Security Advisory?

Lance Albertson

unread,

Oct 2, 2005, 1:34:39 PM10/2/05

to help-c...@gnu.org

I just got a report that debian has released [1] a security fix for
cfengine. Is this something thats old or something thats new? I couldn't
find much information about it anywhere. Feel free to comment on the
gentoo bug [2].

Thanks!

[1] http://www.debian.org/security/2005/dsa-836
[2] http://bugs.gentoo.org/show_bug.cgi?id=107871
--
Lance Albertson <rame...@gentoo.org>
Gentoo Infrastructure | Operations Manager

---
GPG Public Key: <http://www.ramereth.net/lance.asc>
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742

ramereth/irc.freenode.net

signature.asc

Jeff Sheltren

unread,

Oct 2, 2005, 7:36:26 PM10/2/05

to Lance Albertson, help-c...@gnu.org

On Oct 2, 2005, at 1:34 PM, Lance Albertson wrote:

> I just got a report that debian has released [1] a security fix for
> cfengine. Is this something thats old or something thats new? I
> couldn't
> find much information about it anywhere. Feel free to comment on the
> gentoo bug [2].
>
> Thanks!
>
> [1] http://www.debian.org/security/2005/dsa-836
> [2] http://bugs.gentoo.org/show_bug.cgi?id=107871
> --
> Lance Albertson <rame...@gentoo.org>
> Gentoo Infrastructure | Operations Manager

I can't find any info on it either. The CAN entry only shows
'reserved' - not very helpful. I can't figure out a way to see the
patch without having access to a debian machine; anyone know how to
do that (or have a debian box so you can show the patch contents)?

This looks like the patch:
* Applied patch by Javier Fernández-Sanguino Peña to fix insecure
temporary file creation [debian/patches/010_CAN-2005-2960_tmpfile]

On another note, I just noticed that 2.1.16 is the current version on
cfengine.org - did I just miss the announcement, or was there one?

-Jeff

Brendan Strejcek

unread,

Oct 2, 2005, 8:45:49 PM10/2/05

to Jeff Sheltren, help-c...@gnu.org

See here for the patch:

http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1.diff.gz

That is linked to from http://www.debian.org/security/2005/dsa-836 .

It looks like a patch to a Debian-contributed shell script called vicf,
so I don't think general cfengine users need to worry.

For those not as familiar with Debian, here is how I figured that out:

$ URL=http://security.debian.org/pool/updates/main/c/cfengine2
$ wget -q $URL/cfengine2_2.1.14-1sarge1.diff.gz
$ wget -q $URL/cfengine2_2.1.14-1sarge1.dsc
$ wget -q $URL/cfengine2_2.1.14.orig.tar.gz
$ dpkg-source -x cfengine2_2.1.14-1sarge1.dsc
dpkg-source: extracting cfengine2 in cfengine2-2.1.14
$ cd cfengine2-2.1.14/debian/patches
$ ls
010_CAN-2005-2960_tmpfile
$

I included the whole patch below my sig.

Best,
Brendan

--
Senior System Administrator
The University of Chicago
Department of Computer Science
http://www.cs.uchicago.edu/people/brendan

diff -u -p -Nr --exclude CVS cfengine-2.1.14.orig/contrib/vicf.in cfengine-2.1.14/contrib/vicf.in
--- cfengine-2.1.14.orig/contrib/vicf.in 2005-02-08 12:48:56.000000000 +0100
+++ cfengine-2.1.14/contrib/vicf.in 2005-09-23 12:11:34.000000000 +0200
@@ -56,12 +56,13 @@ EdFile () {
while [ "$editfile" = "n" ]
do
${EDITOR} ${CFINPUTS}/.${file}.lock
- cp /dev/null /tmp/cfparse.$$
- $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > /tmp/cfparse.$$ 2>&1
- if [ -s /tmp/cfparse.$$ ]
+ tmpfile=`mktemp -t tempfile.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ $sbindir/cfengine --no-warn --parse-only --file ${CFINPUTS}/.${file}.lock > $tmpfile 2>&1
+ if [ -s $tmpfile ]
then
echo PARSE ERROR IN NEW INPUT-FILE:
- cat /tmp/cfparse.$$
+ cat $tmpfile
/usr/ucb/echo -n "Re-edit file? (Y/n) "
read answer
if [ "$answer" = "n" ]
@@ -75,7 +76,7 @@ EdFile () {
fi
done

