Bug#: 191643
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2007-09-08 01:50 0000
According to Steve Grubb in Red Hat #251774:
  It looks like coolkey creates /tmp/.pk11ipc1 as a world writable directory
  without the sticky bit. And...it creates the files under that potentially as
  world writable with the execute bit turned on or uses the file without any
  sanity check. coolkey runs as root sometimes and that makes it susceptible to
  doing symlink attacks.

The only version in the tree is unstable at the moment, however.
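
The sanity checks whose absence the report describes, as an added example (not coolkey's code and not the Red Hat patch): refuse a group- or world-writable directory that lacks the sticky bit, and validate files through the opened descriptor without following symlinks. The function names `dir_is_safe`, `open_checked` and `create_private` are hypothetical; only the path `/tmp/.pk11ipc1` comes from the report.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 if path is a real directory (not a symlink), owned by root or
 * trusted_uid, and not group/world writable unless the sticky bit is set. */
int dir_is_safe(const char *path, uid_t trusted_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;                 /* missing, a symlink, or not a directory */
    if (st.st_uid != 0 && st.st_uid != trusted_uid)
        return -1;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))
        return -1;                 /* the directory condition from the report */
    return 0;
}

/* Opens an existing file without following a symlink, then checks the opened
 * descriptor (not the path), so the file cannot be swapped after the check. */
int open_checked(const char *path, uid_t trusted_uid)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates a new file; O_EXCL fails if anything, even a symlink, already exists. */
int create_private(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    const char *dir = "/tmp/.pk11ipc1";    /* path named in the report */
    int ok = dir_is_safe(dir, geteuid()) == 0;
    printf("%s: %s\n", dir, ok ? "ok" : "unsafe or absent");
    return 0;
}
```

`O_NOFOLLOW` only guards the final path component, which is why the containing directory is checked first.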

------- Comment #1 From Pierre-Yves Rofes 2007-09-08 07:58:20 0000 -------
Seems that Red Hat issued a patch. crypto, please provide a fixed ebuild.

------- Comment #2 From Alon Bar-Lev (RETIRED) 2007-09-08 08:21:26 0000 -------
Added: coolkey-1.1.0-r1

------- Comment #3 From Pierre-Yves Rofes 2007-09-08 09:03:27 0000 -------
Thanks. Closing without GLSA.
