Security Advisory?

Newsgroups: gnu.cfengine.help
From: Lance Albertson <ramer...@gentoo.org>
Date: Sun, 02 Oct 2005 12:34:39 -0500
Local: Sun, Oct 2 2005 1:34 pm
Subject: Security Advisory?

I just got a report that debian has released [1] a security fix for
cfengine. Is this something that's old or something that's new? I couldn't
find much information about it anywhere. Feel free to comment on the
gentoo bug [2].

Thanks!

[1] http://www.debian.org/security/2005/dsa-836
[2] http://bugs.gentoo.org/show_bug.cgi?id=107871
--
Lance Albertson <ramer...@gentoo.org>
Gentoo Infrastructure | Operations Manager

---
GPG Public Key:  <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1  4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net

Newsgroups: gnu.cfengine.help
From: Jeff Sheltren <shelt...@cs.ucsb.edu>
Date: Sun, 2 Oct 2005 19:36:26 -0400
Local: Sun, Oct 2 2005 7:36 pm
Subject: Re: Security Advisory?
On Oct 2, 2005, at 1:34 PM, Lance Albertson wrote:

> I just got a report that debian has released [1] a security fix for
> cfengine. Is this something that's old or something that's new? I couldn't
> find much information about it anywhere. Feel free to comment on the
> gentoo bug [2].

> Thanks!

> [1] http://www.debian.org/security/2005/dsa-836
> [2] http://bugs.gentoo.org/show_bug.cgi?id=107871
> --
> Lance Albertson <ramer...@gentoo.org>
> Gentoo Infrastructure | Operations Manager

I can't find any info on it either.  The CAN entry only shows  
'reserved' - not very helpful.  I can't figure out a way to see the  
patch without having access to a debian machine; anyone know how to  
do that (or have a debian box so you can show the patch contents)?

This looks like the patch:
* Applied patch by Javier Fernández-Sanguino Peña to fix insecure
      temporary file creation [debian/patches/010_CAN-2005-2960_tmpfile]

On another note, I just noticed that 2.1.16 is the current version on  
cfengine.org - did I just miss the announcement, or was there one?

-Jeff


 
Newsgroups: gnu.cfengine.help
From: Brendan Strejcek <bren...@cs.uchicago.edu>
Date: Sun, 2 Oct 2005 19:45:49 -0500
Local: Sun, Oct 2 2005 8:45 pm
Subject: Re: Security Advisory?
See here for the patch:

http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2....

That is linked to from http://www.debian.org/security/2005/dsa-836 .

It looks like a patch to a Debian-contributed shell script called vicf,
so I don't think general cfengine users need to worry.

For those not as familiar with Debian, here is how I figured that out:

    $ URL=http://security.debian.org/pool/updates/main/c/cfengine2
    $ wget -q $URL/cfengine2_2.1.14-1sarge1.diff.gz
    $ wget -q $URL/cfengine2_2.1.14-1sarge1.dsc
    $ wget -q $URL/cfengine2_2.1.14.orig.tar.gz
    $ dpkg-source -x cfengine2_2.1.14-1sarge1.dsc
    dpkg-source: extracting cfengine2 in cfengine2-2.1.14
    $ cd cfengine2-2.1.14/debian/patches
    $ ls
    010_CAN-2005-2960_tmpfile
    $

I included the whole patch below my sig.

Best,
Brendan

--
Senior System Administrator
The University of Chicago
Department of Computer Science
http://www.cs.uchicago.edu/people/brendan

diff -u -p -Nr --exclude CVS cfengine-2.1.14.orig/contrib/vicf.in cfengine-2.1.14/contrib/vicf.in
--- cfengine-2.1.14.orig/contrib/vicf.in        2005-02-08 12:48:56.000000000 +0100
+++ cfengine-2.1.14/contrib/vicf.in     2005-09-23 12:11:34.000000000 +0200
@@ -56,12 +56,13 @@ EdFile () {
     while [ "$editfile" = "n" ]
     do
        ${EDITOR} ${CFINPUTS}/.${file}.lock
-       cp /dev/null /tmp/cfparse.$$
-       $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > /tmp/cfparse.$$ 2>&1
-       if [ -s /tmp/cfparse.$$ ]
+        tmpfile=`mktemp -t tempfile.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
+        trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+        $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > $tmpfile 2>&1
+        if [ -s $tmpfile ]
        then
                echo PARSE ERROR IN NEW INPUT-FILE:
-               cat /tmp/cfparse.$$
+               cat $tmpfile
                /usr/ucb/echo -n "Re-edit file? (Y/n) "
                read answer
                if [ "$answer" = "n" ]
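Review bot: mktemp and the trap are placed inside the while loop, so every pass through "Re-edit file?" creates another temporary file and replaces the trap; the trap string is double-quoted, so $tmpfile is expanded when the trap is set and only the last file is removed at exit, leaving the earlier ones behind. Create the file and set the trap once before the loop and empty the file at the top of each pass. The handler for signals 1 2 3 13 15 removes the file but does not exit, so the script carries on after an interrupt; end the signal handler with an exit. $tmpfile is also unquoted in the redirect, in [ -s $tmpfile ] and in cat, and the added lines are indented with spaces where the surrounding lines use tabs.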
@@ -75,7 +76,7 @@ EdFile () {
        fi
     done

-    rm -f /tmp/cfparse.$$ ${CFINPUTS}/.${file}.lock
+    rm -f ${CFINPUTS}/.${file}.lock
 }

 force=n
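Review bot: with /tmp/cfparse.$$ dropped from the rm at the end of EdFile, nothing removes $tmpfile until the exit trap fires, and the trap added in the first hunk removes only $tmpfile, so an interrupted edit leaves ${CFINPUTS}/.${file}.lock behind. Suggest removing both here, rm -f -- "$tmpfile" "${CFINPUTS}/.${file}.lock", and adding the lock file to the trap; the lock path is unquoted as well.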


 
Newsgroups: gnu.cfengine.help
From: Jeff Sheltren <shelt...@cs.ucsb.edu>
Date: Sun, 2 Oct 2005 21:21:18 -0400
Local: Sun, Oct 2 2005 9:21 pm
Subject: Re: Security Advisory?

On Oct 2, 2005, at 8:45 PM, Brendan Strejcek wrote:

> It looks like a patch to a Debian-contributed shell script called vicf,
> so I don't think general cfengine users need to worry.

> Best,
> Brendan

Hi Brendan, thanks a lot - glad to know it's not something I need to  
worry about :)

-Jeff


 
Newsgroups: gnu.cfengine.help
From: Mark Burgess <Mark.Burg...@iu.hio.no>
Date: Mon, 03 Oct 2005 08:38:38 +0200
Local: Mon, Oct 3 2005 2:38 am
Subject: Re: Security Advisory?
The fix is for some third party shell scripts which I don't think anyone
uses and I am thinking of dumping. I did not announce 2.1.16 since it
contains nothing new. It is simply the patch release that has been in
svn for about 4 months. I am catching up.

M


 
Newsgroups: gnu.cfengine.help
From: Jeff Sheltren <shelt...@cs.ucsb.edu>
Date: Mon, 3 Oct 2005 07:47:27 -0400
Local: Mon, Oct 3 2005 7:47 am
Subject: Announcements [Was: Re: Security Advisory?]
On Oct 3, 2005, at 2:38 AM, Mark Burgess wrote:

> The fix is for some third party shell scripts which I don't think anyone
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.

> M

Hi Mark, I'd really appreciate if every new release was announced (no  
matter how trivial the update).  Either here or on a separate  
'announce' list.

Thanks,
Jeff


 
Newsgroups: gnu.cfengine.help
From: Chip Seraphine <c...@trdlnk.com>
Date: Mon, 03 Oct 2005 08:48:05 -0500
Local: Mon, Oct 3 2005 9:48 am
Subject: Re: Security Advisory?

Downloading as we speak.  Sometimes bugfix releases are the most eagerly
awaited :)


 
Newsgroups: gnu.cfengine.help
From: Cedric Ware <cedric.w...@enst.fr>
Date: Thu, 6 Oct 2005 19:57:46 +0200
Local: Thurs, Oct 6 2005 1:57 pm
Subject: PrepModule patch (was: Security Advisory?)

        Hello,

> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.

I may be mistaken, but I believe our patch for correct CFALLCLASSES
initialization when a module is called through PrepModule was not
included.  The patch is in:
http://lists.gnu.org/archive/html/help-cfengine/2005-08/msg00181.html

In your Aug 30 reply to the aforementioned message, you mentioned it
would be included once it had been through quality control.  Did it
fail somehow?  Was there an action we should have taken, e.g. submit
the patch elsewhere than the mailing-list, maybe open an issue on
sourceforge?

                                        Thank you,
                                        Cedric Ware.


 
Newsgroups: gnu.cfengine.help
From: Jeff Sheltren <shelt...@cs.ucsb.edu>
Date: Mon, 17 Oct 2005 09:18:04 -0400
Local: Mon, Oct 17 2005 9:18 am
Subject: Re: Security Advisory?
On Oct 3, 2005, at 2:38 AM, Mark Burgess wrote:

> The fix is for some third party shell scripts which I don't think anyone
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.

> M

Hi Mark, will this be patched/removed in the next cfengine release?

Thanks,
Jeff


 
Newsgroups: gnu.cfengine.help
From: Mark Burgess <Mark.Burg...@iu.hio.no>
Date: Mon, 17 Oct 2005 19:31:19 +0200
Local: Mon, Oct 17 2005 1:31 pm
Subject: Re: Security Advisory?

They were removed long ago -- only debian seem to keep them on.

M


 
Newsgroups: gnu.cfengine.help
From: Jeff Sheltren <shelt...@cs.ucsb.edu>
Date: Mon, 17 Oct 2005 15:30:02 -0400
Local: Mon, Oct 17 2005 3:30 pm
Subject: Re: Security Advisory?
On Oct 17, 2005, at 1:31 PM, Mark Burgess wrote:

> They were removed long ago -- only debian seem to keep them on.

> M

'vicf.in' is still in the contrib directory in both the 2.1.16  
tarball and in SVN.

$ tar ztf cfengine-2.1.16.tar.gz | grep vicf
cfengine-2.1.16/contrib/vicf.in
cfengine-2.1.16/contrib/README.vicf

-Jeff
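
For the question raised in the message above (whether a shipped tarball still carries the unpatched script), an added example that is not part of the original thread: a shell check that flags temp-file names built from $$ under /tmp or /var/tmp, the pattern the Debian patch replaces with mktemp. The function names, the regular expressions and the sample file are assumptions made for illustration; the sample's comment line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag shell lines that name a temp file
# under /tmp or /var/tmp using the process ID ($$ or ${$}).
PREDICTABLE_TMP_RE='(/var)?/tmp/[^[:space:];|&<>]*[$]([$]|[{][$][}])'
COMMENT_RE='^[^:]*:[0-9]+:[[:space:]]*#'   # "file:line:" followed by a comment

# scan_predictable_tmp FILE...
# Prints file:line:text per hit; returns 0 if anything was flagged, 1 if not.
scan_predictable_tmp() {
    # /dev/null as an extra operand forces the file name prefix on every hit.
    grep -nE "$PREDICTABLE_TMP_RE" "$@" /dev/null | grep -vE "$COMMENT_RE"
}

# scan_tarball TARBALL.tar.gz
# Unpacks into a private mktemp -d directory, scans every regular file,
# then removes the directory. Returns 0 = flagged, 1 = clean, 2 = error.
scan_tarball() {
    dir=$(mktemp -d) || return 2
    status=0
    if tar -xzf "$1" -C "$dir"; then
        ( cd "$dir" && find . -type f \
              -exec grep -nE "$PREDICTABLE_TMP_RE" {} /dev/null \; |
              grep -vE "$COMMENT_RE" ) || status=$?
    else
        status=2
    fi
    rm -rf -- "$dir"
    return "$status"
}

# Constructed sample: pre-patch and post-patch lines as quoted in the diff,
# plus one constructed comment line that must not be reported.
make_sample() {
    cat > "$1" <<'EOF'
# old name was /tmp/cfparse.$$
cp /dev/null /tmp/cfparse.$$
if [ -s /tmp/cfparse.$$ ]
tmpfile=`mktemp -t tempfile.XXXXXX` || exit 1
if [ -s $tmpfile ]
EOF
}

sample=$(mktemp) || exit 1
make_sample "$sample"
scan_predictable_tmp "$sample" || echo "no predictable temp names found"
rm -f -- "$sample"
```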


 