Date: Thu, 12 Apr 2012 17:36:54 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: rpm security issues (CVE-2012-0815, CVE-2012-0060, CVE-2012-0061)

Mesut,

Red Hat folks did some fuzzing of RPM recently, and found and fixed some security issues as a result:

http://www.openwall.com/lists/oss-security/2012/04/03/4

Since Owl currently uses RPM based off a version similar to what Red Hat had in RHEL4 (yes, that's pretty old), I suggest that we take a look at Red Hat's update for RHEL4. Luckily, they made one:

https://rhn.redhat.com/errata/RHSA-2012-0451.html#Red%20Hat%20Enterprise%20Linux%20ELS%20(v.%204)

We need to download and review:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/rpm-4.3.3-36_nonptl.el4.src.rpm
MD5: 145611198f92ea1b652ae2f62457299c
SHA-256: 8b9fef896bde9b276b4e7af93afae83b195cd35e9a7a139c6644489def1abf05

(I got the URL from their e-mailed advisory on the rhsa-announce list, which I'm subscribed to.)

Then produce patches for our package in accordance with our conventions (see doc/CONVENTIONS), update the spec file, do test builds, etc.

Ideally, also find or re-create corrupted RPMs that trigger the issues and make sure the issues were in fact triggerable before patching and are no longer triggerable after patching (presumably correctly fixed).

Can you work on this, please?

Thanks,

Alexander
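The download-and-review step in the message above, as an added example: this is not part of the original e-mail or of Owl's own tooling. It checks the fetched SRPM against both digests quoted from the RHSA announcement and refuses to proceed on any mismatch. It assumes GNU coreutils `md5sum`/`sha256sum`; the optional payload listing assumes `rpm2cpio` and `cpio` are installed. The `--fetch` flag, the `hash_file`/`verify_srpm`/`list_srpm_contents` names and the use of `wget` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Owl project or the e-mail above): verify the
# RHEL4 rpm SRPM against the MD5 and SHA-256 values published in the RHSA
# announcement, then list its payload so the patches can be reviewed.

SRPM_URL='ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/rpm-4.3.3-36_nonptl.el4.src.rpm'
SRPM_FILE='rpm-4.3.3-36_nonptl.el4.src.rpm'
# Digests as quoted in the message above.
SRPM_MD5='145611198f92ea1b652ae2f62457299c'
SRPM_SHA256='8b9fef896bde9b276b4e7af93afae83b195cd35e9a7a139c6644489def1abf05'

# hash_file ALGO FILE -> prints the lowercase hex digest of FILE.
# Supports md5 and sha256 (GNU coreutils); returns 2 for anything else.
hash_file() {
    algo=$1; file=$2
    case "$algo" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *) echo "hash_file: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    "$tool" "$file" | awk '{print tolower($1)}'
}

# verify_srpm FILE EXPECTED_MD5 EXPECTED_SHA256 -> 0 only if BOTH digests
# match; 1 if the file is missing or either digest differs. Both are checked
# (rather than stopping at the first mismatch) so the error output shows the
# full picture; SHA-256 is the one that carries the security weight, MD5 is
# kept because the advisory publishes it.
verify_srpm() {
    file=$1; want_md5=$2; want_sha256=$3
    [ -f "$file" ] || { echo "verify_srpm: $file: no such file" >&2; return 1; }
    got_md5=$(hash_file md5 "$file") || return 1
    got_sha256=$(hash_file sha256 "$file") || return 1
    status=0
    if [ "$got_md5" != "$(echo "$want_md5" | tr 'A-Z' 'a-z')" ]; then
        echo "MD5 mismatch for $file: got $got_md5, want $want_md5" >&2
        status=1
    fi
    if [ "$got_sha256" != "$(echo "$want_sha256" | tr 'A-Z' 'a-z')" ]; then
        echo "SHA-256 mismatch for $file: got $got_sha256, want $want_sha256" >&2
        status=1
    fi
    return $status
}

# list_srpm_contents FILE -> prints the member names of the SRPM payload
# (tarball, patches, spec). Needs rpm2cpio and cpio; not exercised offline.
list_srpm_contents() {
    rpm2cpio "$1" | cpio -t --quiet
}

# Direct use: ./verify-srpm.sh --fetch
# Downloads the SRPM if not already present, verifies it, and lists the
# payload only when verification succeeds.
if [ "${1:-}" = "--fetch" ]; then
    [ -f "$SRPM_FILE" ] || wget -O "$SRPM_FILE" "$SRPM_URL"
    verify_srpm "$SRPM_FILE" "$SRPM_MD5" "$SRPM_SHA256" && list_srpm_contents "$SRPM_FILE"
fi
```

The digests only bind the file to the text of the advisory e-mail; they are as trustworthy as that e-mail's origin, so the rhsa-announce GPG signature is what actually anchors them. The SRPM itself also carries Red Hat's package signature, which `rpm -K` (`--checksig`) verifies independently of the published hashes, and is worth running as a second check once the file is in hand.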