106105 2005-09-15 13:43 0000 sys-apps/texinfo: Insecure temporary file creation (CAN-2005-3011) 2005-10-08 01:56:04 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365 A3 [glsa] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org jaervosz@gentoo.org 2005-09-15 13:43:51 0000 Not sure wether this affects our version: There is a race condition on creating temporary files in texindex. koon@gentoo.org 2005-09-16 02:02:48 0000 Pulling in maintainer. koon@gentoo.org 2005-09-17 06:12:08 0000 I checked, our 4.8 is affected. koon@gentoo.org 2005-09-21 05:45:27 0000 base-system please advise... vapier@gentoo.org 2005-09-25 00:33:37 0000 seems to be fixed in texinfo-4.8 which has been in stable for all arches for quite a while http://savannah.gnu.org/cgi-bin/viewcvs/texinfo/texinfo/util/texindex.c.diff?r1=1.3&r2=1.4 texinfo-4.8 uses texindex.c rev 1.11 which is much higher than the fixed rev 1.4 :) koon@gentoo.org 2005-09-25 01:36:28 0000 vapier: affected code (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365) is still in 4.8. I think it's a different set of tempfile fixes. Debian's 4.7 version is affected and 4.7 is based on rev 1.11, like 4.8. vapier@gentoo.org 2005-09-25 02:06:10 0000 Created an attachment (id=69199) texinfo-texindex-tempfile.patch indeed ... so what about this patch ? koon@gentoo.org 2005-09-25 05:44:47 0000 Looks sane to me, but I may miss something (esp. in my current state), better ask TheTavis to have a look. taviso@gentoo.org 2005-09-26 05:31:34 0000 Does the patch work? I havnt looked at texinfo code but if i'm reading it correctly, it passes mkstemp a char* that ends with .123, iirc mkstemp expects it to end with XXX... Does that new fd get released anywhere? otherwise this patch adds an fd leak. vapier@gentoo.org 2005-09-26 05:56:39 0000 indeed, that mkstemp should be changed to open() like in bsd vapier@gentoo.org 2005-09-29 00:38:50 0000 Created an attachment (id=69463) texinfo-texindex-tempfile.patch this should do it then taviso@gentoo.org 2005-09-29 01:00:24 0000 Yep, patch looks good to me. vapier@gentoo.org 2005-09-29 01:52:15 0000 texinfo-4.8-r1 now in portage then koon@gentoo.org 2005-09-29 02:38:41 0000 Let the race begin, test and mark stable... ferdy@gentoo.org 2005-09-29 02:58:34 0000 Looks fine on alpha, marked stable. Cheers, Ferdy hansmi@gentoo.org 2005-09-29 08:41:33 0000 Stable on hppa, ppc. ticho@gentoo.org 2005-09-29 09:56:14 0000 x86 happy ka0ttic@gentoo.org 2005-09-29 10:15:11 0000 mips stable gustavoz@gentoo.org 2005-09-29 10:26:44 