Bug 201022 - app-shells/zsh < 4.3.2-r3 insecure temporary file creation (CVE-2007-6209)
Bug#: 201022 (CVE-2007-6209) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: py@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-shells/zsh < 4.3.2-r3 insecure temporary file creation (CVE-2007-6209)
Keywords:  
Status Whiteboard: B3 [noglsa]
Opened: 2007-12-02 21:02 0000
Description:   Opened: 2007-12-02 21:02 0000 
zsh provides a difflog.pl script in /usr/share/zsh/4.3.4/Util/difflog.pl which
uses insecurely created files in /tmp, same kind of issue than bug #198231.
Thanks to Elias Pipping for noticing.

------- Comment #1 From Pierre-Yves Rofes 2007-12-02 21:09:01 0000 ------- 
Mamoru, do you know if upstream is aware of this? We could modify the feynmf
patch, but having an official corrected release from upstream would probably be
better. Any opinion?

------- Comment #2 From Pierre-Yves Rofes 2007-12-02 21:47:39 0000 ------- 
(In reply to comment #1)
> Mamoru, do you know if upstream is aware of this? We could modify the feynmf
> patch, but having an official corrected release from upstream would probably be
> better. Any opinion?
> 

actually cc'ing maintainer :)

------- Comment #3 From Torsten Veller 2007-12-03 18:09:55 0000 ------- 
usata announced his retirement recently.

zsh devs are aware of the issue:
http://www.zsh.org/mla/workers/2007/msg01060.html and follow ups (especially
<http://www.zsh.org/mla/workers/2007/msg01065.html>)

------- Comment #4 From Robert Buchholz 2007-12-03 23:57:20 0000 ------- 
Since the decision is going to be not to distribute that file, it should be
removed from the ebuild.

Anyone in cc on this bug willing to maintain this baby? If not, we should ask
the dev community.

------- Comment #5 From Torsten Veller 2007-12-04 16:19:37 0000 ------- 
I've just added two new ebuilds without difflog.pl (4.3.2-r3 and 4.3.4-r1).
(BTW upstream has fixed the issue in their repo.)

=app-shells/zsh-4.3.2-r3 should be stabilized again. Removing difflog.pl is the
only substantial change.

------- Comment #6 From Robert Buchholz 2007-12-04 17:53:23 0000 ------- 
Arches, please test and mark stable app-shells/zsh-4.3.2-r3.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #7 From Tobias Scherbaum 2007-12-04 20:17:03 0000 ------- 
ppc stable

------- Comment #8 From Christian Faulhammer 2007-12-04 20:19:40 0000 ------- 
x86 stable

------- Comment #9 From Markus Rothe 2007-12-04 21:07:49 0000 ------- 
ppc64 stable

------- Comment #10 From Jeroen Roovers 2007-12-05 00:41:39 0000 ------- 
Stable for HPPA.

------- Comment #11 From Raúl Porcel 2007-12-05 11:19:04 0000 ------- 
alpha/ia64/sparc stable

------- Comment #12 From Steve Dibb 2007-12-06 05:07:04 0000 ------- 
amd64 stable

------- Comment #13 From Pierre-Yves Rofes 2007-12-08 23:36:58 0000 ------- 
voting time. I tend to vote No since the script usage seems to be extremely
unlikely, according to the zsh ml.

------- Comment #14 From Robert Buchholz 2007-12-09 01:28:43 0000 ------- 
voting NO, too. closing.

------- Comment #15 From Peter Volkov 2008-03-06 09:55:25 0000 ------- 
Does not affect current (2008.0) release. Removing release.