OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org
Name: Ralf S. Engelschall
Root: /v/openpkg/cvs
Email: [EMAIL PROTECTED]
Module: openpkg-web
Date: 10-Jun-2005 20:26:54
Branch: HEAD
Handle: 2005061019265400
Modified files:
openpkg-web/security OpenPKG-SA-2005.008-bzip2.txt
Log:
cosmetics again
Summary:
Revision Changes Path
1.4 +15 -14 openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt
============================================================================
$ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2005.008-bzip2.txt
--- openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 10 Jun 2005
13:28:42 -0000 1.3
+++ openpkg-web/security/OpenPKG-SA-2005.008-bzip2.txt 10 Jun 2005
18:26:54 -0000 1.4
@@ -3,7 +3,7 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2005.008 10-June-2005
+OpenPKG-SA-2005.008 10-Jun-2005
________________________________________________________________________
Package: bzip2
@@ -28,24 +28,24 @@
perl-comp perl-mail php::with_bzip2
Description:
- According to a BugTraq posting [0], Imran Ghory discovered a time of
- check time of use (TOCTOU) file mode vulnerability in the bzip2 data
- compressor [1]. Because bzip2(1) does not safely restore the mode of
- a file undergoing compression or decompression, a malicious user can
- potentially change the mode of any file belonging to the user running
- bzip2(1). The Common Vulnerabilities and Exposures (CVE) project
- assigned the identifier CAN-2005-0953 [2] to this problem.
+ According to a BugTraq posting [0], Imran Ghory discovered a time
+ of check time of use (TOCTOU) file mode vulnerability in the BZip2
+ data compressor [1]. Because bzip2(1) does not safely restore the
+ mode of a file undergoing compression or decompression, a malicious
+ user can potentially change the mode of any file belonging to the
+ user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
+ project assigned the identifier CAN-2005-0953 [2] to this problem.
In a unrelated case, a denial of service vulnerability was found
in both the bzip2(1) program and its associated library libbz2(3).
- Specially crafted bzip2 archives lead to an infinite loop in the
+ Specially crafted BZip2 archives lead to an infinite loop in the
decompressor which results in an indefinitively large output file.
This could be exploited to cause disk space exhaustion. The Common
Vulnerabilities and Exposures (CVE) project assigned the identifier
CAN-2005-1260 [3] to this problem.
- Because the openpkg bootstrap package embeds bzip2, it may be affected
- as well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
+ Because the OpenPKG bootstrap package embeds BZip2, it is affected as
+ well. Please refer to OpenPKG-SA-2005.010-openpkg for details [4].
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q bzip2". If you have the "bzip2" package installed and its
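Review bot: the rewrite of the "Because the OpenPKG bootstrap package embeds BZip2" paragraph changes "it may be affected as well" to "it is affected as well", which strengthens the advisory's claim about the bootstrap package; that is not a cosmetic edit, so either the log message should say so or the hedged wording should stay until OpenPKG-SA-2005.010-openpkg confirms it. Since the paragraphs are being re-wrapped anyway, the unchanged context in this hunk still carries two typos worth fixing in the same pass: "In a unrelated case" should read "In an unrelated case", and "indefinitively large output file" should read "indefinitely large output file".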
@@ -72,13 +72,14 @@
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/bzip2-1.0.2-2.3.1.*.rpm
We recommend that you rebuild and reinstall any dependent packages
- (see above) as well [5][6]. The openpkg build tool can be instrumental
- in consistently updating and securing the entire OpenPKG instance.
+ (see above) as well [5][6]. The "openpkg build" tool can be
+ instrumental in consistently updating and securing the entire OpenPKG
+ instance.
________________________________________________________________________
References:
[0] http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
- [1] http://sources.redhat.com/bzip2/
+ [1] http://www.bzip.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
[4] http://www.openpkg.org/security/OpenPKG-SA-2005.010-openpkg.html
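Review bot: the reference [1] URL is replaced (http://sources.redhat.com/bzip2/ with http://www.bzip.org/) under a log message of "cosmetics again"; a changed reference target deserves a mention in the log. Quoting "openpkg build" in the re-wrapped paragraph is an improvement, since the bare phrase read as ordinary prose; that paragraph also cites [5][6], which fall outside this hunk, so please confirm those entries still exist in the References list.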
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]