Bug 119309 - app-text/antiword - insecure temporary file (CVE-2005-3126)
Bug#: 119309 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-text/antiword - insecure temporary file (CVE-2005-3126)
Keywords:  
Status Whiteboard: B3 [noglsa] jaervosz
Opened: 2006-01-17 10:13 0000
Description:   Opened: 2006-01-17 10:13 0000 
from DSA 945-1:

Javier Fern

------- Comment #1 From Carsten Lohrke 2006-01-17 10:13:51 0000 ------- 
from DSA 945-1:

Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that two scripts in antiword, utilities to convert Word
files to text and Postscript, create a temporary file in an insecure
fashion.



0.36.1 is affected as well and the relevant parts of the patch below should
apply.

http://security.debian.org/pool/updates/main/a/antiword/antiword_0.35-2sarge1.diff.gz

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-01-17 11:50:38 0000 ------- 
Seemant please provide an updated ebuild.

------- Comment #3 From Seemant Kulleen (RETIRED) 2006-01-18 06:01:54 0000 ------- 
Created an attachment (id=77417) [details]
updated ebuild

updated ebuild -- see distfiles in /space/distfiles-local on toucan

------- Comment #4 From Seemant Kulleen (RETIRED) 2006-01-18 06:02:13 0000 ------- 
Sune: there it is.

------- Comment #5 From Seemant Kulleen (RETIRED) 2006-01-18 06:11:26 0000 ------- 
Actually, it's committed into cvs.  Please test and mark stable as appropriate.

------- Comment #6 From Thierry Carrez (RETIRED) 2006-01-18 07:02:23 0000 ------- 
Arches please test and mark stable
Target KEYWORDS="alpha amd64 ~hppa ppc ~ppc-macos ppc64 sparc x86"

------- Comment #7 From Tobias Scherbaum 2006-01-18 08:38:36 0000 ------- 
ppc stable

------- Comment #8 From Markus Rothe 2006-01-18 08:55:52 0000 ------- 
stable on ppc64

------- Comment #9 From Gustavo Zacarias (RETIRED) 2006-01-18 09:44:58 0000 ------- 
sparc stable.

------- Comment #10 From Paul Varner 2006-01-18 11:22:08 0000 ------- 
Stable on x86

------- Comment #11 From Simon Stelling (RETIRED) 2006-01-18 11:34:57 0000 ------- 
amd64 stable

------- Comment #12 From Jose Luis Rivero (yoswink) 2006-01-19 17:14:51 0000 ------- 
alpha stable. 

Sorry about the delay :(

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-01-22 15:47:41 0000 ------- 
glsa vote for this one, tend to say yes.

------- Comment #14 From Tavis Ormandy (RETIRED) 2006-01-22 17:04:21 0000 ------- 
background: only the wrapper script to make drag and drop work for KDE1 users
is affected, ie if you use antiword from command line or in KDE3, you're safe.

so, as very few users are likely to be affected, i would vote NO.

------- Comment #15 From Stefan Cornelius (RETIRED) 2006-01-22 17:09:13 0000 ------- 
Correcting my vote to a no and closing the bug as fixed with no glsa. As
always, feel free to reopen if you disagree.