Hello community, here is the log from the commit of package findutils checked in at Sun Jun 3 22:04:04 CEST 2007. -------- --- findutils/findutils.changes 2007-02-28 19:59:39.000000000 +0100 +++ /mounts/work_src_done/STABLE/findutils/findutils.changes 2007-06-03 21:48:38.155846000 +0200 
@@ -1,0 +2,31 @@ +Sun Jun 3 19:48:01 CEST 2007 - schwab@suse.de + +- Update to findutils 4.2.31. + ** Security Fixes + #20014: Findutils-4.2.31 includes a patch for a potential security + problem in locate. When locate read an old-format database, it read + file names into a fixed-length buffer allocated on the heap without + checking for overflow. Although overflowing a heap buffer if often + somewhat safer than overflowing a buffer on the stack, this bug still + has potential security implications. + All previous releases of findutils are affected by this bug. It has + been assigned CVE number CVE-2007-2452. + ** Documentation Fixes + #19596: Corrected the documentation for "find -printf %b". + #19483: updatedb manpage has inconsistent highlighting for --help + option. + #19155: Fixed typo in the output of "locate --help". + ** Other Bug Fixes + #19658: When cross-compiling, "make clean" no longer deletes the + generated file doc/regexprops.texi, because there is no way to + regenerate it. + #19484: Decompressed data is wrong in locate if the first filename + indexed by updatedb starts with a space (instead of a slash). + ** Other Changes + Findutils has switched to a new way of building the code from gnulib. + There should be no functional difference; the change should not be + visible to those using the findutils binaries, except for changes to + the output of "find --version", which should now show the version of + Gnulib which was used. + +------------------------------------------------------------------- Old: ---- findutils-4.2.30.diff findutils-4.2.30.tar.gz New: ---- findutils-4.2.31.diff findutils-4.2.31.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ findutils.spec ++++++ --- /var/tmp/diff_new_pack.ec5188/_old 2007-06-03 22:03:46.000000000 +0200 +++ /var/tmp/diff_new_pack.ec5188/_new 2007-06-03 22:03:46.000000000 +0200 
@@ -1,5 +1,5 @@ # -# spec file for package findutils (Version 4.2.30) +# spec file for package findutils (Version 4.2.31) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -18,7 +18,7 @@ Obsoletes: find Autoreqprov: on PreReq: %{install_info_prereq} -Version: 4.2.30 +Version: 4.2.31 Release: 1 Summary: GNU find--Finding Files Source: findutils-%{version}.tar.gz 
@@ -133,6 +133,34 @@ /var/adm/fillup-templates/* %changelog +* Sun Jun 03 2007 - schwab@suse.de +- Update to findutils 4.2.31. + ** Security Fixes + [#20014]: Findutils-4.2.31 includes a patch for a potential security + problem in locate. When locate read an old-format database, it read + file names into a fixed-length buffer allocated on the heap without + checking for overflow. Although overflowing a heap buffer if often + somewhat safer than overflowing a buffer on the stack, this bug still + has potential security implications. + All previous releases of findutils are affected by this bug. It has + been assigned CVE number CVE-2007-2452. + ** Documentation Fixes + [#19596]: Corrected the documentation for "find -printf %%b". + [#19483]: updatedb manpage has inconsistent highlighting for --help + option. + [#19155]: Fixed typo in the output of "locate --help". + ** Other Bug Fixes + [#19658]: When cross-compiling, "make clean" no longer deletes the + generated file doc/regexprops.texi, because there is no way to + regenerate it. + [#19484]: Decompressed data is wrong in locate if the first filename + indexed by updatedb starts with a space (instead of a slash). + ** Other Changes + Findutils has switched to a new way of building the code from gnulib. + There should be no functional difference; the change should not be + visible to those using the findutils binaries, except for changes to + the output of "find --version", which should now show the version of + Gnulib which was used. * Wed Feb 28 2007 - schwab@suse.de - Update to findutils 4.2.30. ** Bug Fixes ++++++ findutils-4.2.30.diff -> findutils-4.2.31.diff ++++++ ++++++ findutils-4.2.30.tar.gz -> findutils-4.2.31.tar.gz ++++++ ++++ 90115 lines of diff (skipped) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... 
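Review bot: The #20014 security entry in the findutils.changes hunk has a typo, "overflowing a heap buffer if often somewhat safer", which should read "is often". Since this is the text readers will see when searching for CVE-2007-2452, it is worth correcting before it is copied further. The entry also says the overflow is reached when locate reads an old-format database, so a short line saying whether this package's updatedb produces or ships old-format databases would help administrators judge their exposure.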
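Review bot: The Version hunk in findutils.spec moves "Version: 4.2.30" to "Version: 4.2.31" while the tarball change itself is reported only as "90115 lines of diff (skipped)", so nothing in this mail lets a reader confirm that findutils-4.2.31.tar.gz is the upstream release carrying the CVE-2007-2452 fix. In the visible context the only source line is "Source: findutils-%{version}.tar.gz". Consider recording a checksum of the new tarball in the commit log, or packaging the upstream detached signature as an additional source, so that the security update can be verified independently.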
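Review bot: The %changelog hunk in findutils.spec repeats the "if often" typo from findutils.changes in the [#20014] entry, and the two copies of the same text have drifted in form: bug references are bracketed here ("[#20014]") but bare in findutils.changes ("#20014"). The "%%b" escaping in the [#19596] line is correct for a spec file and should stay. If the spec changelog is generated from findutils.changes, fix the typo there only and regenerate; if it is maintained by hand, apply the same correction in both places so the security entry reads identically.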