On Sat, Mar 09, 2013 at 06:57:33AM -0800, Linda Walsh wrote:
Lars M[...] wrote:
On Fri, Mar 08, 2013 at 06:20:02PM -0800, Linda Walsh wrote:
Sorry, ...
Probably should be fixed before 12.3 ships...
Fortunately, the fix is easy -- just remove the offending patch:
bash-3.2-longjmp.dif
a) Please consider to add the patch to bnc#806628
b) In general if you believe a defect has security implications, please select 'Component: Security' to enable access limitation in bugzilla.
Cheers,
Lars
Setting component:security doesn't enable access limitations. On the bug you set component:security on, I was able to access it without logging in.
If you _create_ it under that Component it will get stricter permissions.
On the new bug I created I had set the 'open-only-to-suse-security' flag, and that flag only allowed access to the bug after I had logged in (presumably because I was the reporter).
As for 'a', above, are you asking me to copy the source of the patch that is from the suse rpm, that is in the file 'bash-3.2-longjmp.dif' into the bug report?
It is already part of the suse bash rpm. By patching the rpm, suse has introduced a security hole that is specific to suse's version.
I'm sorry, I guess I was trying to be a bit too circumspect in reporting the details and was too close to them, myself, to not be aware that others would know what I was talking about.
The rbash angle was not clear yet, but I am not sure it is real either. Either way, the bash maintainer and we will take a look when we get to work on Monday.
Ciao,
Marcus