sch2eaglepos.sh in geda-gnetlist 1.4.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/##### temporary file. geda-gnetlist 1.4.0 is pulled in with the geda-1.4.0 package. Upstream appears to have an update to 1.4.1.20080929. Reproducible: Always
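The temp-file pattern this report describes beside the mktemp form that the fix applies, as an added shell example that is not geda-gnetlist code or anything posted in this thread; the "sch2eaglepos" template prefix and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from geda-gnetlist or this bug thread. The template
# prefix "sch2eaglepos" is just a label; only mktemp's behaviour is relied on.

# The pattern the report describes: a name built from the PID is guessable, so
# a later `> "$tmp"` follows whatever a local user pre-created at that path.
# Kept only for contrast with the hardened version below.
unsafe_tmpfile() {
    printf '/tmp/%s\n' "$$"
}

# Hardened: mktemp itself creates the file (O_CREAT|O_EXCL, mode 0600) under an
# unpredictable name, so a pre-planted symlink makes it fail rather than follow.
safe_tmpfile() {
    st_tmp=$(mktemp "${TMPDIR:-/tmp}/sch2eaglepos.XXXXXX") || return 1
    # Defence in depth: never hand back a symlink or a non-regular file.
    if [ -L "$st_tmp" ] || [ ! -f "$st_tmp" ]; then
        rm -f -- "$st_tmp"
        return 1
    fi
    printf '%s\n' "$st_tmp"
}

# Stage $1 in a safe temp file, then move it into place at $2. The trap removes
# the temp file if the script dies in between.
stage_output() {
    so_text=$1
    so_dest=$2
    so_tmp=$(safe_tmpfile) || return 1
    trap 'rm -f -- "$so_tmp"' EXIT INT TERM
    printf '%s\n' "$so_text" > "$so_tmp" || return 1
    mv -- "$so_tmp" "$so_dest" || return 1
    trap - EXIT INT TERM
}

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```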
OK, I'll have a look at it. I'm normally away right now but I'm going to have some unexpected availability in the coming days. Denis.
patch here: http://cvs.fedoraproject.org/viewvc/rpms/geda-gnetlist/F-10/geda-gnetlist-CVE-mktemp.patch?revision=1.1&view=markup
The fix is now in CVS. Sorry for the delay. Security, feel free to go forward and close this bug whenever you want. Denis.
Arches please test and stabilize the fixed version.
Let's try this again... Arches please test and stabilize the fixed version.
To clarify, fixed version is geda-1.4.1, target keywords "amd64 ppc sparc x86" Thanks.
(In reply to comment #6)
> To clarify, fixed version is geda-1.4.1, target keywords "amd64 ppc sparc x86"

No. I fixed 1.4.0 and used the same sed for 1.4.1 when I added it, which was after fixing 1.4.0. If arches want to stabilize 1.4.1 they have my blessing (although it hasn't been in the tree for a month yet, far from that), but that has nothing to do with the current security issue and should probably be dealt with in another bug. Denis.
Um, do I get this right that you've changed the current stable ebuild to fix that bug? I highly doubt this was a good idea. First, it could've led to breakage (maybe arch-specific), which would not have been caught by the arch testing process. Luckily, this has apparently not been the case, but one issue is still remaining: We can't give users sane instructions on how to fix that bug -- remerge the package? Does not sound like a good idea. Please either provide an -r1 version of the 1.4.0 ebuild (as an exact copy, not sure about KEYWORDS then though) or give your explicit ok for stabling 1.4.1 and avoid changing stable ebuilds (or maybe non-p.mask'ed packages in general) in the future, especially in case of security problems. Sorry if I got this all wrong, please don't feel offended, I'm just trying to get the bug resolved properly. :) Thanks ;) Removing arches and reverting whiteboard to [ebuild] until I / somebody else knows what exactly is the case. :)
(In reply to comment #8)
> Sorry if I got this all wrong, please don't feel offended, I'm just trying to get the bug resolved properly. :)

No worries, I clearly screwed up. I'm currently away and fixed that from my hotel room and forgot to revbump in the process. Feel free to revbump now if you want, or I'll do it in 14 hours when I'll have a better connection. Sorry about this. Denis.
(In reply to comment #8)
> Please either provide an -r1 version of the 1.4.0 ebuild (as an exact copy, not sure about KEYWORDS then though) or give your explicit ok for stabling 1.4.1 and avoid changing stable ebuilds (or maybe non-p.mask'ed packages in general) in the future, especially in case of security problems.

Done, and straight to stable as the change is really minor in a rarely used function of a package used by few people only. Sorry again about the mess. Denis.
The script is installed to /usr/bin, so I vote YES.
I vote no, as it's "just" a symlink attack on a script which is barely used.
yes too, request filed.
GLSA 200903-08