Bug 3455

Summary: tcp_wrapper unmaintained and contains vulnerabilities
Product: Mageia
Reporter: Kamil Rytarowski <n54>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact:
Severity: critical
Priority: Normal
CC: doktor5000, mageia
Version: 1   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://pkgs.fedoraproject.org/gitweb/?p=tcp_wrappers.git;a=blob_plain;f=tcp_wrappers-7.6-xgets.patch;hb=HEAD
Whiteboard:
Source RPM: tcp_wrappers-7.6-42.mga1.src.rpm
CVE:
Status comment:

Description Kamil Rytarowski 2011-11-26 00:41:48 CET
tcp_wrapper in Mga is unmaintained. Fedora ships a newer patch against a possible DoS in xgets.

In the URL you can read the changelog of their package.
Comment 1 Manuel Hiebel 2011-11-26 00:55:16 CET
No security issue for mga 1?
Comment 2 Kamil Rytarowski 2011-11-26 00:58:03 CET
For Mageia 1 too!

Summary: tcp_wrapper unmaintained and contains vulnerabilities (Mga2 Alpha1) => tcp_wrapper unmaintained and contains vulnerabilities

Kamil Rytarowski 2011-11-26 00:58:20 CET

Version: Cauldron => 1

Comment 3 Manuel Hiebel 2011-11-26 01:02:02 CET
Ok, thanks :)

As there is no maintainer for this package I added the committers in CC.

CC: (none) => mageia

Comment 4 Florian Hubold 2011-12-01 10:33:54 CET
Changing the URL to point to the Fedora patch which fixes this security issue.

URL: http://pkgs.org/fedora-rawhide/fedora-i386/tcp_wrappers-7.6-68.fc17.i686.rpm.html => http://pkgs.fedoraproject.org/gitweb/?p=tcp_wrappers.git;a=blob_plain;f=tcp_wrappers-7.6-xgets.patch;hb=HEAD
CC: (none) => doktor5000

Comment 5 Florian Hubold 2011-12-01 19:20:40 CET
Seems this is already fixed in our tcp_wrappers,
this is the relevant code without the "newer" Fedora patch:

    char   *start = ptr;

    while (len>1 && fgets(ptr, len, fp)) {
	got = strlen(ptr);
	if (got >= 1 && ptr[got - 1] == '\n') {
	    tcpd_context.line++;

Status: NEW => RESOLVED
Resolution: (none) => INVALID
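
Added example, not part of the bug thread or of tcp_wrappers: a bounded C sketch of why the `len>1` test in the loop quoted in Comment 5 matters. Once a line fills the buffer, `len` drops to 1, and glibc's `fgets()` with a size of 1 stores an empty string without consuming input, so a loop without the test makes no progress. The function names, the backslash-continuation branch, the call bound and the sample line are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Sketch of the loop quoted in Comment 5; function names are hypothetical.
 * guard != 0 keeps the "len > 1" test, guard == 0 drops it for comparison.
 * Returns the number of fgets() calls, or -1 once max_calls is reached
 * (a stand-in for a loop that would otherwise never end). */
static int read_joined_line(char *ptr, int len, FILE *fp, int guard, int max_calls)
{
    int calls = 0;
    while ((!guard || len > 1) && fgets(ptr, len, fp)) {
        int got = (int)strlen(ptr);
        if (++calls >= max_calls)
            return -1;          /* bound hit: treat as non-terminating */
        if (got >= 1 && ptr[got - 1] == '\n') {
            if (got >= 2 && ptr[got - 2] == '\\')
                got -= 2;       /* assumed: backslash-newline joins lines */
            else
                return calls;   /* complete logical line */
        }
        ptr += got;
        len -= got;
        ptr[0] = 0;
    }
    return calls;
}

/* Feeds one constructed overlong line through an 8-byte buffer. */
static int demo(int guard)
{
    char buf[8];
    int calls;
    FILE *fp = tmpfile();

    if (fp == NULL)
        return -2;
    fputs("AAAAAAAAAAAAAAAAAAAA\n", fp);    /* constructed sample input */
    rewind(fp);
    calls = read_joined_line(buf, (int)sizeof(buf), fp, guard, 1000);
    fclose(fp);
    return calls;
}

int main(void)
{
    printf("guarded:   %d\n", demo(1));
    printf("unguarded: %d\n", demo(0));
    return 0;
}
```

With the guard the loop stops after one read of the full buffer; without it the call bound is the only thing that ends the run.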