Fedora has issued an advisory on January 25:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097837.html
These issues are caused by the i18n patch, which we appear to have. Mageia 2 would also be affected.
Whiteboard: (none) => MGA2TOO
CC: (none) => tmb
URL: (none) => http://lwn.net/Vulnerabilities/535735/
It appears the master branch in Fedora git had the exact same i18n patch we do in Cauldron. The updated one for version 8.20 is here:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch
Fedora 17 has the same coreutils version we do, 8.15. Their i18n patch there was almost exactly the same as ours, but not quite exactly. Here's the updated one for 8.15:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch?h=f17&id=7491020ff9f0c45480b5b365823a58c869df7552
I have committed them to SVN for Mageia 2 and Cauldron, but I'll wait for Thomas to give the go-ahead to push them to the build system.
Looks OK, go ahead and push them...
Thanks Thomas! Fixed packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated coreutils packages fix security vulnerabilities:

It was reported that the sort command suffered from a segfault when processing input streams that contained extremely long strings when used with the -d and -M switches (CVE-2013-0221).

It was reported that the uniq command suffered from a segfault when processing input streams that contained extremely long strings (CVE-2013-0222).

It was reported that the join command suffered from a segfault when processing input streams that contained extremely long strings when used with the -i switch (CVE-2013-0223).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097837.html
========================

Updated packages in core/updates_testing:
========================
coreutils-8.15-1.2.mga2
coreutils-doc-8.15-1.2.mga2

from coreutils-8.15-1.2.mga2.src.rpm

Version: Cauldron => 2
Assignee: tmb => qa-bugs
Whiteboard: MGA2TOO => (none)
PoCs:
CVE-2013-0221 https://bugzilla.novell.com/show_bug.cgi?id=798538
CVE-2013-0222 https://bugzilla.novell.com/show_bug.cgi?id=796243
CVE-2013-0223 https://bugzilla.novell.com/show_bug.cgi?id=798541
Whiteboard: (none) => has_procedure
Tested i586 in VM.
CVE-2013-0221: unable to reproduce bug
CVE-2013-0222 and CVE-2013-0223: bugs reproduced; bugs gone after update.
Carolyn
CC: (none) => isolde
Could you add the relevant whiteboard keyword please, Carolyn?
https://wiki.mageia.org/en/QA_process_for_validating_updates
Thank you :)
Whiteboard: has_procedure => has_procedure mga2-32-OK
Now testing 64-bit. Carolyn
Testing complete on 64-bit. All bugs verified before update. All bugs gone after update. Update validated. See comment 3 for advisory and SRPM. Could sysadmin please push from core/updates_testing to core/updates. Thank you. Carolyn
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-32-OK => has_procedure mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0048
Status: NEW => RESOLVED
Resolution: (none) => FIXED