Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts.
Created attachment 41095: gettext-0.14.1-tempfile.patch. Patch from Trustix to fix tempfile insecurities.
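The class of bug in the problem description, as an added shell example (not the Trustix patch and not gettext's own code): a scratch file with a predictable name written through a plain redirect, next to two hardened forms, plus a check that runs each one against a pre-existing link inside a private sandbox. The function names, the `job.*` file name and the sandbox layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed illustration; function and file names are hypothetical.

# Weak: predictable name, plain ">" follows an existing symlink.
unsafe_scratch() {
    dir=$1
    tmp="$dir/job.$$"
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened: mktemp chooses a random name and creates the file exclusively
# (mode 0600), so a pre-existing link is never opened.
safe_scratch() {
    dir=$1
    tmp=$(mktemp "$dir/job.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Fallback without mktemp: noclobber (set -C) makes ">" fail if the path
# already exists, symlinks included.
noclobber_scratch() {
    dir=$1
    tmp="$dir/job.$$"
    ( set -C; echo "scratch data" > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# Check: in a private sandbox, place a link at the predictable name, run the
# writer, and succeed only if the linked file kept its content.
survives_planted_link() {
    writer=$1
    sandbox=$(mktemp -d) || return 2
    echo "important" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/job.$$"
    "$writer" "$sandbox" >/dev/null 2>&1 || true
    content=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    [ "$content" = "important" ]
}

for w in unsafe_scratch safe_scratch noclobber_scratch; do
    if survives_planted_link "$w"; then
        echo "$w: existing file intact"
    else
        echo "$w: existing file overwritten"
    fi
done
```

The same check can be pointed at any script's temp-file routine by wrapping it in a function that takes the scratch directory as its first argument.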
base-system guys, please verify and apply patch if necessary. The stable version of gettext, 0.12.1, seems to be vulnerable to this as well.
The newest revision we have in portage right now is gettext-0.12.1-r1; looks like we might want to consider a newer version altogether. Testing...
Oh, even better: Mike Frysinger just told me he is already working on this one.
version bumped in cvs; everyone needs loving on this one
archs, please mark gettext-0.14.1 stable.
stable on amd64...
Stable on alpha.
arm/hppa/ia64/s390 == OUTTA SIGHT
I'm getting failed tests: format-java-1 and format-java-2 with bus errors. This passed on gettext-0.12.1 so it's somewhat suspicious, did anyone test this on != sparc?
stable on ppc
Since I installed gettext 0.14.1 I get this error, can someone see to this? /usr/bin/xgettext: error while loading shared libraries: libgettextlib-0.12.1.so: cannot open shared object file: No such file or directory. Put back to ~ppc until the problem is solved.
/usr/bin/xgettext: error while loading shared libraries: libgettextlib-0.12.1.so: cannot open shared object file: No such file or directory the fix is to run revdep-rebuild :P
sparc stable, with conjured patch for the java tests.
Well, xgettext is part of gettext... so revdep-rebuild doesn't help much here. Is it being built against the system installed gettext instead of the version in its own directory? Btw, it seems to have built correctly here. I think 66485 is a dupe... and this one is on x86. I'm holding off on stabilizing it on x86 until this is sorted out.
*** Bug 66485 has been marked as a duplicate of this bug. ***
masked 0.14.1 ... I'll release a new 0.12.1-r# with the patch
Back to ebuild status, current ebuild breaks things. NB to sec team: tempfile attacks are "3" not "4".
OK, I've added gettext-0.12.1-r2 to portage with the patch posted here ... one of the hunks is not relevant to 0.12.1 since it removes code that was added to gettext after this release. Let's try stabilizing again, shall we?
archs, please mark gettext-0.12.1-r2 stable.
stable x86 and amd64
stable on sparc
stable on ppc but QA isn't ok: The patch is bigger than 20K!!!
done on hppa.
arm/ia64/s390 done
stable on ppc64, thanks!
GLSA 200410-10. mips, please mark stable to benefit from GLSA.
Stable on mips.