201022 CVE-2007-6209 2007-12-02 21:02 0000 app-shells/zsh < 4.3.2-r3 insecure temporary file creation (CVE-2007-6209) 2008-03-06 09:55:25 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B3 [noglsa] P2 minor --- 1 py@gentoo.org security@gentoo.org pipping@gentoo.org tove@gentoo.org usata@gentoo.org py@gentoo.org 2007-12-02 21:02:22 0000 zsh provides a difflog.pl script in /usr/share/zsh/4.3.4/Util/difflog.pl which uses insecurely created files in /tmp, same kind of issue than bug #198231. Thanks to Elias Pipping for noticing. py@gentoo.org 2007-12-02 21:09:01 0000 Mamoru, do you know if upstream is aware of this? We could modify the feynmf patch, but having an official corrected release from upstream would probably be better. Any opinion? py@gentoo.org 2007-12-02 21:47:39 0000 (In reply to comment #1) > Mamoru, do you know if upstream is aware of this? We could modify the feynmf > patch, but having an official corrected release from upstream would probably be > better. Any opinion? > actually cc'ing maintainer :) tove@gentoo.org 2007-12-03 18:09:55 0000 usata announced his retirement recently. zsh devs are aware of the issue: http://www.zsh.org/mla/workers/2007/msg01060.html and follow ups (especially <http://www.zsh.org/mla/workers/2007/msg01065.html>) rbu@gentoo.org 2007-12-03 23:57:20 0000 Since the decision is going to be not to distribute that file, it should be removed from the ebuild. Anyone in cc on this bug willing to maintain this baby? If not, we should ask the dev community. tove@gentoo.org 2007-12-04 16:19:37 0000 I've just added two new ebuilds without difflog.pl (4.3.2-r3 and 4.3.4-r1). (BTW upstream has fixed the issue in their repo.) =app-shells/zsh-4.3.2-r3 should be stabilized again. Removing difflog.pl is the only substantial change. rbu@gentoo.org 2007-12-04 17:53:23 0000 Arches, please test and mark stable app-shells/zsh-4.3.2-r3. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" dertobi123@gentoo.org 2007-12-04 20:17:03 0000 ppc stable fauli@gentoo.org 2007-12-04 20:19:40 0000 x86 stable corsair@gentoo.org 2007-12-04 21:07:49 0000 ppc64 stable jer@gentoo.org 2007-12-05 00:41:39 0000 Stable for HPPA. armin76@gentoo.org 2007-12-05 11:19:04 0000 alpha/ia64/sparc stable beandog@gentoo.org 2007-12-06 05:07:04 0000 amd64 stable py@gentoo.org 2007-12-08 23:36:58 0000 voting time. I tend to vote No since the script usage seems to be extremely unlikely, according to the zsh ml. rbu@gentoo.org 2007-12-09 01:28:43 0000 voting NO, too. closing. pva@gentoo.org 2008-03-06 09:55:25 0000 Does not affect current (2008.0) release. Removing release.