| Field | Value |
|---|---|
| Summary | app-text/noweb, sci-mathematics/axiom - insecure temporary file creation (CVE-2005-3342) |
| Product | Gentoo Security |
| Reporter | Carsten Lohrke (RETIRED) <carlo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | plasmaroo, text-markup+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Carsten Lohrke (RETIRED)
2006-02-13 09:58:41 UTC
From DSA 968-1: Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in noweb, a web-like literate-programming tool, creates a temporary file in an insecure fashion. Interesting to note is that there was a similar issue years ago (bug 22972). The DSA is too unspecific to say if the same problem reappeared. sci-mathematics/axiom might be affected by this as it includes its own noweb... text-markup please advise.

Created attachment 80004 [details, diff]
noweb-2.9-insecure-tmp-file.patch
I have fixed it in CVS for noweb.
The problem was much the same as the old bug, just in some new files.
I took the debian patch and extracted the difference (see the attachment) and added it to the old noweb-2.9-security.patch and bumped both the unstable and stable revision.
@plasmaroo: The attachment is for your sake, if it applies to axiom as well.
Btw. this is my first response to a security bug, so please tell me if I did anything wrong :)
Looks good to me.

Ready for GLSA vote. I tend to vote yes.

OK, let's have a GLSA.

GLSA 200602-14
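The bug class described in the report above, as an added example that is not noweb's, Debian's or Gentoo's code: a constructed snippet that builds its temporary file name from the PID, the mktemp-based form such fixes move to, and a small audit check that flags the predictable pattern in script text. The snippet contents and the `noweb.XXXXXX` template are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the noweb or Gentoo patch): predictable temp-file idiom,
# its hardened replacement, and an audit helper to spot the idiom in scripts.

# Constructed sample of the unsafe idiom: the name is predictable (/tmp + PID),
# so another local user can pre-create or symlink it before the script writes.
UNSAFE_SNIPPET='tmp=/tmp/noweb$$
echo "$1" > $tmp'

# Constructed sample of the hardened idiom: mktemp creates the file atomically
# with an unpredictable name and mode 0600; the trap removes it on exit.
SAFE_SNIPPET='tmp=$(mktemp "${TMPDIR:-/tmp}/noweb.XXXXXX") || exit 1
trap '\''rm -f "$tmp"'\'' EXIT
echo "$1" > "$tmp"'

# Audit: count lines that reference a /tmp path ($$-based or a literal name)
# and are not produced by mktemp. A non-zero count needs manual review.
count_predictable_tmp() {
    printf '%s\n' "$1" | awk '
        /mktemp/ { next }
        /\/tmp\/[A-Za-z0-9_.$-]+/ { n++ }
        END { print n + 0 }'
}

# Hardened helper a script can call: the subshell umask keeps the file 0600
# even on a platform whose mktemp is less strict. Prints the created path.
make_private_tmp() {
    (umask 077 && mktemp "${TMPDIR:-/tmp}/noweb.XXXXXX")
}

main() {
    printf 'unsafe snippet: %s suspicious line(s)\n' "$(count_predictable_tmp "$UNSAFE_SNIPPET")"
    printf 'safe snippet:   %s suspicious line(s)\n' "$(count_predictable_tmp "$SAFE_SNIPPET")"
    f=$(make_private_tmp) || exit 1
    printf 'created private temp file %s\n' "$f"
    rm -f "$f"
}

main "$@"
```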