rpms/am-utils/devel am-utils-6.1.5-expn-temp.patch, NONE, 1.1 am-utils.spec, 1.46, 1.47
Karel Zak (kzak)
fedora-extras-commits at redhat.com
Thu May 29 10:53:06 UTC 2008
Author: kzak
Update of /cvs/pkgs/rpms/am-utils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17656
Modified Files:
am-utils.spec
Added Files:
am-utils-6.1.5-expn-temp.patch
Log Message:
* Thu May 29 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-10
- fix #435420 - CVE-2008-1078 am-utils: insecure usage of temporary files
am-utils-6.1.5-expn-temp.patch:
--- NEW FILE am-utils-6.1.5-expn-temp.patch ---
CVE-2008-1078 am-utils: insecure usage of temporary files
Addresses-Red-Hat-Bugzilla: #435420
Signed-off-by: Karel Zak <kzak at redhat.com>
diff -up am-utils-6.1.5/scripts/expn.in.kzak am-utils-6.1.5/scripts/expn.in
--- am-utils-6.1.5/scripts/expn.in.kzak 2008-05-29 12:43:19.000000000 +0200
+++ am-utils-6.1.5/scripts/expn.in 2008-05-29 12:44:20.000000000 +0200
@@ -9,6 +9,7 @@
# hardcoded constants, should work fine for BSD-based systems
#require 'sys/socket.ph'; # perl 4
use Socket; # perl 5
+use Fcntl
$AF_INET = &AF_INET;
$SOCK_STREAM = &SOCK_STREAM;
@@ -1009,7 +1010,7 @@ sub mxlookup
}
$0 = "$av0 - nslookup of $server";
- open(T,">/tmp/expn$$") || die "open > /tmp/expn$$: $!\n";
+ sysopen(T,"/tmp/expn$$", O_EXCL | O_CREAT) || die "open > /tmp/expn$$: $!\n";
print T "set querytype=MX\n";
print T "$server\n";
close(T);
Index: am-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/am-utils/devel/am-utils.spec,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- am-utils.spec 21 May 2008 19:20:26 -0000 1.46
+++ am-utils.spec 29 May 2008 10:52:22 -0000 1.47
@@ -1,7 +1,7 @@
Summary: Automount utilities including an updated version of Amd
Name: am-utils
Version: 6.1.5
-Release: 9%{?dist}
+Release: 10%{?dist}
License: BSD
Epoch: 5
Group: System Environment/Daemons
@@ -44,6 +44,8 @@
Patch3: am-utils-6.1.5-UTS_RELEASE.patch
# Build system bugfixes
Patch4: am-utils-6.1.5-buildsys.patch
+# 435420 - CVE-2008-1078 am-utils: insecure usage of temporary files
+Patch5: am-utils-6.1.5-expn-temp.patch
# We need to filter out some perl requirements for now.
%define _use_internal_dependency_generator 0
@@ -66,7 +68,8 @@
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1 -b .kzak
+%patch4 -p1
+%patch5 -p1
find_requires=%{old_find_requires}
echo "$find_requires | grep -v lostaltmail.conf" > find-requires
@@ -171,6 +174,9 @@
%{_libdir}/libamu.so*
%changelog
+* Thu May 29 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-10
+- fix #435420 - CVE-2008-1078 am-utils: insecure usage of temporary files
+
* Tue May 20 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-9
- spec file cleanup according to rpmlint
- fix autotools stuff
More information about the fedora-extras-commits
mailing list