rpms/am-utils/devel am-utils-6.1.5-expn-temp.patch, NONE, 1.1 am-utils.spec, 1.46, 1.47

Karel Zak (kzak) fedora-extras-commits at redhat.com
Thu May 29 10:53:06 UTC 2008


Author: kzak

Update of /cvs/pkgs/rpms/am-utils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17656

Modified Files:
	am-utils.spec 
Added Files:
	am-utils-6.1.5-expn-temp.patch 
Log Message:
* Thu May 29 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-10
- fix #435420 - CVE-2008-1078 am-utils: insecure usage of temporary files


am-utils-6.1.5-expn-temp.patch:

--- NEW FILE am-utils-6.1.5-expn-temp.patch ---

CVE-2008-1078 am-utils: insecure usage of temporary files

Addresses-Red-Hat-Bugzilla: #435420
Signed-off-by: Karel Zak <kzak at redhat.com>

diff -up am-utils-6.1.5/scripts/expn.in.kzak am-utils-6.1.5/scripts/expn.in
--- am-utils-6.1.5/scripts/expn.in.kzak	2008-05-29 12:43:19.000000000 +0200
+++ am-utils-6.1.5/scripts/expn.in	2008-05-29 12:44:20.000000000 +0200
@@ -9,6 +9,7 @@
 # hardcoded constants, should work fine for BSD-based systems
 #require 'sys/socket.ph';	# perl 4
 use Socket;			# perl 5
+use Fcntl
 $AF_INET = &AF_INET;
 $SOCK_STREAM = &SOCK_STREAM;
 
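Review bot: The added `use Fcntl` line has no terminating semicolon, so Perl parses the following `$AF_INET = &AF_INET;` as the import list of the `use` statement rather than as a separate assignment. Depending on how the module's import routine treats that value, the script may fail at compile time or not import the symbols as intended, which would leave the `O_EXCL`/`O_CREAT` constants used in the mxlookup hunk unreliable. The line should read `use Fcntl;`.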
@@ -1009,7 +1010,7 @@ sub mxlookup
 	}
 
 	$0 = "$av0 - nslookup of $server";
-	open(T,">/tmp/expn$$") || die "open > /tmp/expn$$: $!\n";
+	sysopen(T,"/tmp/expn$$", O_EXCL | O_CREAT) || die "open > /tmp/expn$$: $!\n";
 	print T "set querytype=MX\n";
 	print T "$server\n";
 	close(T);
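Review bot: The new `sysopen` call passes only `O_EXCL | O_CREAT` and no access mode, so on systems where `O_RDONLY` is 0 the handle is opened read-only and the `print T` calls that follow cannot write the nslookup commands. Their return values are not checked, so the failure would probably be silent. The call should request write access and an explicit restrictive mode: `sysopen(T, "/tmp/expn$$", O_WRONLY | O_CREAT | O_EXCL, 0600) || die "open > /tmp/expn$$: $!\n";`. `O_EXCL` stops the script from following a pre-planted file or symlink, but the name is still predictable from the PID, so an existing file at that path makes the lookup die; a name generated by File::Temp would avoid that. mxlookup begins and ends outside this hunk, so how the file is later consumed and removed is not visible here.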


Index: am-utils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/am-utils/devel/am-utils.spec,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- am-utils.spec	21 May 2008 19:20:26 -0000	1.46
+++ am-utils.spec	29 May 2008 10:52:22 -0000	1.47
@@ -1,7 +1,7 @@
 Summary: Automount utilities including an updated version of Amd
 Name: am-utils
 Version: 6.1.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: BSD
 Epoch: 5
 Group: System Environment/Daemons
@@ -44,6 +44,8 @@
 Patch3: am-utils-6.1.5-UTS_RELEASE.patch
 # Build system bugfixes
 Patch4: am-utils-6.1.5-buildsys.patch
+# 435420 - CVE-2008-1078 am-utils: insecure usage of temporary files
+Patch5: am-utils-6.1.5-expn-temp.patch
 
 # We need to filter out some perl requirements for now.
 %define _use_internal_dependency_generator 0
@@ -66,7 +68,8 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1 -b .kzak
+%patch4 -p1
+%patch5 -p1
 
 find_requires=%{old_find_requires}
 echo "$find_requires | grep -v lostaltmail.conf" > find-requires
@@ -171,6 +174,9 @@
 %{_libdir}/libamu.so*
 
 %changelog
+* Thu May 29 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-10
+- fix #435420 - CVE-2008-1078 am-utils: insecure usage of temporary files
+
 * Tue May 20 2008 Karel Zak <kzak at redhat.com> 5:6.1.5-9
 - spec file cleanup according to rpmlint
 - fix autotools stuff



