Thanks!
[1] http://www.debian.org/security/2005/dsa-836
[2] http://bugs.gentoo.org/show_bug.cgi?id=107871
--
Lance Albertson <rame...@gentoo.org>
Gentoo Infrastructure | Operations Manager
---
GPG Public Key: <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742
ramereth/irc.freenode.net
> I just got a report that debian has released [1] a security fix for
> cfengine. Is this something thats old or something thats new? I
> couldn't
> find much information about it anywhere. Feel free to comment on the
> gentoo bug [2].
>
> Thanks!
>
> [1] http://www.debian.org/security/2005/dsa-836
> [2] http://bugs.gentoo.org/show_bug.cgi?id=107871
> --
> Lance Albertson <rame...@gentoo.org>
> Gentoo Infrastructure | Operations Manager
I can't find any info on it either. The CAN entry only shows
'reserved' - not very helpful. I can't figure out a way to see the
patch without having access to a debian machine; anyone know how to
do that (or have a debian box so you can show the patch contents)?
This looks like the patch:
* Applied patch by Javier Fernández-Sanguino Peña to fix insecure
temporary file creation [debian/patches/010_CAN-2005-2960_tmpfile]
On another note, I just noticed that 2.1.16 is the current version on
cfengine.org - did I just miss the announcement, or was there one?
-Jeff
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1.diff.gz
That is linked to from http://www.debian.org/security/2005/dsa-836 .
It looks like a patch to a Debian-contributed shell script called vicf,
so I don't think general cfengine users need to worry.
For those not as familiar with Debian, here is how I figured that out:
$ URL=http://security.debian.org/pool/updates/main/c/cfengine2
$ wget -q $URL/cfengine2_2.1.14-1sarge1.diff.gz
$ wget -q $URL/cfengine2_2.1.14-1sarge1.dsc
$ wget -q $URL/cfengine2_2.1.14.orig.tar.gz
$ dpkg-source -x cfengine2_2.1.14-1sarge1.dsc
dpkg-source: extracting cfengine2 in cfengine2-2.1.14
$ cd cfengine2-2.1.14/debian/patches
$ ls
010_CAN-2005-2960_tmpfile
$
I included the whole patch below my sig.
Best,
Brendan
--
Senior System Administrator
The University of Chicago
Department of Computer Science
http://www.cs.uchicago.edu/people/brendan
diff -u -p -Nr --exclude CVS cfengine-2.1.14.orig/contrib/vicf.in cfengine-2.1.14/contrib/vicf.in
--- cfengine-2.1.14.orig/contrib/vicf.in 2005-02-08 12:48:56.000000000 +0100
+++ cfengine-2.1.14/contrib/vicf.in 2005-09-23 12:11:34.000000000 +0200
@@ -56,12 +56,13 @@ EdFile () {
while [ "$editfile" = "n" ]
do
${EDITOR} ${CFINPUTS}/.${file}.lock
- cp /dev/null /tmp/cfparse.$$
- $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > /tmp/cfparse.$$ 2>&1
- if [ -s /tmp/cfparse.$$ ]
+ tmpfile=`mktemp -t tempfile.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > $tmpfile 2>&1
+ if [ -s $tmpfile ]
then
echo PARSE ERROR IN NEW INPUT-FILE:
- cat /tmp/cfparse.$$
+ cat $tmpfile
/usr/ucb/echo -n "Re-edit file? (Y/n) "
read answer
if [ "$answer" = "n" ]
@@ -75,7 +76,7 @@ EdFile () {
fi
done
- rm -f /tmp/cfparse.$$ ${CFINPUTS}/.${file}.lock
+ rm -f ${CFINPUTS}/.${file}.lock
}
force=n
>
> It looks like a patch to a Debian-contributed shell script called
> vicf,
> so I don't think general cfengine users need to worry.
>
>
> Best,
> Brendan
Hi Brendan, thanks a lot - glad to know it's not something I need to
worry about :)
-Jeff
M
> _______________________________________________
> Help-cfengine mailing list
> Help-c...@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
> The fix is for some third party shell scripts which I don't think
> anyone
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.
>
> M
Hi Mark, I'd really appreciate if every new release was announced (no
matter how trivial the update). Either here or on a separate
'announce' list.
Thanks,
Jeff
Mark Burgess wrote:
>The fix is for some third party shell scripts which I don't think anyone
>uses and I am thinking of dumping. I did not announce 2.1.16 since it
>contains nothing new. It is simply the patch release that has been in
>svn for about 4 months. I am catching up.
>
>M
>
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.
I may be mistaken, but I believe our patch for correct CFALLCLASSES
initialization when a module is called through PrepModule was not
included. The patch is in:
http://lists.gnu.org/archive/html/help-cfengine/2005-08/msg00181.html
In your Aug 30 reply to the aforementioned message, you mentioned it
would be included once it had been through quality control. Did it
fail somehow? Was there an action we should have taken, e.g. submit
the patch elsewhere than the mailing-list, maybe open an issue on
sourceforge?
Thank you,
Cedric Ware.
> The fix is for some third party shell scripts which I don't think
> anyone
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.
>
> M
Hi Mark, will this be patched/removed in the next cfengine release?
Thanks,
Jeff
M
>
> They were removed long ago -- only debian seem to keep thme on.
>
> M
>
>
'vicf.in' is still in the contrib directory in both the 2.1.16
tarball and in SVN.
$ tar ztf cfengine-2.1.16.tar.gz | grep vicf
cfengine-2.1.16/contrib/vicf.in
cfengine-2.1.16/contrib/README.vicf
-Jeff