Re: 1.0 issues: Packaging (esp. source)

1995-11-02 Thread Marc Ewing
> [EMAIL PROTECTED] reads debian-devel.  He's made noises about working
> together before.

Yup, I'm here (but I don't necessarily read debian-devel very closely).
We are about to embark (well, sometime in the next few months) on the
design for RPM 2.0.  Would it make sense for us to set up a mailing
list for package issues?  (we've been thinking about setting up an
[EMAIL PROTECTED]).

-Marc




Re: 1.0 issues: Packaging (esp. source)

1995-11-06 Thread Marc Ewing
> We have a list at Pixar that could serve the purpose - debian-dpkg
> isn't used for anything much at the moment.
...
> I think it would be good for the Red Hat people to have their own list
> - that way we can choose to crosspost or not to crosspost.  I expect
> that most of our messages would be crossposted.
> 
> (I've seen the effects of trying to get two initially-separate groups
> to agree to compromise by having them all use one mailing list, on the
> FSSTND group.  Having nowhere to say `is this really a good idea' and
> get reassurance and sound arguments from people one knows without
> feeling impeded by the presence of the `other side' doesn't seem to
> help.  Or, well, it didn't seem to help for me personally.)

Agreed on all counts.

We have a mailing list: [EMAIL PROTECTED] which would be appropriate.
To subscribe, mail [EMAIL PROTECTED] with "subscribe" in
the subject line.  Feel free to cc the list and/or subscribe, and
I'll do the same with debian-dpkg.

-Marc




Re: /etc/rc.d and RedHat compatibility

1995-12-19 Thread Marc Ewing
[EMAIL PROTECTED] (Bruce Perens) writes:
> Right now, you can't expect it to be trouble-free, because there is no
> package conflict mechanism on redhat

True, we don't yet have a mechanism whereby you can indicate that
package X conflicts with package Y, but if package X would overwrite
any files in package Y, you'd get an error (warning, really) installing
X, and you'd have to force it.  We're working on conflicts and
dependencies in rpm version 2.

Of course, none of this works if the two packages come from different
package systems.

> Make a backup first.

Absolutely.

-Marc



Bug#4155: recent mount/umount vulnerability

1996-08-14 Thread Marc Ewing
"Alexander O. Yuriev" <[EMAIL PROTECTED]> writes:
>   I trust you are all aware of the information released to
> bugtraq/linux-security and linux-alert mailing lists about the vulnerability
> of mount/umount utilities in Linux. 
>   I'd really appreciate if you provide some official information on
> your distribution specific fixes for the upcoming Linux Security FAQ
> Update... 

Here's the note we sent out yesterday:

Recently a security hole was found in the mount program that comes with
many Linux distributions, including Red Hat Linux.

mount and umount are normally installed setUID root to allow users to
perform mount and unmount operations. Unfortunately, they do not check the
length of the information passed to them, creating a buffer overflow
problem. For more details, visit the BugTraq mailing-list archives at
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

This hole allows anyone with an account on a system to obtain root access. 

Affected systems:
- All systems running all versions of Red Hat Linux.

Users of versions of Red Hat less than 3.0.3 are advised to upgrade to
3.0.3, since many other problems are fixed in the upgrade.

If you are running:
* Red Hat Linux 3.0.3 (Picasso) on the Intel architecture, get
  - ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/i386/updates/RPMS/
      util-linux-2.5-11fix.i386.rpm
      mount-2.5k-1.i386.rpm
  And install them in that order using 'rpm -Uvh [rpm filename]'

* Red Hat Linux 3.0.3 (Picasso) on the Intel architecture, get
  - ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/axp/updates/RPMS/
      util-linux-2.5-11fix.axp.rpm
      mount-2.5k-1.axp.rpm
  And install them in that order using 'rpm -Uvh [rpm filename]'

* Red Hat Linux 3.0.4 (Rembrandt) beta on the Intel, get
  - ftp://ftp.redhat.com/pub/redhat/rembrandt/i386/updates/RPMS/
      mount-2.5k-2.i386.rpm

* Red Hat Linux 3.0.4 (Rembrandt) beta on the Sparc, get
  - ftp://ftp.redhat.com/pub/redhat/rembrandt/sparc/updates/RPMS/
      mount-2.5k-2.sparc.rpm

[Aside: There is no difference between mount-2.5k-1 and -2 except
the package format.]

All RPMs are PGP-signed with the [EMAIL PROTECTED] key.
The source RPMs will be available in the normal locations.

MD5SUM's:
ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm

26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm

7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm

Thanks to Bloodmask, Vio, and others on the BugTraq list for discovering
this hole and providing patches.
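
The advisory above attributes the hole to setUID-root programs that "do not check the length of the information passed to them". The C sketch below is an added illustration, not part of the original message and not the mount source or the patch: it sets the unchecked copy pattern beside a length-checked one. The buffer size and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define DEVNAME_MAX 64   /* constructed buffer size, not taken from mount */

/* Unchecked pattern: the caller controls strlen(arg), the buffer is fixed.
 * Shown for comparison only; main() never calls it. */
void store_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);    /* writes past dst when strlen(arg) >= DEVNAME_MAX */
}

/* Checked pattern: reject over-long input before any byte is copied.
 * Returns 0 on success, -1 if the argument does not fit. */
int store_arg_checked(char *dst, size_t dstsize, const char *arg)
{
    size_t len;

    if (dst == NULL || arg == NULL || dstsize == 0)
        return -1;
    len = strlen(arg);
    if (len >= dstsize)  /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Hypothetical helper: validate every command-line argument up front.
 * Returns the index of the first over-long argument, or 0 if all fit. */
int first_overlong_arg(int argc, char **argv)
{
    char buf[DEVNAME_MAX];
    int i;

    for (i = 1; i < argc; i++)
        if (store_arg_checked(buf, sizeof buf, argv[i]) != 0)
            return i;
    return 0;
}

int main(int argc, char **argv)
{
    int bad = first_overlong_arg(argc, argv);

    if (bad) {
        fprintf(stderr, "argument %d is too long, refusing to continue\n", bad);
        return 1;
    }
    puts("all arguments fit");
    return 0;
}
```

In a privileged program the check belongs before any other use of the argument, and failing closed (exit with an error) is safer than silently truncating a path.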