Francesco P. Lovergine
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#301430: Multiple exploitable race conditions in openmosixview
severity 301430 serious tags 301430 + patch tags 301430 + upstream tags 301430 + security thanks On Thu, Mar 31, 2005 at 08:46:41PM -0500, Hubert Chan wrote:> I believe this bug is fixed by two patches that can be found at: > http://uw-dig.uwaterloo.ca/~hy3chan/patches/openmosixview/1.5/ > (patches 20-logdirectory.diff and 50-nonodestmp.diff). I think > that they should apply cleanly without the other patches -- probably > at worst with some fuzz. I''m trying to confirm with the people who > originally reported the vulnerability to check that the patches do > indeed fix the issues that they reported, but I''m pretty sure they do. > > The patches found there (except for 99debian.diff) have already been > accepted by upstream for inclusion in the next release of > openMosixView. > > 20-logdirectory.diff may break other software that depends on a > predictable location for the openMosixViewCollector logs (such as > openMosixWebView, not included in Debian, and I think that > openMosixWebView has been changed to check both locations). But I > don''t think there''s any other way around it -- besides, upstream is > already going to implement the change in the next release. > > For reference, my mail to Rexotec (the original reporters) and the > openMosixView mailing list can be found at: > http://sourceforge.net/mailarchive/message.php?msg_id=11330106 >Nice news. I''ll keep an eye to the proposed patches before committing. The symlink exploit should be obviously manageable. -- Francesco P. Lovergine
Hubert Chan
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#301430: Multiple exploitable race conditions in openmosixview
On 2005-04-01 02:39:57 -0500 Francesco P. Lovergine <frankie@debian.org> wrote:> > Nice news. I''ll keep an eye to the proposed patches before committing. > The symlink exploit should be obviously manageable. >Upstream says that he also thinks my patches fix the bug. http://sourceforge.net/mailarchive/message.php?msg_id=11350217 Rexotec (the guys who originally reported the bug) has''t responded. I think those patches are ready to be applied. -- Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.