[Fedora] Vulnerability in texinfo - FEDORA-2006-1203
Dear colleagues,
we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.
CVE-2005-3011 - Race Condition in texindex sort_offline()
The sort_offline() function in the texindex program creates temporary
files with predictable names and does not check whether a file already
exists under that name or path. This allows a local attacker to use a
symlink attack to overwrite arbitrary files with the privileges of the
user.
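The race described above, as an added example (not code from texindex or from the Fedora patch, which according to the changelog below removed off-line sorting altogether): an open on a predictable name that follows an existing symlink, beside an exclusive open that refuses it. The function names, scratch directory and file names are assumptions made for the demonstration; where the name need not be fixed, mkstemp() gives the same exclusive, mode-0600 creation with an unpredictable name.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* BEFORE: the pattern the advisory describes. Predictable path, no existence
   check, mode 0666: a symlink already at `path` is followed and its target
   is truncated with the caller's privileges. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* AFTER: O_CREAT|O_EXCL fails with EEXIST if anything, even a symlink,
   already has that name; mode 0600 keeps other local users out. */
static int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory. unsafe=0 uses
   the exclusive open, unsafe=1 the old pattern. Returns the size of the
   user's file afterwards: 5 if it survived, 0 if it was truncated. */
long victim_size_after(int unsafe) {
    char dir[] = "/tmp/texidx-demo-XXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/user-file", dir);
    snprintf(tmp, sizeof tmp, "%s/sort-tmp0", dir);    /* predictable name */
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("data\n", f);                                /* 5 bytes */
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;          /* name already taken */
    int fd = unsafe ? open_tmp_unsafe(tmp) : open_tmp_exclusive(tmp);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);           /* leave no temp files */
    return size;
}

int main(void) {
    printf("exclusive open: user file has %ld bytes\n", victim_size_after(0));
    printf("unsafe open:    user file has %ld bytes\n", victim_size_after(1));
    return 0;
}
```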
The following software packages and platforms are affected:
Package texinfo
Fedora Core 6
The vendor provides updated packages.
Vendor advisory:
https://www.redhat.com/archives/fedora-package-announce/2006-November/msg00068.html
(c) for the German summary: DFN-CERT Services GmbH; redistribution,
in whole or in part, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49 40 808077-617
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-1203
2006-11-09
---------------------------------------------------------------------
Product : Fedora Core 6
Name : texinfo
Version : 4.8
Release : 14.fc6
Summary : Tools needed to create Texinfo format documentation files.
Description :
Texinfo is a documentation system that can produce both online
information and printed output from a single source file. The GNU
Project uses the Texinfo file format for most of its documentation.
Install texinfo if you want a documentation system for producing both
online and print documentation from the same source file and/or if you
are going to write documentation for the GNU Project.
---------------------------------------------------------------------
* Sun Nov 5 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-14
- Remove off-line sorting from texindex (fixes CVE 2006-4810)
* Mon Oct 9 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-13
- Don't use mode 0666 for the texindex temporary files
* Mon Oct 9 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-12
- Don't leave around temporary files used by texindex
- Add missing error handling to texinfo-CAN-2005-3011.patch
* Wed Jul 12 2006 Jesse Keating <jkeating@xxxxxxxxxx> - 4.8-11.1
- rebuild
* Sat Mar 25 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-11
- Split texinfo-tex from the texinfo package (#178406)
- Ship COPYING, don't ship INSTALL
* Sun Mar 19 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-10
- Remove incorrect Prefix:
- Drop info/README
- Convert change log to UTF-8
* Fri Feb 10 2006 Jesse Keating <jkeating@xxxxxxxxxx> - 4.8-9.2
- bump again for double-long bug on ppc(64)
* Tue Feb 7 2006 Jesse Keating <jkeating@xxxxxxxxxx> - 4.8-9.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Mon Jan 16 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-9
- Fix handling of bzip2'ed files (#128637)
* Mon Jan 16 2006 Miloslav Trmac <mitr@xxxxxxxxxx> - 4.8-8
- Ignore scriptlet failures with --excludedocs (#166958)
- Don't link texindex to zlib, don't pretend to link to zlib statically
* Fri Dec 9 2005 Jesse Keating <jkeating@xxxxxxxxxx>
- rebuilt
* Fri Oct 14 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-7
- Apply patch to fix CAN-2005-3011 (bug #169585).
* Thu Jun 9 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-6
- Ship texi2pdf man page, taken from tetex-2.0.2 RPM.
* Tue Jun 7 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-5
- Ship texi2pdf (bug #147271).
* Mon Mar 14 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-4
- Requires tetex (bug #151075).
* Wed Mar 2 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-3
- Rebuild for new GCC.
* Mon Feb 7 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-2
- Don't ship texi2pdf (bug #147271).
* Thu Feb 3 2005 Tim Waugh <twaugh@xxxxxxxxxx> 4.8-1
- 4.8.
* Thu Dec 30 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-6
- Fixed URL (bug #143729).
* Thu Aug 12 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-5
- Rebuilt.
* Wed Jul 7 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-4
- Build for FC2.
* Tue Jun 29 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-3
- Fix grouping in user-defined macros.
* Mon Jun 28 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-2
- Build requires ncurses-devel (bug #126600).
* Fri Jun 25 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.7-1
- 4.7.
* Tue Jun 15 2004 Elliot Lee <sopwith@xxxxxxxxxx>
- rebuilt
* Tue Mar 2 2004 Tim Waugh <twaugh@xxxxxxxxxx>
- Fixed compiler warning (bug #117097).
* Sat Feb 21 2004 Tim Waugh <twaugh@xxxxxxxxxx> 4.6-3
- Build requires zlib-devel (bug #116436).
* Fri Feb 13 2004 Elliot Lee <sopwith@xxxxxxxxxx>
- rebuilt
* Tue Dec 2 2003 Tim Waugh <twaugh@xxxxxxxxxx> 4.6-1
- Fixed compiler warning (bug #111279).
- 4.6.
* Tue Jun 17 2003 Tim Waugh <twaugh@xxxxxxxxxx> 4.5-3
- Rebuilt.
* Wed Jun 4 2003 Elliot Lee <sopwith@xxxxxxxxxx>
- rebuilt
* Tue May 6 2003 Tim Waugh <twaugh@xxxxxxxxxx>
- No longer need 3.12h-fix patch.
* Tue Apr 29 2003 Tim Waugh <twaugh@xxxxxxxxxx> 4.5-1
- 4.5 (bug #88428). Update zlib patch.
- Add URL tag (bug #54613).
* Wed Jan 22 2003 Tim Powers <timp@xxxxxxxxxx> 4.3-5
- rebuilt
* Tue Jan 7 2003 Tim Waugh <twaugh@xxxxxxxxxx> 4.3-4
- Fix up spec_install_post to strip debug info out to separate package
  (bug #81226).
* Thu Dec 26 2002 Florian La Roche <Florian.LaRoche@xxxxxxxxx> 4.3-3
- Make /usr/share/info/dir a real file and remove /etc/info-dir, that
  file should be unused for a long time.
* Thu Nov 21 2002 Elliot Lee <sopwith@xxxxxxxxxx> 4.3-2
- Don't strip files here (rpm takes care of it)
- Use pushd/popd instead of enclosing things in (), to make
  error detection easier
- Use _smp_mflags
* Tue Nov 19 2002 Tim Waugh <twaugh@xxxxxxxxxx> 4.3-1
- 4.3.
- No longer need fileextension or malloccheck patches.
- Update zlib patch.
* Wed Oct 23 2002 Tim Waugh <twaugh@xxxxxxxxxx> 4.2-6
- Don't install files not packaged.
- Fix file list (bug #55816).
* Mon Sep 2 2002 Bernhard Rosenkraenzer <bero@xxxxxxxxxx> 4.2-5
- Fix crash w/ MALLOC_CHECK_ == 2 (#72831)
* Tue Jul 2 2002 Bernhard Rosenkraenzer <bero@xxxxxxxxxx> 4.2-4
- Add infokey (#67728)
* Fri Jun 21 2002 Tim Powers <timp@xxxxxxxxxx>
- automated rebuild
* Thu May 23 2002 Tim Powers <timp@xxxxxxxxxx>
- automated rebuild
* Tue Apr 23 2002 Florian La Roche <Florian.LaRoche@xxxxxxxxx>
- 4.2
* Tue Mar 5 2002 Bernhard Rosenkraenzer <bero@xxxxxxxxxx> 4.1-1
- 4.1 (#60714)
* Wed Jan 9 2002 Tim Powers <timp@xxxxxxxxxx>
- automated rebuild
* Tue Aug 7 2001 Bernhard Rosenkraenzer <bero@xxxxxxxxxx> 4.0b-3
- Don't create the desktop file - we don't install it anyway.
* Sat Jul 21 2001 Tim Powers <timp@xxxxxxxxxx>
- remove the info viewer from the menus, it's cluttering things
* Wed May 9 2001 Florian La Roche <Florian.LaRoche@xxxxxxxxx>
- 4.0b
* Tue Apr 24 2001 Bernhard Rosenkraenzer <bero@xxxxxxxxxx> 4.0a-1
- Update to 4.0a, the patch looks sane
* Fri Feb 23 2001 Trond Eivind Glomsrød <teg@xxxxxxxxxx>
- langify
- don't create desktop file in spec file
* Tue Jan 23 2001 Preston Brown <pbrown@xxxxxxxxxx>
- danish translation added
* Tue Dec 12 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- Rebuild to get rid of 0777 dirs
* Wed Nov 8 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- Fix recognition of .?o extensions in texi2dvi, Bug #20498
* Thu Sep 7 2000 Jeff Johnson <jbj@xxxxxxxxxx>
- FHS packaging (64bit systems need to use %_libdir not /usr/lib).
* Sat Aug 19 2000 Trond Eivind Glomsrød <teg@xxxxxxxxxx>
- really do it - #16120
* Mon Aug 14 2000 Helge Deller <hdeller@xxxxxxxxxx>
- gzip man-pages, #16120
* Mon Aug 7 2000 Tim Waugh <twaugh@xxxxxxxxxx>
- List man-pages in %files.
* Fri Aug 4 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- Add Swedish and German translations to desktop file, Bug #15366
* Thu Aug 3 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- mark /etc/info-dir %verify(not md5 size mime), Bug #14826
* Wed Jul 12 2000 Prospector <bugzilla@xxxxxxxxxx>
- automatic rebuild
* Wed Jun 28 2000 Bill Nottingham <notting@xxxxxxxxxx>
- fix build wackiness with info page compressing
* Fri Jun 16 2000 Bill Nottingham <notting@xxxxxxxxxx>
- fix info-dir symlink
* Thu May 18 2000 Preston Brown <pbrown@xxxxxxxxxx>
- use FHS paths for info.
* Fri Mar 24 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- rebuild with current ncurses
* Wed Feb 9 2000 Preston Brown <pbrown@xxxxxxxxxx>
- wmconfig -> desktop
* Wed Feb 2 2000 Cristian Gafton <gafton@xxxxxxxxxx>
- fix descriptions
* Wed Jan 26 2000 Bernhard Rosenkraenzer <bero@xxxxxxxxxx>
- move info-stnd.info* to the info package, /sbin/install-info it
  in %post (Bug #6632)
* Thu Jan 13 2000 Jeff Johnson <jbj@xxxxxxxxxx>
- recompile to eliminate ncurses foul-up.
* Tue Nov 9 1999 Bernhard Rosenkränzer <bero@xxxxxxxxxx>
- 4.0
- handle RPM_OPT_FLAGS
* Tue Sep 7 1999 Cristian Gafton <gafton@xxxxxxxxxx>
- import version 3.12h into 6.1 tree from HJLu
* Sun Mar 21 1999 Cristian Gafton <gafton@xxxxxxxxxx>
- auto rebuild in the new build environment (release 4)
* Wed Mar 17 1999 Erik Troan <ewt@xxxxxxxxxx>
- hacked to use zlib to get rid of the requirement on gzip
* Wed Mar 17 1999 Matt Wilson <msw@xxxxxxxxxx>
- install-info prerequires gzip
* Thu Mar 11 1999 Cristian Gafton <gafton@xxxxxxxxxx>
- version 3.12f
- make /usr/info/dir to be a %config(noreplace)
* Wed Nov 25 1998 Jeff Johnson <jbj@xxxxxxxxxx>
- rebuild to fix docdir perms.
* Thu Sep 24 1998 Cristian Gafton <gafton@xxxxxxxxxx>
- fix allocation problems in install-info
* Wed Sep 23 1998 Jeff Johnson <jbj@xxxxxxxxxx>
- /sbin/install-info should not depend on /usr/lib/libz.so.1 -- statically
  link with /usr/lib/libz.a.
* Fri Aug 7 1998 Erik Troan <ewt@xxxxxxxxxx>
- added a prereq of bash to the info package -- see the comment for a
  description of why that was done
* Tue Jun 9 1998 Prospector System <bugs@xxxxxxxxxx>
- translations modified for de
* Tue Jun 9 1998 Jeff Johnson <jbj@xxxxxxxxxx>
- add %attr to permit non-root build.
* Thu May 7 1998 Prospector System <bugs@xxxxxxxxxx>
- translations modified for de, fr, tr
* Sun Apr 12 1998 Cristian Gafton <gafton@xxxxxxxxxx>
- added %clean
- manhattan build
* Wed Mar 4 1998 Cristian Gafton <gafton@xxxxxxxxxx>
- upgraded to version 3.12
- added buildroot
* Sun Nov 9 1997 Donnie Barnes <djb@xxxxxxxxxx>
- moved /usr/info/dir to /etc/info-dir and made /usr/info/dir a
  symlink to /etc/info-dir.
* Wed Oct 29 1997 Donnie Barnes <djb@xxxxxxxxxx>
- added wmconfig entry for info
* Wed Oct 1 1997 Donnie Barnes <djb@xxxxxxxxxx>
- stripped /sbin/install-info
* Mon Sep 22 1997 Erik Troan <ewt@xxxxxxxxxx>
- added info-dir to filelist
* Sun Sep 14 1997 Erik Troan <ewt@xxxxxxxxxx>
- added patch from sopwith to let install-info understand gzip'ed info files
- use skeletal dir file from texinfo tarball (w/ bash entry to reduce
  dependency chain) instead (and install-info command everywhere else)
- patches install-info to handle .gz names correctly
* Tue Jun 3 1997 Erik Troan <ewt@xxxxxxxxxx>
- built against glibc
* Tue Feb 25 1997 Erik Troan <ewt@xxxxxxxxxx>
- patched install-info.c for glibc.
- added /usr/bin/install-info to the filelist
* Tue Feb 18 1997 Michael Fulbright <msf@xxxxxxxxxx>
- upgraded to version 3.9.
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/
This update can be installed with the 'yum' update program. Use 'yum update
package-name' at the command line. For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------