- rm -f /tmp/cfparse.$$ ${CFINPUTS}/.${file}.lock
+ rm -f ${CFINPUTS}/.${file}.lock
}

force=n

Jeff Sheltren

unread,

Oct 2, 2005, 9:21:18 PM10/2/05

to Brendan Strejcek, help-c...@gnu.org

On Oct 2, 2005, at 8:45 PM, Brendan Strejcek wrote:

>
> It looks like a patch to a Debian-contributed shell script called
> vicf,
> so I don't think general cfengine users need to worry.
>
>

> Best,
> Brendan

Hi Brendan, thanks a lot - glad to know it's not something I need to
worry about :)

-Jeff

Mark Burgess

unread,

Oct 3, 2005, 2:38:38 AM10/3/05

to Jeff Sheltren, help-c...@gnu.org

The fix is for some third party shell scripts which I don't think anyone
uses and I am thinking of dumping. I did not announce 2.1.16 since it
contains nothing new. It is simply the patch release that has been in
svn for about 4 months. I am catching up.

M

> _______________________________________________
> Help-cfengine mailing list
> Help-c...@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine

Jeff Sheltren

unread,

Oct 3, 2005, 7:47:27 AM10/3/05

to Mark Burgess, help-c...@gnu.org

On Oct 3, 2005, at 2:38 AM, Mark Burgess wrote:

> The fix is for some third party shell scripts which I don't think
> anyone
> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.
>
> M

Hi Mark, I'd really appreciate if every new release was announced (no
matter how trivial the update). Either here or on a separate
'announce' list.

Thanks,
Jeff

Chip Seraphine

unread,

Oct 3, 2005, 9:48:05 AM10/3/05

to Mark Burgess, help-c...@gnu.org

Downloading as we speak. Sometimes bugfix releases are the most eagerly
awaited :)

Mark Burgess wrote:

>The fix is for some third party shell scripts which I don't think anyone
>uses and I am thinking of dumping. I did not announce 2.1.16 since it
>contains nothing new. It is simply the patch release that has been in
>svn for about 4 months. I am catching up.
>
>M
>

Cedric Ware

unread,

Oct 6, 2005, 1:57:46 PM10/6/05

to Mark Burgess, help-c...@gnu.org

Hello,

> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.

I may be mistaken, but I believe our patch for correct CFALLCLASSES
initialization when a module is called through PrepModule was not
included. The patch is in:
http://lists.gnu.org/archive/html/help-cfengine/2005-08/msg00181.html

In your Aug 30 reply to the aforementioned message, you mentioned it
would be included once it had been through quality control. Did it
fail somehow? Was there an action we should have taken, e.g. submit
the patch elsewhere than the mailing-list, maybe open an issue on
sourceforge?

Thank you,
Cedric Ware.

Jeff Sheltren

unread,

Oct 17, 2005, 9:18:04 AM10/17/05

to Cfengine Mailing List Help

On Oct 3, 2005, at 2:38 AM, Mark Burgess wrote:

> The fix is for some third party shell scripts which I don't think
> anyone

> uses and I am thinking of dumping. I did not announce 2.1.16 since it
> contains nothing new. It is simply the patch release that has been in
> svn for about 4 months. I am catching up.
>

> M

Hi Mark, will this be patched/removed in the next cfengine release?

Thanks,
Jeff

Mark Burgess

unread,

Oct 17, 2005, 1:31:19 PM10/17/05

to Jeff Sheltren, Cfengine Mailing List Help

They were removed long ago -- only debian seem to keep thme on.

M

Jeff Sheltren

unread,

Oct 17, 2005, 3:30:02 PM10/17/05

to Cfengine Mailing List Help

On Oct 17, 2005, at 1:31 PM, Mark Burgess wrote:

>
> They were removed long ago -- only debian seem to keep thme on.
>
> M
>
>

'vicf.in' is still in the contrib directory in both the 2.1.16
tarball and in SVN.

$ tar ztf cfengine-2.1.16.tar.gz | grep vicf
cfengine-2.1.16/contrib/vicf.in
cfengine-2.1.16/contrib/README.vicf

-Jeff