Bug#: 201022
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>

Description:   Opened: 2007-12-02 21:02 0000
zsh provides a difflog.pl script in /usr/share/zsh/4.3.4/Util/difflog.pl which
uses insecurely created files in /tmp, same kind of issue as bug #198231.
Thanks to Elias Pipping for noticing.
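
The issue class reported above, as an added Perl example that is not code from difflog.pl, zsh or Gentoo: it contrasts a plain open() on a guessable temp-file name with O_EXCL creation and File::Temp. The PID-based file name, the sandbox directory and the helper names (unsafe_write, excl_write, slurp) are assumptions for illustration; the page does not show how difflog.pl names its files.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a shared, world-writable /tmp.
my $tmp    = tempdir(CLEANUP => 1);
my $target = "$tmp/important.txt";
open(my $t, '>', $target) or die "open: $!";
print $t "keep me\n";
close $t;

# Assumed naming scheme (not taken from difflog.pl): PID-based, so guessable.
# A symlink already sitting at that name models the unsafe precondition.
my $guessable = "$tmp/difflog" . $$ . ".old";
symlink($target, $guessable) or die "symlink: $!";

# Unsafe: plain open() follows the symlink and truncates its target.
sub unsafe_write {
    my ($path) = @_;
    open(my $fh, '>', $path) or return 0;
    print $fh "scratch\n";
    return close $fh;
}

# Safer: O_CREAT|O_EXCL refuses any pre-existing name, symlinks included.
sub excl_write {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print $fh "scratch\n";
    return close $fh;
}

# Read a whole file back so the effect on the target is visible.
sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open: $!";
    local $/;
    return scalar <$fh>;
}

printf "O_EXCL write to pre-existing name succeeded: %s\n",
    excl_write($guessable) ? 'yes' : 'no';
printf "target after O_EXCL attempt: %s", slurp($target);
unsafe_write($guessable);
printf "target after plain open():   %s", slurp($target);

# Preferred: File::Temp chooses an unpredictable name and opens it exclusively.
my ($fh, $name) = tempfile('difflogXXXXXX', DIR => $tmp, UNLINK => 1);
print "File::Temp created $name\n";
```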

------- Comment #1 From Pierre-Yves Rofes 2007-12-02 21:09:01 0000 -------
Mamoru, do you know if upstream is aware of this? We could modify the feynmf
patch, but having an official corrected release from upstream would probably be
better. Any opinion?

------- Comment #2 From Pierre-Yves Rofes 2007-12-02 21:47:39 0000 -------
(In reply to comment #1)
> Mamoru, do you know if upstream is aware of this? We could modify the feynmf
> patch, but having an official corrected release from upstream would probably be
> better. Any opinion?
> 

actually cc'ing maintainer :)

------- Comment #3 From Torsten Veller 2007-12-03 18:09:55 0000 -------
usata announced his retirement recently.

zsh devs are aware of the issue:
http://www.zsh.org/mla/workers/2007/msg01060.html and follow-ups (especially
<http://www.zsh.org/mla/workers/2007/msg01065.html>)

------- Comment #4 From Robert Buchholz 2007-12-03 23:57:20 0000 -------
Since the decision is going to be not to distribute that file, it should be
removed from the ebuild.

Anyone in cc on this bug willing to maintain this baby? If not, we should ask
the dev community.

------- Comment #5 From Torsten Veller 2007-12-04 16:19:37 0000 -------
I've just added two new ebuilds without difflog.pl (4.3.2-r3 and 4.3.4-r1).
(BTW upstream has fixed the issue in their repo.)

=app-shells/zsh-4.3.2-r3 should be stabilized again. Removing difflog.pl is the
only substantial change.

------- Comment #6 From Robert Buchholz 2007-12-04 17:53:23 0000 -------
Arches, please test and mark stable app-shells/zsh-4.3.2-r3.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #7 From Tobias Scherbaum 2007-12-04 20:17:03 0000 -------
ppc stable

------- Comment #8 From Christian Faulhammer 2007-12-04 20:19:40 0000 -------
x86 stable

------- Comment #9 From Markus Rothe 2007-12-04 21:07:49 0000 -------
ppc64 stable

------- Comment #10 From Jeroen Roovers 2007-12-05 00:41:39 0000 -------
Stable for HPPA.

------- Comment #11 From Raúl Porcel 2007-12-05 11:19:04 0000 -------
alpha/ia64/sparc stable

------- Comment #12 From Steve Dibb 2007-12-06 05:07:04 0000 -------
amd64 stable

------- Comment #13 From Pierre-Yves Rofes 2007-12-08 23:36:58 0000 -------
voting time. I tend to vote No since the script usage seems to be extremely
unlikely, according to the zsh ml.

------- Comment #14 From Robert Buchholz 2007-12-09 01:28:43 0000 -------
voting NO, too. closing.

------- Comment #15 From Peter Volkov 2008-03-06 09:55:25 0000 -------
Does not affect current (2008.0) release. Removing release.
