OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 10-Jun-2005 20:29:57
Branch: HEAD Handle: 2005061019295700
Modified files:
openpkg-web/security OpenPKG-SA-2005.010-openpkg.txt
Log:
small cosmetics, including par(1) formatting
Summary:
Revision Changes Path
1.2 +19 -18 openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2005.010-openpkg.txt
--- openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005
13:37:17 -0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2005.010-openpkg.txt 10 Jun 2005
18:29:57 -0000 1.2
@@ -3,7 +3,7 @@
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
-OpenPKG-SA-2005.010 10-June-2005
+OpenPKG-SA-2005.010 10-Jun-2005
________________________________________________________________________
Package: openpkg
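Review bot: The only change in this hunk is the advisory date, and the abbreviated "10-Jun-2005" form now matches the "Date: 10-Jun-2005" format used in this commit's own header, so the advisory header and the project's date convention agree; nothing else to raise here.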
@@ -20,38 +20,39 @@
Dependent Packages: none
Description:
- The vulnerabilities described by this text affect the openpkg
- bootstrap package's gzip and bzip2 embedded software. Similar
- advisories [0][1] describe the same vulnerabilities, although
- in context of the particular vendor software.
+ The vulnerabilities described by this text affect the OpenPKG
+ bootstrap package's GZip and BZip2 embedded software. Similar
+ advisories [0][1] describe the same vulnerabilities, although in
+ context of the particular vendor software.
- According to a Debian bug report [2], Ulf Harnhammar discovered
- an input validation error in the gzip data compressor [3]. Because
+ According to a Debian bug report [2], Ulf Harnhammar discovered an
+ input validation error in the GZip data compressor [3]. Because
gzip(1) fails to properly validate file paths during decompression
with the "-N" argument, a remote attacker using a malicious archive
could corrupt arbitrary files with the privileges of the user that
is running gzip(1). The Common Vulnerabilities and Exposures (CVE)
project assigned the identifier CAN-2005-1228 [4] to this problem.
- According to a BugTraq posting [5], Imran Ghory discovered a time of
- check time of use (TOCTOU) file mode vulnerability in the bzip2 data
- compressor [6]. Because bzip2(1) does not safely restore the mode of
- a file undergoing compression or decompression, a malicious user can
- potentially change the mode of any file belonging to the user running
- bzip2(1). The Common Vulnerabilities and Exposures (CVE) project
- assigned the identifier CAN-2005-0953 [7] to this problem.
+ According to a BugTraq posting [5], Imran Ghory discovered a time
+ of check time of use (TOCTOU) file mode vulnerability in the BZip2
+ data compressor [6]. Because bzip2(1) does not safely restore the
+ mode of a file undergoing compression or decompression, a malicious
+ user can potentially change the mode of any file belonging to the
+ user running bzip2(1). The Common Vulnerabilities and Exposures (CVE)
+ project assigned the identifier CAN-2005-0953 [7] to this problem.
- In a unrelated bzip2 problem, a denial of service vulnerability
+ In a unrelated BZip2 problem, a denial of service vulnerability
was found in both the bzip2(1) program and its associated library
- libbz2(3). Specially crafted bzip2 archives lead to an infinite loop
+ libbz2(3). Specially crafted BZip2 archives lead to an infinite loop
in the decompressor which results in an indefinitively large output
file. This could be exploited to cause disk space exhaustion. The
Common Vulnerabilities and Exposures (CVE) project assigned the
identifier CAN-2005-1260 [8] to this problem.
Please check whether you are affected by running "<prefix>/bin/openpkg
- rpm -q openpkg". If the openpkg package version is affected (see above),
- we recommend that you immediately upgrade it (see Solution) [9][10].
+ rpm -q openpkg". If the openpkg package version is affected (see
+ above), we recommend that you immediately upgrade it (see Solution)
+ [9][10].
Solution:
Select the updated source RPM appropriate for your OpenPKG release
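Review bot: The grammatical error at "+ In a unrelated BZip2 problem" survives the par(1) reflow; it should read "In an unrelated BZip2 problem". In the unchanged context two lines below, "an indefinitively large output file" should be "an indefinitely large output file" (or simply "an unbounded output file"), since "indefinitively" is not the intended word. On naming: the hunk now writes the products as "GZip" and "BZip2" while the man-page references in the same paragraphs stay "gzip(1)", "bzip2(1)" and "libbz2(3)", and both upstream projects spell their own names "gzip" and "bzip2"; if the capitalized form is a deliberate house style, fine, but "Specially crafted BZip2 archives" reads oddly next to "bzip2(1)", so one spelling throughout the advisory would be clearer.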
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]