Hello community, here is the log from the commit of package bash for openSUSE:Factory checked in at 2014-03-19 13:57:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bash (Old) and /work/SRC/openSUSE:Factory/.bash.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bash"
Changes:
--------
--- /work/SRC/openSUSE:Factory/bash/bash.changes 2014-02-01 09:40:12.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.bash.new/bash.changes 2014-03-19 13:57:41.000000000 +0100
@@ -1,0 +2,7 @@
+Tue Mar 18 11:25:21 UTC 2014 - [email protected]
+
+- CVE-2014-2524: bash,readline: temporary file misuse in _rl_tropen (bnc#868822)
+ Even if used only by developers to debug readline library do not
+ open temporary files from public location without O_EXCL
+
+-------------------------------------------------------------------
New:
----
readline-6.2-rltrace.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bash.spec ++++++
--- /var/tmp/diff_new_pack.YBFLla/_old 2014-03-19 13:57:43.000000000 +0100
+++ /var/tmp/diff_new_pack.YBFLla/_new 2014-03-19 13:57:43.000000000 +0100
@@ -91,6 +91,7 @@
 Patch26: readline-6.2-msgdynamic.patch
 Patch27: readline-6.2-xmalloc.dif
 Patch30: readline-6.2-destdir.patch
+Patch31: readline-6.2-rltrace.patch
 Patch40: bash-4.1-bash.bashrc.dif
 Patch42: audit-patch
 Patch43: audit-rl-patch
@@ -309,6 +310,7 @@
 %patch24 -p0 -b .metamode
 #%patch25 -p0 -b .endpw
 %patch26 -p0 -b .msgdy
+%patch31 -p0 -b .tmp
 %patch40 -p0 -b .bashrc
 %if 0%suse_version >= 1100
 %patch42 -p1 -b .audit
@@ -334,6 +336,7 @@
 %patch24 -p2 -b .metamode
 #%patch25 -p2 -b .endpw
 %patch26 -p2 -b .msgdy
+%patch31 -p2 -b .tmp
 %patch27 -p0 -b .xm
 %patch30 -p0 -b .destdir
 %if 0%suse_version >= 1100
++++++ readline-6.2-rltrace.patch ++++++
Even if used only by developers to debug readline library do not open temporary files from public location without O_EXCL (bcn#868822).
---
 util.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
--- lib/readline/util.c
+++ lib/readline/util.c 2014-03-18 11:18:25.774735305 +0000
@@ -493,10 +493,12 @@ _rl_trace (va_alist)
 if (_rl_tracefp == 0)
 _rl_tropen ();
+ if (!_rl_tracefp)
+ goto out;
 vfprintf (_rl_tracefp, format, args);
 fprintf (_rl_tracefp, "\n");
 fflush (_rl_tracefp);
-
+out:
 va_end (args);
 }
@@ -509,7 +511,7 @@ _rl_tropen ()
 fclose (_rl_tracefp);
 sprintf (fnbuf, "/var/tmp/rltrace.%ld", getpid());
 unlink(fnbuf);
- _rl_tracefp = fopen (fnbuf, "w+");
+ _rl_tracefp = fopen (fnbuf, "w+xe");
 return _rl_tracefp != 0;
 }
@@ -517,8 +519,8 @@ int
 _rl_trclose ()
 {
 int r;
-
- r = fclose (_rl_tracefp);
+ if (_rl_tracefp)
+ r = fclose (_rl_tracefp);
 _rl_tracefp = 0;
 return r;
 }
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
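Review bot: The new `if (!_rl_tracefp) goto out;` after the `_rl_tropen ()` call makes a failed trace-file open completely silent, and because `_rl_tracefp` stays 0 every later `_rl_trace` call re-runs the sprintf/unlink/fopen sequence inside `_rl_tropen`. With the O_EXCL open introduced by this same patch, that failure is exactly what happens when another local user already owns `/var/tmp/rltrace.<pid>`, so a developer relying on the trace sees nothing and has no hint why. A one-time diagnostic before the jump, e.g. `if (!_rl_tracefp) { fputs ("readline: could not open trace file\n", stderr); goto out; }`, or a static flag that stops retrying, would make the failure visible; since this is debug-only code, writing to stderr looks acceptable here, but that is a judgment call for the maintainers. `_rl_trace` begins above the hunk (its `va_start` is not visible), and the `goto out` path still reaches `va_end`, which is correct.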
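Review bot: `fopen (fnbuf, "w+xe")` closes the symlink race but still creates the trace file with the caller's umask, so under the common 022 umask the file in world-readable `/var/tmp` can be read by every local user, and the `x`/`e` mode letters are extensions (`x` is C11, `e` is glibc/BSD-specific) that another libc may reject or silently ignore, which would drop O_EXCL again without anyone noticing. An explicit `open (2)` with `O_CREAT|O_EXCL|O_CLOEXEC` and mode 0600 followed by `fdopen` states the intent directly and does not depend on mode-letter support; the `int fd` declaration belongs next to `fnbuf` above the hunk, and `<fcntl.h>` must be included if util.c does not already pull it in. The predictable name `rltrace.<pid>` still lets any local user pre-create the path and deny tracing; `mkstemp` on a template such as `/var/tmp/rltrace.XXXXXX` would remove that, at the cost of the fixed filename developers may be used to. While touching this line, the adjacent `sprintf (fnbuf, "/var/tmp/rltrace.%ld", getpid())` passes a `pid_t` to `%ld`; `(long) getpid ()` makes the format well-defined.
```c
  /* … unchanged: fclose of the previous _rl_tracefp, sprintf of fnbuf, unlink … */
  fd = open (fnbuf, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR);
  _rl_tracefp = (fd < 0) ? 0 : fdopen (fd, "w+");
  if (fd >= 0 && _rl_tracefp == 0)
    close (fd);		/* fdopen failed; do not leak the descriptor */
  return _rl_tracefp != 0;
```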
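Review bot: `r` is now returned uninitialized when `_rl_tracefp` is 0: the declaration `int r;` is unchanged context and the only assignment moved under the new `if (_rl_tracefp)`, so `return r;` reads an indeterminate value, which is undefined behaviour and in practice hands the caller a garbage status. Initialize it at the declaration, `int r = 0;` (treating "nothing to close" as success, the value `fclose` itself returns on success), or `int r = EOF;` if callers should be told that no trace file was open; 0 seems the more natural choice for a close of something that was never opened. The hunk covers the whole of `_rl_trclose`, so nothing outside it needs to change.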
