[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#550101: marked as done (opu: package mksh/28.0-2)

Your message dated Mon, 24 May 2010 13:43:35 +0100
with message-id <90c0df64afa581325e04146c4b314ff2.squirrel@adsl.funky-badger.org>
and subject line Closing bugs resolved by etch point release
has caused the Debian Bug report #550101,
regarding opu: package mksh/28.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
550101: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550101
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

Fix CVE-2008-1845. History:

I prepared a package with the fix backported and sent it to
the security team. I was told that it is not severe enough
to warrant a DSA. I responded that I agree but it should still
be updated. Now I see on the QA page that I "should fix it".

This is why I dug out the old .dsc (debdiff attached) and now
would like to request that someone upload this (I'm only a DM,
not a DD).

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

diff -Nru /tmp/kByzvWMkp5/mksh-28.0/debian/changelog /tmp/ptjKC8eoqk/mksh-28.0/debian/changelog
- --- /tmp/kByzvWMkp5/mksh-28.0/debian/changelog	2009-10-07 18:08:16.000000000 +0200
+++ /tmp/ptjKC8eoqk/mksh-28.0/debian/changelog	2009-10-07 18:08:17.000000000 +0200
@@ -1,3 +1,10 @@
+mksh (28.0-3) unstable; urgency=high
+
+  * Fix CVE-2008-1845 (unauthenticated local privilege escalation)
+    using upstream-provided diff
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Thu, 17 Apr 2008 21:55:05 +0000
+
 mksh (28.0-2) unstable; urgency=low
 
   * Fix unaligned memory access on IA-64 (same fix was applied
diff -Nru /tmp/kByzvWMkp5/mksh-28.0/misc.c /tmp/ptjKC8eoqk/mksh-28.0/misc.c
- --- /tmp/kByzvWMkp5/mksh-28.0/misc.c	2006-08-24 22:33:16.000000000 +0200
+++ /tmp/ptjKC8eoqk/mksh-28.0/misc.c	2009-10-07 18:08:17.000000000 +0200
@@ -1437,6 +1437,8 @@
 		return "setsid";
 	if (ioctl(fd, TIOCSCTTY, NULL) == -1)
 		return "ioctl";
+	if (tcflush(fd, TCIOFLUSH))
+		return "tcflush";
 	dup2(fd, 0);
 	dup2(fd, 1);
 	dup2(fd, 2);
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)

iQIVAwUBSsy9NXa1NLLpkAfgAQPcbA/9ENGDIXCGgWJK/jGPrms2E78U42TdYOf3
rXf4c4vQAF7b9vJ4RVKn0s99aqPQcoeFGrsYLfzh9f8lLICPw9mXtWI6L5Va4HrI
pLfrLGpEDdfDd1cBFr5yxJPgiqwZk3DjWtmasQIjEgqAXKAL0hARlBEvyl7r2jOS
wCv8gfTevqpu7re1WQybnB5Sl6x2WNrZeyKLVQmBliChl+7o4GSZz2YuM0CEOQJr
6kV8ExS8lGdu5RziNuzzpvmEExjbXaIyyPYS3shzKaVSjjxQgcLvijc7A113sQtz
btSQ63Dg3dzPW5cRsBbo50+sEwQt3LKPQFID4DonbnJPh/5wgieraY7d3xLv+mfs
fQWbpY/tiRn7C6cujJHk+Qwuo7c0V3W0DGqPZJaL6Ohp5nnD+sNiJCY4fvflZPYB
CGvU/ntmTRVIVCvVxGt1Kdv8oqUPgPzwpD3/2VNcVl82WDLsTahsxi/5vb9TX8vU
cEDoTUT8JbMBH3sVeYI6qz9po7XUwvtpdzNNdMa5b/J3o7Vrpa4dshWO3BT7Wzff
zqe2ep3kuE6ZANDbxo518Ru+QInecN9Kabl7UaBqb34paDJdB/MV9Oclx6PgSqKP
4EbpgoLAq0NKz5/0Cbj0xs1fXaYsoxOR/5GEOx2LyJmKhFvcm6OYd5Mm0z2/3fUc
iWuIulr4c5o=
=vXmH
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message --- 
Version: 4.0r9

Hi,

Each of these bugs was resolved by the recent etch point release, either
by including the updated package or adding a note to the release
announcement regarding the relevant issue.

Regards,

Adam

--- End Message ---
Reply to: