Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 152758 - x11-wm/fvwm: temporary file vulnerabilities in FvwmCommand
Summary: x11-wm/fvwm: temporary file vulnerabilities in FvwmCommand
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on: 153127
Blocks:
  Show dependency tree
 
Reported: 2006-10-25 02:02 UTC by Tavis Ormandy (RETIRED)
Modified: 2006-11-09 14:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2006-10-25 02:02:30 UTC
According to the ChangeLog:

 Changes in beta release 2.5.17 (19-Jul-2006)
 * Bug Fixes:
    - Fixed tempfile vulnerabilities in FvwmCommand.

2.5.18 is in the tree, and should be ready for stabilisation.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-10-25 02:04:25 UTC
target keywords

KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"

arches, please test and mark stable.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2006-10-25 03:44:48 UTC
In x86:

Works and compiles fine.

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.12.5
Last Sync: Wed, 25 Oct 2006 07:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ "
LINGUAS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-25 07:38:24 UTC
sparc stable.
Comment 4 Dimitry Bradt (RETIRED) gentoo-dev 2006-10-25 09:53:36 UTC
x86:

1) emerges fine
2) passes collision test
3) works

Portage 2.1.2_pre3-r8 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.4-r4,
2.6.18-gentoo-r1 i686)
=================================================================
System uname: 2.6.18-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.12.5
Last Sync: Tue, 24 Oct 2006 22:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.4/env /usr/kde/3.4/share/config
/usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/mnt/nfs/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox
sfperms strict"
GENTOO_MIRRORS="http://search.belnet.be/packages/gentoo/"
LC_ALL="nl_BE.UTF-8"
LINGUAS="en_GB nl"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/mnt/series/tmp/"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/repodoc-overlay"
SYNC="rsync://rsync5.nl.gentoo.org/gentoo-portage"
USE="x86 16bit S3TC X X509 aac aalib acl acpi activefilter alsa ansi apm arts
artworkextra audiofile avantgo bash-completion bcmath bdf bidi bitmap-fonts
blender-game bluetooth bzip2 bzlib cap cdda cddb cdinstall cdparanoia cdrom cgi
chroot cjk clanJavaScript clanVoice cli client code cracklib crypt csope cups
curl dba dlloader dri dts dv dvb dvd dvdread eds elibc_glibc emboss encode esd
fat firefox foomaticdb fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2
hal imap imlib input_devices_keyboard input_devices_mouse ipv6 isdnlog ithreads
java jpeg jython kadu-modules kadu-voice kakasi kde kdeenablefinal kernel_linux
latex lcms leim libclamav libdsk libg++ libgd libgda libsamplerate libwww
linguas_en_GB linguas_nl lirc lirc_devices_pctv lirc_devices_pinsys live lua
lufsusermount lzo lzw lzw-tiff m17n-lib mad maildir matroska matrox mcal
memlimit migemo mikmod mime mine mixer mjpeg mls mmap mmx mng monkey motif
mozcalendar mozdevelop mozilla mozp3p mozsvg mozxmlterm mp3 mpeg mpeg4 mpi
mplayer msn mule music mythtv nagios-dns nagios-ntp nagios-ping nagios-ssh
native ncurses net netcdf network neural nis nls nowin nptl nptlonly nsplugin
ntfs ntlm nvidia nviz oav objc ocaml offensive ofx ogg openal opengl opie oscar
ospfapi oss pam parse-clocks pcap pcntl pcre pdf perl pg-hier pg-intdatetime
pg-vacuumdelay pic plotutils png portaudio posix povray ppds pppd pri print
procmail pthreads python qt3 qt4 quicktime quotas quotes readline real
reflection reiser4 reiserfs resperl rhino rplay samba scanner screen sdl
servlet-2.3 servlet-2.4 session sftplogging silc simplexml skins skk slp smime
sndfile snortsam sockets socks5 softquota sox spell spl sse sse2 ssl
stencil-buffer stream stroke struts svg sysvipc szip t1lib tcpd tcsim tga
theora threads tidy tiff transcode truetype truetype-fonts type1-fonts udev uim
underscores unicode usb userland_GNU v4l v4l2 vcd vda vhosts video_cards_nv
video_cards_nvidia video_cards_vesa videos virus-scan vorbis wddx win32codecs
winbind wmf wxwindows xanim xatrix xchatdccserver xchattext xemacs xface
xgetdefault xine xinerama xml xml2 xmlrpc xorg xosd xpm xprint xrandr
xscreensaver xsl xv xvid xvmc yahoo yaz yp yv12 zaptel zeo zlib zvbi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Markus Meier gentoo-dev 2006-10-25 12:08:26 UTC
1. emerges on x86
2. passes collision test

x11-wm/fvwm-2.5.18  USE="gtk nls perl png readline truetype xinerama -bidi -debug -imlib -rplay -stroke -tk"

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Wed, 25 Oct 2006 16:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-26 01:47:23 UTC
[ebuild  N    ] x11-wm/fvwm-2.5.18  USE="bidi gtk nls perl png readline truetype -debug -imlib -rplay -stroke -tk -xinerama"

1) emerges fine so far
2) passes collision test
3) works

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Thu, 26 Oct 2006 05:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 aiglx alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS



Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-28 03:05:09 UTC
For USE="perl tk" dev-perl/X11-Protocol-0.56 is pulled in, which isn't stable on all arches.  See dependency.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-28 06:17:07 UTC
x86 happy now
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-28 08:40:16 UTC
ppc stable
Comment 10 Thomas Cort (RETIRED) gentoo-dev 2006-10-29 07:58:05 UTC
stable on alpha and amd64.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2006-10-29 11:36:32 UTC
ia64 done.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-29 15:05:36 UTC
Hi,
the changelog is not really verbose on that vulnerability... some has any news ?

I think it's probably stg like an insecure tempfile creation, but who knows ?
Comment 13 Viktor Griph 2006-10-31 08:17:12 UTC
(In reply to comment #12)
> Hi,
> the changelog is not really verbose on that vulnerability... some has any news
> ?
> 
> I think it's probably stg like an insecure tempfile creation, but who knows ?
> 

See http://www.mail-archive.com/fvwm-workers@lists.math.uh.edu/msg15233.html
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-03 05:53:52 UTC
Thanks Viktor.

ppc64 have you got a problem here ?
Comment 15 Brent Baude (RETIRED) gentoo-dev 2006-11-04 19:39:41 UTC
marked ppc64 stable
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-06 01:39:58 UTC
TIme to vote (insecure creation of temporary files), i vote noglsa
Comment 17 Wolf Giesen (RETIRED) gentoo-dev 2006-11-06 02:55:25 UTC
Another no.
Comment 18 Tavis Ormandy (RETIRED) gentoo-dev 2006-11-06 03:19:30 UTC
no++
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 14:51:07 UTC
closing since we have 3 "no" votes already