Bug 106105 - sys-apps/texinfo: Insecure temporary file creation (CAN-2005-3011)
Bug#: 106105 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365
Summary: sys-apps/texinfo: Insecure temporary file creation (CAN-2005-3011)
Keywords:  
Status Whiteboard: A3 [glsa]
Opened: 2005-09-15 13:43 0000
Description:
Not sure whether this affects our version: 
 
There is a race condition on creating temporary files in texindex.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-09-16 02:02:48 0000 -------
Pulling in maintainer.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-09-17 06:12:08 0000 -------
I checked, our 4.8 is affected.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-09-21 05:45:27 0000 -------
base-system please advise...

------- Comment #4 From SpanKY 2005-09-25 00:33:37 0000 -------
seems to be fixed in texinfo-4.8 which has been in stable for all arches for
quite a while

http://savannah.gnu.org/cgi-bin/viewcvs/texinfo/texinfo/util/texindex.c.diff?r1=1.3&r2=1.4

texinfo-4.8 uses texindex.c rev 1.11 which is much higher than the fixed rev 1.4 :)

------- Comment #5 From Thierry Carrez (RETIRED) 2005-09-25 01:36:28 0000 -------
vapier: affected code (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328365) is still in 4.8. I
think it's a different set of tempfile fixes. Debian's 4.7 version is affected
and 4.7 is based on rev 1.11, like 4.8.

------- Comment #6 From SpanKY 2005-09-25 02:06:10 0000 -------
Created an attachment (id=69199)
texinfo-texindex-tempfile.patch

indeed ... so what about this patch ?

------- Comment #7 From Thierry Carrez (RETIRED) 2005-09-25 05:44:47 0000 -------
Looks sane to me, but I may miss something (esp. in my current state), better
ask TheTavis to have a look.

------- Comment #8 From Tavis Ormandy (RETIRED) 2005-09-26 05:31:34 0000 -------
Does the patch work?

I haven't looked at texinfo code but if I'm reading it correctly, it passes
mkstemp a char* that ends with .123, iirc mkstemp expects it to end with XXX...

Does that new fd get released anywhere? otherwise this patch adds an fd leak.

------- Comment #9 From SpanKY 2005-09-26 05:56:39 0000 -------
indeed, that mkstemp should be changed to open() like in bsd
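
Added example, not part of the thread and not the attached patch: it shows the two behaviours discussed in comments #8 and #9, that mkstemp() rejects a template that does not end in XXXXXX, and that open() with O_CREAT|O_EXCL refuses a name that already exists (a symlink included), with the descriptor closed rather than leaked. The function names, the `idx.123` file name and the scratch directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Exclusive create of a fixed-name file: 0 on success, -1 with errno set.
 * A pre-existing name (even a symlink) gives EEXIST; the fd is closed here. */
static int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* errno that mkstemp() reports for this template, or 0 if it succeeded. */
static int mkstemp_errno(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(tmpl);
    return 0;
}

/* Constructed scenario in a private directory; returns 0 if every check holds. */
static int demo(void)
{
    char dir[] = "/tmp/txidemoXXXXXX", name[64], target[64];
    int ok = 1;
    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof name, "%s/idx.123", dir);    /* hypothetical name */
    snprintf(target, sizeof target, "%s/target", dir);
    ok &= mkstemp_errno(name) == EINVAL;       /* template lacks XXXXXX */
    ok &= create_exclusive(name) == 0;         /* fresh name is created */
    ok &= create_exclusive(name) == -1 && errno == EEXIST;  /* existing file */
    ok &= unlink(name) == 0 && symlink(target, name) == 0;  /* pre-planted link */
    ok &= create_exclusive(name) == -1 && errno == EEXIST;  /* link not followed */
    ok &= access(target, F_OK) != 0;           /* link target was never created */
    unlink(name);
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```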

------- Comment #10 From SpanKY 2005-09-29 00:38:50 0000 -------
Created an attachment (id=69463)
texinfo-texindex-tempfile.patch

this should do it then

------- Comment #11 From Tavis Ormandy (RETIRED) 2005-09-29 01:00:24 0000 -------
Yep, patch looks good to me.

------- Comment #12 From SpanKY 2005-09-29 01:52:15 0000 -------
texinfo-4.8-r1 now in portage then

------- Comment #13 From Thierry Carrez (RETIRED) 2005-09-29 02:38:41 0000 -------
Let the race begin, test and mark stable...

------- Comment #14 From Fernando J. Pereda (RETIRED) 2005-09-29 02:58:34 0000 -------
Looks fine on alpha, marked stable.

Cheers,
Ferdy

------- Comment #15 From Michael Hanselmann (hansmi) (RETIRED) 2005-09-29 08:41:33 0000 -------
Stable on hppa, ppc.

------- Comment #16 From Andrej Kacian (RETIRED) 2005-09-29 09:56:14 0000 -------
x86 happy

------- Comment #17 From Aaron Walker (RETIRED) 2005-09-29 10:15:11 0000 -------
mips stable

------- Comment #18 From Gustavo Zacarias (RETIRED) 2005-09-29 10:26:44 0000 -------
sparc stable.

------- Comment #19 From Markus Rothe 2005-09-30 11:18:03 0000 -------
stable on ppc64

------- Comment #20 From Simon Stelling (RETIRED) 2005-09-30 13:06:06 0000 -------
amd64 stable

------- Comment #21 From MATSUU Takuto 2005-09-30 14:25:35 0000 -------
stable on sh.

------- Comment #22 From Bryan Østergaard (RETIRED) 2005-10-01 17:30:15 0000 -------
Stable on ia64.

------- Comment #23 From Thierry Carrez (RETIRED) 2005-10-05 05:48:42 0000 -------
GLSA 200510-04
arm and s390 should mark stable to benefit from GLSA

------- Comment #24 From Gordon Malm 2005-10-07 16:01:59 0000 -------
Gentlemen, please see:

http://bugs.gentoo.org/show_bug.cgi?id=108416

------- Comment #25 From Thierry Carrez (RETIRED) 2005-10-08 01:56:04 0000 -------
Apparently our patch sucks, SpanKY please see bug 108416 for details.