Bug 94069 - dev-libs/log4sh <= 1.2.5 insecure temporary file creation
Summary: dev-libs/log4sh <= 1.2.5 insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-26 05:38 UTC by Romang
Modified: 2005-07-04 06:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
use mktemp instead of $$ (log4sh-mktemp.diff, 316 bytes, patch)
2005-06-20 05:38 UTC, Tavis Ormandy (RETIRED)

Description Romang 2005-05-26 05:38:30 UTC
Hello,

Take a look on :

log4sh_readProperties()
{
  _file=$1

  _tmpFile="/tmp/log4sh.$$"      # temp path built from the PID only: predictable name
  grep "^log4sh\." $_file >$_tmpFile   # '>' follows whatever already exists at that path

Could overwrite an arbitrary file with the rights of the user using dev-libs/log4sh

Regards.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-01 05:39:50 UTC
Eric: was this pushed upstream? If so, any news?
If they don't answer we'll push our own patch in.
Comment 2 Romang 2005-06-09 01:14:16 UTC
Hello,

Vendor notified.

Regards.
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-20 05:38:50 UTC
Created attachment 61570 [details, diff]
use mktemp instead of $$

suggested simple fix
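The two patterns discussed in this bug side by side, as an added example that is neither log4sh's own code nor the attached patch: the PID-based temp file quoted in the description, a mktemp(1)-based replacement in the spirit of "use mktemp instead of $$", a check that the file mktemp hands back is a private regular file, and a small grep audit that flags the `/tmp/...$$` shape in a script. Function names, the scratch directory and the sample properties file are constructed for this demonstration; the audit regex is an assumption about how such lines are written, not a general detector.

```shell
#!/bin/sh
# Added example, not log4sh's code and not the attached patch.
# Function names, scratch directory and sample data are constructed.

# Vulnerable pattern, as quoted in the bug: the path is built from the PID,
# so it is guessable, and '>' follows whatever already sits at that path
# (a symlink included). Kept for contrast only; nothing below calls it.
insecure_readProperties() {
    _file=$1
    _tmpFile="/tmp/log4sh.$$"
    grep "^log4sh\." "$_file" >"$_tmpFile"
}

# Create a private temp file and print its path. mktemp(1) creates the file
# itself (O_CREAT|O_EXCL, mode 0600, random suffix), so a file or symlink
# planted in advance cannot be reused; it fails closed if creation fails.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/log4sh.XXXXXX"
}

# Hardened version of the function above: same filtering, safe temp file,
# temp file removed before returning. Prints the filtered lines.
safe_readProperties() {
    _file=$1
    _tmpFile=$(make_private_tmp) || return 1
    _rc=0
    grep "^log4sh\." "$_file" >"$_tmpFile" || _rc=$?   # 1 = no match, >1 = error
    if [ "$_rc" -gt 1 ]; then
        rm -f "$_tmpFile"
        return "$_rc"
    fi
    cat "$_tmpFile"             # log4sh would parse this; here it is just emitted
    rm -f "$_tmpFile"
}

# Return 0 if PATH is a regular file (not a symlink) that only its owner can
# read and write, i.e. what a correctly created temp file looks like.
tmp_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Audit helper: print "line:text" for lines in SCRIPT that build a /tmp path
# from $$. Returns 1 if none are found. The regex is an assumption about how
# such lines are written (constructed for this demo), not a general detector.
audit_pid_tmp() {
    grep -nE '/tmp/[^ ]*\$\$' "$1"
}

# Constructed sample properties file in a fresh scratch directory; prints the
# file's path. Remove the directory when done.
make_sample_properties() {
    _dir=$(mktemp -d "${TMPDIR:-/tmp}/log4sh-demo.XXXXXX") || return 1
    cat >"$_dir/log4sh.properties" <<'EOF'
# constructed sample for the demo
log4sh.rootLogger=INFO, stdout
log4sh.appender.stdout=ConsoleAppender
other.setting=ignored
EOF
    printf '%s\n' "$_dir/log4sh.properties"
}
```

The template is passed to mktemp with an explicit directory so TMPDIR is honoured, and the 0600 mode comes from mkstemp(3) underneath mktemp rather than from the caller's umask; a caller that wants the file elsewhere changes the template, not the creation method.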
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 06:09:15 UTC
Pulling in maintainer.
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-06-24 06:20:51 UTC
It's in my overlay ready to commit whenever you guys give the word.
Comment 6 Romang 2005-06-27 00:39:18 UTC
Hello,

Publish to vendor-sec@lst.de

Regards
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 01:59:20 UTC
Release date set to 20050704
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-07-03 02:40:51 UTC
Should we prepare a GLSA on this one?
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 01:38:30 UTC
Advisory is out.
Aaron: you can commit the stuff.
Security: please vote on GLSA need
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-07-04 04:15:31 UTC
committed, x86 stable.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 05:59:23 UTC
The config file is only used in specific cases, and log4sh isn't used in any
Gentoo-provided package. Voting half-NO.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-04 06:08:02 UTC
I agree, NO
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-04 06:20:30 UTC
Voting 
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-04 06:20:30 UTC
Voting ½ NO as well -> Closing without GLSA.

Thx everyone.