| Summary: | dev-util/cvs temp file issues (vendor-sec) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/cvs/ | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Marcus found that cvsbug still has a tmp file problem. Although it creates files using mktemp it removes one of them in the middle of the script and then writes to it again. This should fix it: Index: cvs-1.12.12/src/cvsbug.in =================================================================== --- cvs-1.12.12.orig/src/cvsbug.in +++ cvs-1.12.12/src/cvsbug.in @@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP ORIGINATOR="`cat $TEMP`" - rm -f $TEMP + > $TEMP fi fi if [ "$ORIGINATOR" = "" ]; then grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP ORIGINATOR="`cat $TEMP`" - rm -f $TEMP + > $TEMP fi if [ -n "$ORGANIZATION" ]; then We are not going to release security updates just for this and I don't think it justifies an embargo, anyone disagree? --- Full Owl patches in URL.