Bug 195996 - media-gfx/hugin < 0.6.1-r1 Insecure temporary file creation (CVE-2007-5200)
Bug#: 195996 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27623/
Summary: media-gfx/hugin < 0.6.1-r1 Insecure temporary file creation (CVE-2007-5200)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2007-10-15 23:14 0000
Description:
CVE-2007-5200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5200):
  hugin in SUSE openSUSE 10.2 and 10.3 allows local users to overwrite
  arbitrary files via a symlink attack on a temporary file.
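
The bug class named in the CVE description above, as an added example (not hugin's code and not the SUSE or Debian patch; the file names and function names are made up for illustration): a log writer that opens a predictable path, next to two ways of creating the file that refuse a symlink already sitting at that path.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name; fopen("w") follows a symlink planted at that
 * name and truncates whatever file it points to. */
int log_weak(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(msg, f);
    return fclose(f);
}

static int write_close(int fd, const char *msg) {
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    return (close(fd) == 0 && n == (ssize_t)strlen(msg)) ? 0 : -1;
}

/* Fixed name kept: O_CREAT|O_EXCL fails with EEXIST on any existing entry,
 * including a symlink, instead of following it. */
int log_excl(const char *path, const char *msg) {
    return write_close(open(path, O_WRONLY | O_CREAT | O_EXCL, 0600), msg);
}
/* Preferred: mkstemp() picks an unpredictable name, opens it O_EXCL, 0600. */
int log_mkstemp(char *tmpl, const char *msg) {   /* tmpl ends in "XXXXXX" */
    return write_close(mkstemp(tmpl), msg);
}

/* Constructed scenario in a private scratch directory: "victim" (15 bytes)
 * is a file the user owns, "debug.txt" the log name, already a symlink. */
long victim_size(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/debug.txt", dir);
    if (log_excl(victim, "important data\n") || symlink(victim, logp)) return -1;
    writer(logp, "dbg\n");                 /* 4 bytes, if the write lands */
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("weak=%ld excl=%ld\n", victim_size(log_weak), victim_size(log_excl));
}
```

With the weak writer the victim file shrinks to the 4 bytes of the log line; with the exclusive open it keeps its original 15 bytes and the writer reports failure.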

------- Comment #1 From Robert Buchholz 2007-10-15 23:18:48 0000 -------
This does not only affect SUSE, but seems to be an upstream problem. Attaching
patch applied by SUSE. It removes debug logging functionality, though.

Graphics, please advise and contact upstream about it. They do not have any fix
in their repository yet.

------- Comment #2 From Robert Buchholz 2007-10-15 23:19:18 0000 -------
Created an attachment (id=133580) [details]
hugin-0.6.1-optim_file.patch

------- Comment #3 From Robert Buchholz 2007-10-25 17:50:58 0000 -------
nion from Debian security created a proper patch that was included in the
upstream repository:
http://people.debian.org/~nion/nmu-diff/hugin-0.6.1-1_0.6.1-1.1.patch

------- Comment #4 From Robert Buchholz 2007-10-25 23:12:09 0000 -------
Upstream is not going to release an update to their stable 0.6 branch and the
new release is not within days. Graphics, please provide an updated ebuild with
the patch applied.

------- Comment #5 From Luca Barbato 2007-10-25 23:41:45 0000 -------
ebuild prepared

------- Comment #6 From Robert Buchholz 2007-10-25 23:55:29 0000 -------
Faster than lightning! Thanks.

Arches, please test and mark stable media-gfx/hugin-0.6.1-r1.
Target keywords : "amd64 ppc x86"

------- Comment #7 From Luca Barbato 2007-10-26 01:01:18 0000 -------
ppc stable

------- Comment #8 From Markus Meier 2007-10-26 10:16:52 0000 -------
x86 stable, luca did you forget to commit? readding ppc

------- Comment #9 From Luca Barbato 2007-10-26 16:58:08 0000 -------
done eventually

------- Comment #10 From Peter Weller 2007-11-14 07:03:44 0000 -------
amd64 done, closing

------- Comment #11 From Pierre-Yves Rofes 2007-11-14 09:04:04 0000 -------
?? please let security team close security bugs.
glsa vote open. I tend to vote YES.

------- Comment #12 From Robert Buchholz 2007-11-14 17:51:29 0000 -------
Voting YES.

------- Comment #13 From Pierre-Yves Rofes 2007-11-17 23:48:11 0000 -------
glsa filed.

------- Comment #14 From Robert Buchholz 2007-11-18 16:22:41 0000 -------
As it seems, our unstable 0.7_beta4 is still vulnerable to this. Can it be
removed or updated with a more current SVN snapshot?

------- Comment #15 From Pierre-Yves Rofes 2007-11-29 22:02:53 0000 -------
(In reply to comment #14)
> As it seems, our unstable 0.7_beta4 is still vulnerable to this. Can it be
> removed or updated with a more current SVN snapshot?
> 

*ping*

------- Comment #16 From Markus Meier 2007-12-03 16:41:30 0000 -------
(In reply to comment #14)
> As it seems, our unstable 0.7_beta4 is still vulnerable to this. Can it be
> removed or updated with a more current SVN snapshot?

I ported the fix from 0.6 to 0.7 series (just a different line#).

------- Comment #17 From Robert Buchholz 2007-12-03 16:47:25 0000 -------
Please do not close security bugs.

------- Comment #18 From Pierre-Yves Rofes 2007-12-05 22:29:11 0000 -------
GLSA 200712-01, sorry for the delay.