat.com Wed May 24 17:37:20 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 24 May 2006 13:37:20 -0400
Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS
In-Reply-To:
Message-ID: <200605241737.k4OHbK5P018443@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2005-2295 - netpanzer server remote DOS
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-24 13:29 EST -------
Erm, Tibbs, isn't this a duplicate of 192983? I understand you want to have a bug with the CVE in the summary now that there is a CVE, but you could have just changed the summary of 192983. I'm inclined to close this as a dup of 192983, but I'll leave that up to you or Hugo.

Hugo, let me know if you need any assistance with this one.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Wed May 24 17:39:46 2006
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 13:39:46 -0400 Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS In-Reply-To: Message-ID: <200605241739.k4OHdkMW018686@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2005-2295 - netpanzer server remote DOS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990 kaboom at oobleck.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kaboom at oobleck.net ------- Additional Comments From kaboom at oobleck.net 2006-05-24 13:31 EST ------- They're two different bugs -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From kaboom at oobleck.net Wed May 24 17:38:30 2006 From: kaboom at oobleck.net (Chris Ricker) Date: Wed, 24 May 2006 13:38:30 -0400 (EDT) Subject: Form of submitted security issues In-Reply-To: References: Message-ID: On Wed, 24 May 2006, Jason L Tibbitts III wrote: > OK, I submitted a couple of security issues. Could someone comment on > whether I followed the proper procedure, use the proper form for > entries in the audit list, etc? > > Also, one of the bugs was noted as perhaps not being a security issue. > I don't really want to be in the position of deciding what is and is > not a security issue, but I'd like to know: is there agreement that I > should not have entered one or both of those issues at all? I think it's fairly clear that a remotely produced crash of a daemon is a security problem with that daemon later, chris From tibbs at math.uh.edu Wed May 24 17:43:42 2006 
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 24 May 2006 12:43:42 -0500
Subject: Form of submitted security issues
In-Reply-To: <80d7e4090605241036r1982e0a9x70d0bf1a5de600d1@mail.gmail.com> (Stephen John Smoogen's message of "Wed, 24 May 2006 11:36:11 -0600")
References: <80d7e4090605241036r1982e0a9x70d0bf1a5de600d1@mail.gmail.com>
Message-ID:

>>>>> "SJS" == Stephen John Smoogen writes:

SJS> Where did you submit them?

To bugzilla, about ten minutes ago. This list was CC'd so the requests should have made it here, but perhaps you filter bugzilla stuff off to another folder.

I also checked entries into the issue lists. The bugzilla IDs are 192983 and 192990; the lines added to the issue lists in CVS are:

none VULNERABLE (netpanzer) bz#192983
CVE-2005-2295 VULNERABLE (netpanzer) bz#192990

- J<

From bugzilla at redhat.com Wed May 24 17:57:59 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 24 May 2006 13:57:59 -0400
Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS
In-Reply-To:
Message-ID: <200605241757.k4OHvxqC019736@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2005-2295 - netpanzer server remote DOS
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990

------- Additional Comments From tibbs at math.uh.edu 2006-05-24 13:50 EST -------
Yes, this is an older issue that I noticed when searching the CVE database for netpanzer issues. It has a fix in SVN although I wasn't able to extract it; the other bug has no fix that I know of.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Wed May 24 21:44:43 2006
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 May 2006 17:44:43 -0400 Subject: [Bug 192983] Remote termination security issue In-Reply-To: Message-ID: <200605242144.k4OLihgT006503@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Remote termination security issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983 ------- Additional Comments From hugo at devin.com.br 2006-05-24 17:37 EST ------- Any fixes would be good to include. I'm currently watching this issue, as I am not a good programmer, I can't look at the source code at the time. However I'll try to make some efforts on this. If you have any updates, tell me. Regarding bug #192990, I'll look, make a patch from svn and update the release. Thanks for the attention. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed May 24 21:44:50 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 24 May 2006 17:44:50 -0400
Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS
In-Reply-To:
Message-ID: <200605242144.k4OLio58006530@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2005-2295 - netpanzer server remote DOS
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990

------- Additional Comments From hugo at devin.com.br 2006-05-24 17:37 EST -------
I'm currently looking at this as I'm getting the updated source code from the svn repository. A patch and a new release will follow shortly.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Wed May 24 23:24:27 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 24 May 2006 19:24:27 -0400
Subject: [Bug 192983] CVE-2006-2575 Remote termination security issue
In-Reply-To:
Message-ID: <200605242324.k4ONORbq009999@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2575 Remote termination security issue
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983

bressers at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Remote termination security |CVE-2006-2575 Remote
                   |issue                       |termination security issue

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bressers at redhat.com Wed May 24 23:30:27 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 24 May 2006 19:30:27 -0400
Subject: Form of submitted security issues
In-Reply-To: Your message of "Wed, 24 May 2006 12:32:42 CDT."
Message-ID: <200605242330.k4ONURkL027610@devserv.devel.redhat.com>

> OK, I submitted a couple of security issues. Could someone comment on
> whether I followed the proper procedure, use the proper form for
> entries in the audit list, etc?

It looks fine. Don't ever worry about that, we keep these in CVS so it's easy to fix mistakes or disagreements. Something we should all keep in mind is the format and how to improve it. I've come to think that the 'bz' before each bug is a bit silly and a waste of space.

>
> Also, one of the bugs was noted as perhaps not being a security issue.
> I don't really want to be in the position of deciding what is and is
> not a security issue, but I'd like to know: is there agreement that I
> should not have entered one or both of those issues at all?

If it has a CVE id (which they both do now), it goes in the file. We can decide if something should be considered a security issue or not though. In those instances, we'll put an entry like this (assuming somehow a CVE id got assigned to someone claiming that losing to the computer is a security flaw).

CVE-XXXX-XXXX ignore (netpanzer) losing to bots is not an issue

--
JB

From bugzilla at redhat.com Fri May 26 15:05:10 2006
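The issue-list lines quoted in this thread (Jason's two entries and Josh's 'ignore' example) are simple enough to check mechanically. The parser below is an added example, not a tool from the fedora-security CVS: it reads lines of the shape id, status, package in parentheses, free text with bz#NNNN references, and flags the entries Josh's rules say still need attention (a VULNERABLE entry with no bug, an id of 'none' waiting on a CVE, a CVE listed twice for one package). Statuses other than VULNERABLE and ignore, the '#' comment convention, and the sample list are assumptions for the example.

```python
"""Parse and sanity-check fe4/fe5 issue-list lines like the ones quoted above.

Added example, not a tool from the fedora-security CVS. The line shape is
taken from the three entries posted in this thread; statuses other than
VULNERABLE and ignore, and the '#' comment convention, are assumed.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "cve status package note bugs")

_LINE = re.compile(
    r"^(?P<cve>CVE-(?:\d{4}|XXXX)-(?:\d{4,}|XXXX)|none)\s+"
    r"(?P<status>\S+)\s+\((?P<package>[^)]+)\)\s*(?P<note>.*)$"
)
_BUG = re.compile(r"\bbz#(\d+)")


def parse_line(line):
    """Turn one issue-list line into an Entry; raise on anything malformed."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("unparseable issue-list line: %r" % line)
    bugs = tuple(int(b) for b in _BUG.findall(m.group("note")))
    return Entry(m.group("cve"), m.group("status"), m.group("package"),
                 m.group("note"), bugs)


def parse(text):
    """Parse a whole file, skipping blank lines and '#' comments (assumed convention)."""
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check(entries):
    """Return (problems, open_by_package).

    problems: entries that still need work under the rules Josh describes:
      - VULNERABLE with no bug reference, so nobody owns the fix;
      - id 'none', which must be replaced once a CVE is assigned;
      - the same CVE listed twice for one package.
    open_by_package: VULNERABLE entries grouped by package, for checking
    against what Extras currently ships.
    """
    problems, open_by_pkg, seen = [], {}, set()
    for e in entries:
        if e.status.upper() == "VULNERABLE":
            open_by_pkg.setdefault(e.package, []).append(e)
            if not e.bugs:
                problems.append("%s (%s): VULNERABLE without a bz# reference"
                                % (e.cve, e.package))
        if e.cve == "none":
            problems.append("(%s) bz#%s: no CVE id yet, revisit when one is assigned"
                            % (e.package, ",".join(str(b) for b in e.bugs) or "?"))
        key = (e.cve, e.package)
        if e.cve != "none" and key in seen:
            problems.append("%s (%s): listed twice" % key)
        seen.add(key)
    return problems, open_by_pkg


# Constructed sample: the two lines Jason added plus Josh's 'ignore' example.
SAMPLE = """\
# fe5 issue list (constructed sample)
none VULNERABLE (netpanzer) bz#192983
CVE-2005-2295 VULNERABLE (netpanzer) bz#192990
CVE-XXXX-XXXX ignore (netpanzer) losing to bots is not an issue
"""

if __name__ == "__main__":
    problems, open_by_pkg = check(parse(SAMPLE))
    for p in problems:
        print("problem:", p)
    for pkg, entries in sorted(open_by_pkg.items()):
        print("%s: %d open" % (pkg, len(entries)))
```

On the sample the only problem reported is the 'none' entry for bz#192983, which is exactly the line that needs editing once its CVE shows up; dropping the `bz` prefix Josh mentions would only require changing the `_BUG` pattern.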
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 26 May 2006 11:05:10 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200605261505.k4QF5AWl008616@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From matthias at rpmforge.net 2006-05-26 10:57 EST ------- Yeah, I guess. Patch welcome if you want that done real quick :-) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri May 26 15:29:49 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 26 May 2006 11:29:49 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200605261529.k4QFTnX0010464@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From tibbs at math.uh.edu 2006-05-26 11:22 EST ------- I did some comparisons but the htpasswd.c in thttpd is so old that it doesn't resemble any of the code in the Apache versions I have around. There's one comment in the thttpd htpasswd.c that concerns me: /* Modified 29aug97 by Jef Poskanzer to accept new password on stdin, ** if stdin is a pipe or file. This is necessary for use from CGI. I don't know that the Apache htpasswd.c supports this; if not, it would have to be hacked back in. I'll attach the current Apache htpasswd.c. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri May 26 15:31:24 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 26 May 2006 11:31:24 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200605261531.k4QFVO40010573@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From tibbs at math.uh.edu 2006-05-26 11:23 EST ------- Created an attachment (id=130028) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130028&action=view) htpasswd.c from current Apache -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 27 23:32:25 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 27 May 2006 19:32:25 -0400 Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws In-Reply-To: Message-ID: <200605272332.k4RNWP8O028722@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2453 Additional dia format string flaws https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830 deisenst at gtw.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bugs at fedoralegacy.org ------- Additional Comments From deisenst at gtw.net 2006-05-27 19:24 EST ------- Have a question. If this has been fixed for FC5 (or, I guess the technically correct moniker would be "FE5"), and this is a security issue -- so people who need to know (and don't have yum automatically set to update their FC5 systems) DO know that this has been fixed -- should there not be an announcement for this fix and the CVE-2006-2480 fix (in Bug 192535) published to the fedora-package-announce list, like Caolan McNamara's announcement here?: http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html Not everybody has yum working to automatically update their FC5 installs, so unless there is an announcement somewhere, how will they know to update their dia to dia-0.95-3?? Another unrelated question: Do you mind if we in Fedora Legacy backport the fixes you made for maintaining the older legacy versions of dia? If so, may we include you, Hans, in the cc: list for such a bugzilla entry? The open Bugzilla Bug Fedora Legacy has for dia currently is Bug #190942, in which we also discovered that the CVE-2005-2966 may not have been covered either here, in FC, or in RHEL... (This CVE may not affect FedoraExtras, but may affect Fedora Core 4, RHEL 4/3/2.x?...) 
-- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat May 27 23:47:23 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 27 May 2006 19:47:23 -0400 Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws In-Reply-To: Message-ID: <200605272347.k4RNlNMe029547@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2453 Additional dia format string flaws https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830 deisenst at gtw.net changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |190942 nThis| | -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun May 28 09:57:11 2006 
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 28 May 2006 05:57:11 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605280957.k4S9vBbY000396@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-28 05:49 EST -------
(In reply to comment #3)
> Have a question. If this has been fixed for FC5 (or, I guess the technically
> correct moniker would be "FE5"), and this is a security issue -- so people who
> need to know (and don't have yum automatically set to update their FC5 systems)
> DO know that this has been fixed -- should there not be an announcement for this
> fix and the CVE-2006-2480 fix (in Bug 192535) published to the
> fedora-package-announce list, like Caolan McNamara's announcement here?:
>
> http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html
>
> Not everybody has yum working to automatically update their FC5 installs, so
> unless there is an announcement somewhere, how will they know to update their
> dia to dia-0.95-3??
>

I agree, an announcement should be sent for this and for bug 192535. I've asked the Fedora Security Response Team to post such an announcement in bug 192535, but no response so far.

> Another unrelated question: Do you mind if we in Fedora Legacy backport the
> fixes you made for maintaining the older legacy versions of dia?

Not at all. I've also submitted the patch upstream, where it has been committed into CVS; as far as I'm concerned the patch is under the same license as dia.

> If so, may we
> include you, Hans, in the cc: list for such a bugzilla entry? The open Bugzilla
> Bug Fedora Legacy has for dia currently is Bug #190942

Feel free to add me to the CC.
> In which we also
> discovered that the CVE-2005-2966 may not have been covered either here, in FC,
> or in RHEL... (This CVE may not affect FedoraExtras, but may affect Fedora Core
> 4, RHEL 4/3/2.x?...)

I think this CVE was 0.95 pre-release specific, but I'm not sure. I did a diff between the affected and the unaffected dia 0.95-pre releases and both the total diff and the relevant part of the diff were small, and the fix was small and sane. Unfortunately I didn't keep the fix around as a separate patch, but backporting it, if it does affect older versions, should be simple.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Sun May 28 16:22:33 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 28 May 2006 12:22:33 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605281622.k4SGMXUA010553@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

------- Additional Comments From dennis at ausil.us 2006-05-28 12:14 EST -------
(In reply to comment #4)
> I agree, an announcement should be sent for this and for bug 192535. I've asked
> the Fedora Security Response Team to post such an announcement in bug 192535,
> but no response so far.

Hans, you need to send your own announcements. Post them to the list and Jesse Keating will review and send it through.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Sun May 28 17:15:53 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 28 May 2006 13:15:53 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605281715.k4SHFrSC012077@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-05-28 13:08 EST -------
Ok, template? Also, is this procedure described anywhere? If I don't know, while I'm subscribed to fedora-security-list and somewhat interested in security, I doubt many others know.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Sun May 28 17:21:06 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 28 May 2006 13:21:06 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605281721.k4SHL62Z012239@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

------- Additional Comments From dennis at ausil.us 2006-05-28 13:13 EST -------
https://www.redhat.com/archives/fedora-package-announce/2006-May/msg00095.html

That's from what I sent for kphone. This is something that is not described anywhere. The three announcements I sent for kphone are the only extras announcements ever. I would base it on that.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Sun May 28 17:31:26 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 28 May 2006 13:31:26 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To:
Message-ID: <200605281731.k4SHVQa7012402@bugzilla.redhat.com>

Summary: CVE-2006-2453 Additional dia format string flaws
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830

------- Additional Comments From ville.skytta at iki.fi 2006-05-28 13:23 EST -------
I don't think anyone knows more about the status of announcements/templates
than what was recently discussed in the thread starting from
https://www.redhat.com/archives/fedora-security-list/2006-May/msg00066.html

From j.w.r.degoede at hhs.nl Tue May 30 11:23:55 2006
From: j.w.r.degoede at hhs.nl (Hans de Goede)
Date: Tue, 30 May 2006 13:23:55 +0200
Subject: (Small) software that needs code audit
Message-ID: <447C2B4B.80900@hhs.nl>

Hi,

As some of you already know, I'm a computer science teacher at a Dutch
university. Currently I'm giving a course about security.

For my next practical lesson I want my students to do an audit of a small
piece of C code. Nothing fancy really, just looking for sprintf instead of
snprintf, gets instead of fgets, etc. And format string vulnerabilities.

Does anyone know of some (small!) piece of software in Fedora (Extras) that
could benefit from this?

And are there any other simple checks my students could do?

Any findings will of course be published.

Thanks & Regards,

Hans

From bressers at redhat.com Tue May 30 12:31:01 2006
From: bressers at redhat.com (Josh Bressers)
Date: Tue, 30 May 2006 08:31:01 -0400
Subject: (Small) software that needs code audit
In-Reply-To: Your message of "Tue, 30 May 2006 13:23:55 +0200." <447C2B4B.80900@hhs.nl>
Message-ID: <200605301231.k4UCV11X009451@devserv.devel.redhat.com>

> Hi,
>
> As some of you already know, I'm a computer science teacher at a Dutch
> university. Currently I'm giving a course about security.
>
> For my next practical lesson I want my students to do an audit of a small
> piece of C code. Nothing fancy really, just looking for sprintf instead
> of snprintf, gets instead of fgets, etc. And format string vulnerabilities.
>
> Does anyone know of some (small!) piece of software in Fedora (Extras)
> that could benefit from this?
>
> And are there any other simple checks my students could do?

Checking for programs that call open(2) with O_CREAT and don't specify a
mode. It's a terribly easy thing to look for and can be an annoying bug. As
for having students do it, it has the advantage of making them do some code
analysis, since not all botched open calls are security issues.

If I call open as such:

    open("/tmp/feh", O_CREAT);

I end up with a file called /tmp/feh with nearly random permissions (bits
are sucked off the stack to set the permissions). It's possible the file
could be written as world writable (or many other permissions, I'll let you
think about the possibilities).

I should have called open like this:

    open("/tmp/feh", O_CREAT, 0);

Or, if I don't want to change the permissions later, I can supply a non-zero
mode.

It's also a fine idea to look for improper usage of temporary files: using
mktemp(3) instead of mkstemp(3).

If I could suggest, part of your class should teach responsible and sane
disclosure. A while back another CS teacher did a similar thing with a
class, and at the end of the class dumped a big email to full-disclosure
detailing the problems.
Luckily none of them were that terribly critical, but there was much
scrambling since triaging 30+ issues is painful. Part of finding and fixing
security issues is communicating the fixes upstream and deciding what to do
about disclosure.

I love hearing about classes such as this, good luck :)

--
JB

From wart at kobold.org Wed May 31 14:46:32 2006
From: wart at kobold.org (Wart)
Date: Wed, 31 May 2006 07:46:32 -0700
Subject: (Small) software that needs code audit
In-Reply-To: <447C2B4B.80900@hhs.nl>
References: <447C2B4B.80900@hhs.nl>
Message-ID: <447DAC48.4020707@kobold.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hans de Goede wrote:
> Hi,
>
> As some of you already know I'm a computer science teacher at a Dutch
> university. Currently I'm giving a course about security.
>
> For my next practical lesson I want my students to do an audit of a small
> piece of C code. Nothing fancy really, just looking for sprintf instead
> of snprintf, gets instead of fgets, etc. And format string vulnerabilities.
>
> Does anyone know of some (small!) piece of software in Fedora (Extras)
> that could benefit from this?
>
> And are there any other simple checks my students could do?
>
> Any findings will of course be published.

Many of the games in the bsd-games package are fairly small (one or two .c
files) and could probably use an audit. Since most of them don't run setgid,
and drop any gid privileges before doing anything anyway, security hasn't
been an issue with them.

- --Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEfaxGDeYlPfs40g8RAqRPAJ9cpNgcMKsWH+RcUgUZ70LXR/cl6wCfZ486
tcVCdQyTg+KEUAE3GnxAD5o=
=OxCz
-----END PGP SIGNATURE-----
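The two fixes Josh describes in his reply above (always pass a mode to open(2) with O_CREAT; use mkstemp(3) rather than mktemp(3)), written out as working C. This is an added example, not code from any list member or from a Fedora package; the function names fd_is_private, create_private_file and make_private_tempfile and the /tmp path are my own choices for illustration. It goes one step beyond the message by checking the result with fstat(), so a mode that came out wrong for any reason (a stray umask, a wrong constant) is caught rather than assumed.

```c
/* Added example, not from the thread: the corrected file-creation idioms.
 * The mode is always passed explicitly, O_EXCL makes the call fail if the
 * name already exists (a symlink planted there is not followed), and
 * fstat() confirms the outcome instead of trusting it. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is a regular file whose permission bits are exactly 0600. */
int fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600;
}

/* The fixed form of open("/tmp/feh", O_CREAT): the third argument is
 * present, so nothing left on the stack can become the file mode.
 * Returns an fd, or -1 if the file already exists or the mode is wrong. */
int create_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (!fd_is_private(fd)) {       /* e.g. an unexpected umask */
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* mkstemp(3) instead of mktemp(3): the name is chosen and the file created
 * with O_EXCL in one call, so nothing can be planted at that name between
 * "pick a name" and "open it". template must end in XXXXXX and is
 * overwritten with the name actually used. */
int make_private_tempfile(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    if (!fd_is_private(fd)) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

int main(void)
{
    char name[] = "/tmp/audit-demo-XXXXXX";   /* constructed path */
    int fd = make_private_tempfile(name);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s with mode 0600\n", name);
    /* A second attempt at the same name must fail: O_EXCL is doing its job. */
    printf("second create returned %d (expected -1)\n", create_private_file(name));
    close(fd);
    unlink(name);
    return 0;
}
```

The check for an exact 0600 is deliberately strict; a program that needs a different mode should state that mode in the call and verify that one instead.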
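The checklist the thread converges on (open() with O_CREAT and no mode, gets instead of fgets, sprintf instead of snprintf, mktemp instead of mkstemp) is simple enough to turn into a small lint that students can run over a source tree before reading by hand. The following is an added example and not a tool from the thread or from Fedora; audit_line, count_args, the F_* flags and the sample source lines are all constructed for illustration. It is a text heuristic, not a C parser, and the lead-in comment in the code says what it misses.

```c
/* Added example, not from the thread: a line-oriented lint for the manual
 * checks discussed above. It flags open() called with O_CREAT but no mode,
 * plus gets(), sprintf() and mktemp(). It works on source text, not a
 * parse tree: calls split across lines, flags held in a variable
 * (open(p, flags)) and parentheses inside string literals are not handled,
 * so treat its output as a list of places to read, not a verdict. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { F_OPEN_NO_MODE = 1, F_GETS = 2, F_SPRINTF = 4, F_MKTEMP = 8 };

static int ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Find a call to exactly `name` (so fopen/fgets/snprintf do not match
 * open/gets/sprintf) and return a pointer to its '(' or NULL. */
static const char *find_call(const char *line, const char *name)
{
    size_t n = strlen(name);
    const char *p = line;
    while ((p = strstr(p, name)) != NULL) {
        int at_start = (p == line) || !ident_char(p[-1]);
        const char *q = p + n;
        while (*q == ' ' || *q == '\t')
            q++;
        if (at_start && *q == '(')
            return q;
        p += n;
    }
    return NULL;
}

/* Count top-level arguments of the call whose '(' is at paren, copying the
 * argument text into buf. Returns -1 if the ')' is not on this line. */
static int count_args(const char *paren, char *buf, size_t buflen)
{
    int depth = 0, commas = 0, nonblank = 0;
    size_t i = 0;
    const char *p;
    for (p = paren; *p; p++) {
        if (*p == '(' && depth++ == 0)
            continue;                    /* the call's own '(' */
        if (*p == ')' && --depth == 0)
            break;                       /* the call's own ')' */
        if (*p == ',' && depth == 1)
            commas++;
        if (!isspace((unsigned char)*p))
            nonblank = 1;
        if (i + 1 < buflen)
            buf[i++] = *p;
    }
    buf[i] = '\0';
    if (*p != ')')
        return -1;
    return nonblank ? commas + 1 : 0;
}

/* Audit one source line; returns a bitmask of F_* findings. */
int audit_line(const char *line)
{
    int findings = 0;
    char args[512];
    const char *paren = find_call(line, "open");
    if (paren != NULL) {
        int n = count_args(paren, args, sizeof args);
        if (n >= 0 && n < 3 && strstr(args, "O_CREAT") != NULL)
            findings |= F_OPEN_NO_MODE;
    }
    if (find_call(line, "gets"))
        findings |= F_GETS;
    if (find_call(line, "sprintf"))
        findings |= F_SPRINTF;
    if (find_call(line, "mktemp"))
        findings |= F_MKTEMP;
    return findings;
}

/* Constructed sample source lines (not from any real Fedora package). */
static const char *const sample[] = {
    "    fd = open(\"/tmp/feh\", O_CREAT);",
    "    fd = open(\"/tmp/feh\", O_CREAT | O_EXCL | O_WRONLY, 0600);",
    "    fp = fopen(path, \"w\");",
    "    gets(buf);",
    "    fgets(buf, sizeof buf, stdin);",
    "    sprintf(buf, \"%s\", name);",
    "    snprintf(buf, sizeof buf, \"%s\", name);",
    "    mktemp(tmpl); fd = open(tmpl, O_CREAT | O_EXCL | O_WRONLY, 0600);",
    "    fd = mkstemp(tmpl);",
};

/* Run the lint over the sample; returns how many lines were flagged. */
int audit_sample(void)
{
    int flagged = 0;
    size_t i;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int f = audit_line(sample[i]);
        if (f == 0)
            continue;
        flagged++;
        printf("line %zu:%s%s%s%s\n", i + 1,
               f & F_OPEN_NO_MODE ? " open-without-mode" : "",
               f & F_GETS ? " gets" : "",
               f & F_SPRINTF ? " sprintf" : "",
               f & F_MKTEMP ? " mktemp" : "");
    }
    return flagged;
}

int main(void)
{
    printf("%d of %zu lines flagged\n", audit_sample(),
           sizeof sample / sizeof sample[0]);
    return 0;
}
```

Of the nine sample lines, four are flagged (the bare O_CREAT open, gets, sprintf and mktemp); the fopen/fgets/snprintf/mkstemp lines pass because the match insists on a whole identifier, which is exactly the false positive a naive grep would produce.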