Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 Apr 2012 17:36:54 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: rpm security issues (CVE-2012-0815, CVE-2012-0060, CVE-2012-0061)

Mesut,

Red Hat folks did some fuzzing of RPM recently, and found and fixed some
security issues as a result:

http://www.openwall.com/lists/oss-security/2012/04/03/4

Since Owl currently uses RPM based off a version similar to what Red Hat
had in RHEL4 (yes, that's pretty old), I suggest that we take a look at
Red Hat's update for RHEL4.  Luckily, they made one:

https://rhn.redhat.com/errata/RHSA-2012-0451.html#Red%20Hat%20Enterprise%20Linux%20ELS%20(v.%204)

We need to download and review:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/rpm-4.3.3-36_nonptl.el4.src.rpm
MD5: 145611198f92ea1b652ae2f62457299c
SHA-256: 8b9fef896bde9b276b4e7af93afae83b195cd35e9a7a139c6644489def1abf05

(I got the URL from their e-mailed advisory on the rhsa-announce list,
which I'm subscribed to.)

Then produce patches for our package in accordance with our conventions
(see doc/CONVENTIONS), update the spec file, do test builds, etc.

Ideally, also find or re-create corrupted RPMs that trigger the issues
and make sure the issues were in fact triggerable before patching and
are no longer triggerable after patching (presumably correctly fixed).

Can you work on this, please?

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.