68406 2004-10-21 07:58 0000 sys-fs/lvm-user: Insecure tmpfile use 2004-11-11 13:28:57 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308 B3 [glsa] koon P1 minor --- 1 koon@gentoo.org security@gentoo.org base-system@gentoo.org koon@gentoo.org 2004-10-21 07:58:37 0000 CAN-2004-0972 The lvmcreate_initrd script in the lvm package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. koon@gentoo.org 2004-10-21 08:06:58 0000 Created an attachment (id=42316) Patch from RedHat bug Patch from RedHat koon@gentoo.org 2004-10-22 08:11:11 0000 We have two lvm packages in our tree, lvm-user for LVM 1.* and lvm2 for LVM 2.*. The script is only in LVM 1.* releases. So we should either remove the package or fix it :) koon@gentoo.org 2004-10-30 09:27:54 0000 base-system: please either fix this or remove lvm-user altogether. I'm sure you prefer we don't mess with it ourselves :) vorlon@gentoo.org 2004-11-02 02:39:43 0000 Debian bug report: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279229> Diff from Ubuntu Linux (full diff to orig package including typical Debian stuff): <http://security.ubuntu.com/ubuntu/pool/main/l/lvm10/lvm10_1.0.8-4ubuntu1.1.diff.gz> koon@gentoo.org 2004-11-05 06:12:26 0000 Patch in attachment applies cleanly to lvm-user-1.0.7-r1. vapier@gentoo.org 2004-11-09 21:56:56 0000 1.0.7-r2 is in portage with the fix jaervosz@gentoo.org 2004-11-09 23:03:08 0000 Arches please mark stable. gustavoz@gentoo.org 2004-11-10 04:48:05 0000 What stable? vapier bumped every one to stable directly... koon@gentoo.org 2004-11-10 04:58:18 0000 Sune obviously needs some rest :) Sorry for the inconvenience... jaervosz@gentoo.org 2004-11-11 13:28:57 0000 GLSA 200411-22 42316 2004-10-21 08:06 0000 Patch from RedHat bug lvm-1.0.8-tempfile.patch text/plain ZGlmZiAtdXIgTFZNLm9yaWcvMS4wLjgvdG9vbHMvbHZtY3JlYXRlX2luaXRyZCBMVk0vMS4wLjgv dG9vbHMvbHZtY3JlYXRlX2luaXRyZAotLS0gTFZNLm9yaWcvMS4wLjgvdG9vbHMvbHZtY3JlYXRl X2luaXRyZAkyMDAzLTExLTE3IDE2OjU4OjU2LjAwMDAwMDAwMCArMDEwMAorKysgTFZNLzEuMC44 L3Rvb2xzL2x2bWNyZWF0ZV9pbml0cmQJMjAwNC0wOS0xMyAxMjowNzoyMy4wMDAwMDAwMDAgKzAy MDAKQEAgLTIzMyw2ICsyMzMsMTAgQEAKICMgcnVuIG91dCBvZiByb29tIG9uIHRoZSByYW1kaXNr IHdoaWxlIHN0cmlwcGluZyB0aGUgbGlicmFyaWVzLgogZWNobyAiJGNtZCAtLSBzdHJpcHBpbmcg c2hhcmVkIGxpYnJhcmllcyIKIG1rZGlyICRUTVBMSUIKK2lmIFsgJD8gLW5lIDAgXTsgdGhlbgor ICAgZWNobyAiJGNtZCAtLSBFUlJPUiBtYWtpbmcgJFRNUExJQiIKKyAgIGNsZWFudXAgMQorZmkK IGZvciBMSUIgaW4gJFNITElCUzsgZG8KICAgIHZlcmJvc2UgImNvcHkgJExJQiB0byAkVE1QTElC JExJQiIKICAgIG1rZGlyIC1wIGBkaXJuYW1lICRUTVBMSUIkTElCYAo=