0000 sparc stable. corsair@gentoo.org 2005-09-30 11:18:03 0000 stable on ppc64 blubb@gentoo.org 2005-09-30 13:06:06 0000 amd64 stable matsuu@gentoo.org 2005-09-30 14:25:35 0000 stable on sh. kloeri@gentoo.org 2005-10-01 17:30:15 0000 Stable on ia64. koon@gentoo.org 2005-10-05 05:48:42 0000 GLSA 200510-04 arm and s390 should mark stable to benefit from GLSA gengor@gentoo.org 2005-10-07 16:01:59 0000 Gentlemen, please see: http://bugs.gentoo.org/show_bug.cgi?id=108416 koon@gentoo.org 2005-10-08 01:56:04 0000 Apparently our patch sucks, SpanKY please see bug 108416 for details. 69199 2005-09-25 02:06 0000 texinfo-texindex-tempfile.patch texinfo-texindex-tempfile.patch text/plain SW5kZXg6IHV0aWwvdGV4aW5kZXguYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3Zzcm9vdC90ZXhp bmZvL3RleGluZm8vdXRpbC90ZXhpbmRleC5jLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjEzCmRp ZmYgLXUgLXAgLXIxLjEzIHRleGluZGV4LmMKLS0tIHV0aWwvdGV4aW5kZXguYwkxOSBBdWcgMjAw NSAyMjoyMzo1NCAtMDAwMAkxLjEzCisrKyB1dGlsL3RleGluZGV4LmMJMjUgU2VwIDIwMDUgMDk6 MDU6MzQgLTAwMDAKQEAgLTk5LDYgKzk5LDkgQEAgbG9uZyBubGluZXM7CiAvKiBEaXJlY3Rvcnkg dG8gdXNlIGZvciB0ZW1wb3JhcnkgZmlsZXMuICBPbiBVbml4LCBpdCBlbmRzIHdpdGggYSBzbGFz aC4gICovCiBjaGFyICp0ZW1wZGlyOwogCisvKiBCYXNlbmFtZSBmb3IgdGVtcCBmaWxlcyBpbnNp ZGUgb2YgdGVtcGRpci4gICovCitjaGFyICp0ZW1wYmFzZTsKKwogLyogTnVtYmVyIG9mIGxhc3Qg dGVtcG9yYXJ5IGZpbGUuICAqLwogaW50IHRlbXBjb3VudDsKIApAQCAtMTkwLDYgKzE5MywxMSBA QCBtYWluIChpbnQgYXJnYywgY2hhciAqKmFyZ3YpCiAKICAgZGVjb2RlX2NvbW1hbmQgKGFyZ2Ms IGFyZ3YpOwogCisgIC8qIFhYWCBta3N0ZW1wIG5vdCBhcHByb3ByaWF0ZSwgYXMgd2UgbmVlZCB0 byBoYXZlIHNvbWV3aGF0IHByZWRpY3RhYmxlCisgICAqIG5hbWVzLiBCdXQgcmFjZSBjb25kaXRp b24gd2FzIGZpeGVkLCBzZWUgbWFrZXRlbXBuYW1lLiAKKyAgICovCisgIHRlbXBiYXNlID0gbWt0 ZW1wICgidHhpZHhYWFhYWFgiKTsKKwogICAvKiBQcm9jZXNzIGlucHV0IGZpbGVzIGNvbXBsZXRl bHksIG9uZSBieSBvbmUuICAqLwogCiAgIGZvciAoaSA9IDA7IGkgPCBudW1faW5maWxlczsgaSsr KQpAQCAtMzkyLDIxICs0MDAsMjAgQEAgRm9yIG1vcmUgaW5mb3JtYXRpb24gYWJvdXQgdGhlc2Ug bWF0dGVycwogc3RhdGljIGNoYXIgKgogbWFrZXRlbXBuYW1lIChpbnQgY291bnQpCiB7Ci0gIHN0 YXRpYyBjaGFyICp0ZW1wYmFzZSA9IE5VTEw7CiAgIGNoYXIgdGVtcHN1ZmZpeFsxMF07Ci0KLSAg aWYgKCF0ZW1wYmFzZSkKLSAgICB7Ci0gICAgICBpbnQgZmQ7Ci0gICAgICB0ZW1wYmFzZSA9IGNv bmNhdCAodGVtcGRpciwgInR4aWR4WFhYWFhYIik7Ci0KLSAgICAgIGZkID0gbWtzdGVtcCAodGVt cGJhc2UpOwotICAgICAgaWYgKGZkID09IC0xKQotICAgICAgICBwZmF0YWxfd2l0aF9uYW1lICh0 ZW1wYmFzZSk7Ci0gICAgfQorICBjaGFyICpuYW1lLCAqdG1wX25hbWU7CisgIGludCBmZDsKIAog ICBzcHJpbnRmICh0ZW1wc3VmZml4LCAiLiVkIiwgY291bnQpOwotICByZXR1cm4gY29uY2F0ICh0 