Hello,
Take a look at:
    log4sh_readProperties()
    {
      _file=$1

      _tmpFile="/tmp/log4sh.$$"
      grep "^log4sh\." $_file >$_tmpFile
Could overwrite an arbitrary file with the rights of the user using dev-libs/log4sh.
Regards.
Eric: was this pushed upstream? If so, any news? If they don't answer we'll push our own patch in.
Hello, Vendor notified. Regards.
Created attachment 61570: use mktemp instead of $$
Suggested simple fix
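The mktemp approach named in the comment above, sketched as an added example; it is not the attached patch and not log4sh's own code. The function names and the sample configuration are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not log4sh's own code. Function names are hypothetical.

# Create the temp file with mktemp: the name is unpredictable and the file
# is created exclusively with mode 0600, so nothing already sitting at a
# guessable /tmp path can be written through.
safe_tmpfile() {
  mktemp "${TMPDIR:-/tmp}/log4sh.XXXXXX"
}

# Check that $1 is a regular file (not a symlink) that only its owner can
# read or write. Succeeds only for permissions "-rw-------".
tmp_is_private() {
  if [ ! -f "$1" ] || [ -L "$1" ]; then return 1; fi
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Hardened form of the step quoted in the report: copy the "log4sh." lines
# of config file $1 into a private temp file and print that file's path.
# The caller removes the file when done.
read_properties_safe() {
  _file=$1
  [ -r "$_file" ] || return 1
  _tmpFile=$(safe_tmpfile) || return 1
  _rc=0
  grep '^log4sh\.' "$_file" >"$_tmpFile" || _rc=$?
  # grep exits 1 when no line matches; only a status above 1 is an error.
  if [ "$_rc" -gt 1 ]; then rm -f "$_tmpFile"; return 1; fi
  printf '%s\n' "$_tmpFile"
}

# Constructed sample input: a small properties file written to path $1.
make_sample_config() {
  cat >"$1" <<'EOF'
# constructed sample, not a real log4sh configuration
log4sh.example.first = one
other.setting = ignored
log4sh.example.second = two
EOF
}
```

Two calls to `read_properties_safe` return two different paths, unlike the `$$`-based name, which is fixed for the lifetime of the process.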
Pulling in maintainer.
It's in my overlay ready to commit whenever you guys give the word.
Hello, Publish to vendor-sec@lst.de Regards
Release date set to 20050704
Should we prepare a GLSA on this one?
Advisory is out. Aaron: you can commit the stuff. Security: please vote on GLSA need
Committed, x86 stable.
The config file is only used in specific cases, and log4sh isn't used in any Gentoo-provided package. Voting half-NO.
I agree, NO
Voting
Voting ½ NO as well -> Closing without GLSA. Thx everyone.