dagmar.wants at nospam.com
Sun Jun 1 16:35:56 PDT 2003
On Sun, 2003-06-01 at 17:14, Ken Moffat wrote:
> On Sun, 1 Jun 2003, Dagmar d'Surreal wrote:
> > On Sun, 2003-06-01 at 15:22, Dagmar d'Surreal wrote:
> > > On Wed, 2003-05-28 at 07:51, Jochen Schroeder wrote:
> > > > Suse has released a patch for glibc to fix a security hole in the XDR
> > > > code, see here for details:
> > > > http://www.suse.de/de/security/2003_027_glibc.html
> > >
> > > Umm... Took them long enough. Glibc-2.3.2 doesn't have this problem.
> > ..and more to the point, here's an annotated diff that people should
> > start applying to glibc. It was assembled directly from the components
> > listed in CERT Advisory CA-2003-10. Since glibc-2.3.2 is not vulnerable
> > to this, if you are currently building using the current CVS tree of
> > LFS, you don't need to worry about it. Everyone else using any version
> > of glibc previous to 2.3.2 (2.3.1, 2.2.5, etc) should apply this patch
> > to their glibc sources and rebuild to eliminate the vulnerability from
> > their system.
> Thanks for this, but the comments don't seem to be in line with your
> recommendation to label _where_ the patch came from, or is it my eyes
> failing?
To be perfectly accurate, the patch comes from the glibc team, since
it's merely a summary and collation of diffs pulled from the CVS as
mentioned in CA-2003-10 (http://www.cert.org/advisories/CA-2003-10.html)
which is why I didn't bother to explicitly tag it with an author credit.
To be really pedantic about it, the patch could also be considered to
have come from me since I collated it into a single patch, or Sun since
it was their broken library that was fixed, or possibly eEye for all I
can tell. I was unable to ascertain exactly who fixed it, or even if a
single person could be credited.
> Now I'll have to try to understand it, to see whether I trust it ;-)
Hrmm... I've put it into my build trees, but since I'm fully into
glibc-2.3.2 now I doubt I'll ever have to deal with building it into a
2.2.x tree (I'm going to have to put it in a spec file for a client
tho... *sigh*). Did I happen to mention it's definitely in glibc-2.3.2,
so I think it's pretty trustworthy.
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact info: AIM: evilDagmar Jabber: evilDagmar at jabber.org