ZW1wYmFzZSwgdGVtcHN1ZmZpeCk7CisgIHRtcF9uYW1lID0gY29uY2F0ICh0ZW1wZGlyLCB0ZW1w YmFzZSk7CisgIG5hbWUgPSBjb25jYXQgKHRtcF9uYW1lLCB0ZW1wc3VmZml4KTsKKyAgZnJlZSh0 bXBfbmFtZSk7CisKKyAgZmQgPSBta3N0ZW1wIChuYW1lKTsKKyAgaWYgKGZkID09IC0xKQorICAg IHBmYXRhbF93aXRoX25hbWUgKG5hbWUpOworCisgIHJldHVybiBuYW1lOwogfQogCiAK 69463 2005-09-29 00:38 0000 texinfo-texindex-tempfile.patch texinfo-texindex-tempfile.patch text/plain SW5kZXg6IHV0aWwvdGV4aW5kZXguYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3Zzcm9vdC90ZXhp bmZvL3RleGluZm8vdXRpbC90ZXhpbmRleC5jLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjEzCmRp ZmYgLXUgLXAgLXIxLjEzIHRleGluZGV4LmMKLS0tIHV0aWwvdGV4aW5kZXguYwkxOSBBdWcgMjAw NSAyMjoyMzo1NCAtMDAwMAkxLjEzCisrKyB1dGlsL3RleGluZGV4LmMJMjUgU2VwIDIwMDUgMDk6 MDU6MzQgLTAwMDAKQEAgLTk5LDYgKzk5LDkgQEAgbG9uZyBubGluZXM7CiAvKiBEaXJlY3Rvcnkg dG8gdXNlIGZvciB0ZW1wb3JhcnkgZmlsZXMuICBPbiBVbml4LCBpdCBlbmRzIHdpdGggYSBzbGFz aC4gICovCiBjaGFyICp0ZW1wZGlyOwogCisvKiBCYXNlbmFtZSBmb3IgdGVtcCBmaWxlcyBpbnNp ZGUgb2YgdGVtcGRpci4gICovCitjaGFyICp0ZW1wYmFzZTsKKwogLyogTnVtYmVyIG9mIGxhc3Qg dGVtcG9yYXJ5IGZpbGUuICAqLwogaW50IHRlbXBjb3VudDsKIApAQCAtMTkwLDYgKzE5MywxMSBA QCBtYWluIChpbnQgYXJnYywgY2hhciAqKmFyZ3YpCiAKICAgZGVjb2RlX2NvbW1hbmQgKGFyZ2Ms IGFyZ3YpOwogCisgIC8qIFhYWCBta3N0ZW1wIG5vdCBhcHByb3ByaWF0ZSwgYXMgd2UgbmVlZCB0 byBoYXZlIHNvbWV3aGF0IHByZWRpY3RhYmxlCisgICAqIG5hbWVzLiBCdXQgcmFjZSBjb25kaXRp b24gd2FzIGZpeGVkLCBzZWUgbWFrZXRlbXBuYW1lLiAKKyAgICovCisgIHRlbXBiYXNlID0gbWt0 ZW1wICgidHhpZHhYWFhYWFgiKTsKKwogICAvKiBQcm9jZXNzIGlucHV0IGZpbGVzIGNvbXBsZXRl bHksIG9uZSBieSBvbmUuICAqLwogCiAgIGZvciAoaSA9IDA7IGkgPCBudW1faW5maWxlczsgaSsr KQpAQCAtMzkyLDIxICs0MDAsMjEgQEAgRm9yIG1vcmUgaW5mb3JtYXRpb24gYWJvdXQgdGhlc2Ug bWF0dGVycwogc3RhdGljIGNoYXIgKgogbWFrZXRlbXBuYW1lIChpbnQgY291bnQpCiB7Ci0gIHN0 YXRpYyBjaGFyICp0ZW1wYmFzZSA9IE5VTEw7CiAgIGNoYXIgdGVtcHN1ZmZpeFsxMF07Ci0KLSAg aWYgKCF0ZW1wYmFzZSkKLSAgICB7Ci0gICAgICBpbnQgZmQ7Ci0gICAgICB0ZW1wYmFzZSA9IGNv bmNhdCAodGVtcGRpciwgInR4aWR4WFhYWFhYIik7Ci0KLSAgICAgIGZkID0gbWtzdGVtcCAodGVt cGJhc2UpOwotICAgICAgaWYgKGZkID09IC0xKQotICAgICAgICBwZmF0YWxfd2l0aF9uYW1lICh0 ZW1wYmFzZSk7Ci0gICAgfQorICBjaGFyICpuYW1lLCAqdG1wX25hbWU7CisgIGludCBmZDsKIAog ICBzcHJpbnRmICh0ZW1wc3VmZml4LCAiLiVkIiwgY291bnQpOwotICByZXR1cm4gY29uY2F0ICh0 ZW1wYmFzZSwgdGVtcHN1ZmZpeCk7CisgIHRtcF9uYW1lID0gY29uY2F0ICh0ZW1wZGlyLCB0ZW1w YmFzZSk7CisgIG5hbWUgPSBjb25jYXQgKHRtcF9uYW1lLCB0ZW1wc3VmZml4KTsKKyAgZnJlZSh0 bXBfbmFtZSk7CisKKyAgZmQgPSBvcGVuIChuYW1lLCBPX0NSRUFUfE9fRVhDTHxPX1dST05MWSwg MDYwMCk7CisgIGlmIChmZCA9PSAtMSkKKyAgICBwZmF0YWxfd2l0aF9uYW1lIChuYW1lKTsKKwor ICBjbG9zZShmZCk7CisgIHJldHVybiBuYW1lOwogfQogCiAK