Bug 66355 - sys-devel/gettext: Insecure tempfile handling
Bug#: 66355
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: lewk@gentoo.org
Component: Security
URL: http://www.securityfocus.com/advisories/7263
Summary: sys-devel/gettext: Insecure tempfile handling
Status Whiteboard: A3 [glsa] lewk
Opened: 2004-10-04 15:00 0000
Description:
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
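
An added illustration of the class of bug described above, not code from gettext, the Trustix patch, or this bug report: a script that writes to a predictable name in a shared temp directory writes through a symlink already sitting at that name, while `mktemp` refuses to reuse an existing path. The function and file names are constructed for the demo, which runs entirely inside a private sandbox directory.

```shell
#!/bin/sh
# Added illustration; not taken from gettext or the Trustix patch.
# All function and file names here are constructed for this demo.

# Insecure pattern: predictable name in a shared directory. The shell's
# ">" follows an existing symlink, so whoever created the name first
# decides which file gets truncated and written.
write_predictable() {
    # $1 = temp directory, $2 = data to write
    tmp="$1/demo-script.tmp"        # guessable (a ".$$" suffix is too)
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp creates a new file under an unpredictable
# name with O_EXCL and mode 0600, and fails instead of reusing a path.
write_mktemp() {
    # $1 = temp directory, $2 = data to write
    tmp=$(mktemp "$1/demo-script.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"            # caller receives the path and removes it
}

# Runs one writer in a private sandbox where the predictable name already
# exists as a symlink to a "victim" file, then prints the victim's content.
demo() {
    # $1 = name of the writer function to exercise
    box=$(mktemp -d) || return 1
    printf 'important\n' > "$box/victim"
    ln -s "$box/victim" "$box/demo-script.tmp"
    "$1" "$box" "scratch data" > /dev/null
    cat "$box/victim"
    rm -rf "$box"
}

echo "predictable name: victim now contains '$(demo write_predictable)'"
echo "mktemp:           victim now contains '$(demo write_mktemp)'"
```

When auditing scripts for this class of bug, look for redirections into fixed or PID-based names under `/tmp` that are not preceded by `mktemp` (or `set -C` / noclobber).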

------- Comment #1 From Luke Macken (RETIRED) 2004-10-04 15:01:52 0000 -------
Created an attachment (id=41095)
gettext-0.14.1-tempfile.patch

Patch from Trustix to fix tempfile insecurities.

------- Comment #2 From Luke Macken (RETIRED) 2004-10-04 15:04:34 0000 -------
base-system guys,

please verify and apply patch if necessary.  The stable version of gettext, 0.12.1, seems to be vulnerable to this as well.

------- Comment #3 From solar 2004-10-04 21:36:23 0000 -------
The newest revision we have in portage right now is gettext-0.12.1-r1; looks
like we might want to consider a newer version altogether.
testing..

------- Comment #4 From solar 2004-10-04 21:41:07 0000 -------
Oh even better Mike Frysinger just told me he is already working on this one.

------- Comment #5 From SpanKY 2004-10-05 05:43:07 0000 -------
version bumped in cvs; everyone needs loving on this one

------- Comment #6 From Luke Macken (RETIRED) 2004-10-05 06:11:46 0000 -------
archs, please mark gettext-0.14.1 stable.

------- Comment #7 From Travis Tilley (RETIRED) 2004-10-05 08:04:17 0000 -------
stable on amd64...

------- Comment #8 From Bryan Østergaard (RETIRED) 2004-10-05 08:39:40 0000 -------
Stable on alpha.

------- Comment #9 From SpanKY 2004-10-05 15:50:22 0000 -------
arm/hppa/ia64/s390 == OUTTA SIGHT

------- Comment #10 From Gustavo Zacarias (RETIRED) 2004-10-05 18:51:55 0000 -------
I'm getting failed tests: format-java-1 and format-java-2 with bus errors.
This passed on gettext-0.12.1 so it's somewhat suspicious, did anyone test this on != sparc?

------- Comment #11 From Jochen Maes (RETIRED) 2004-10-06 01:40:29 0000 -------
stable on ppc

------- Comment #12 From Jochen Maes (RETIRED) 2004-10-06 04:52:17 0000 -------
Since I installed gettext 0.14.1 I get this error; can someone see to this?

/usr/bin/xgettext: error while loading shared libraries: libgettextlib-0.12.1.so: cannot open shared object file: No such file or directory

Put back to ~ppc until the problem is solved.

------- Comment #13 From SpanKY 2004-10-06 05:53:33 0000 -------
/usr/bin/xgettext: error while loading shared libraries:
libgettextlib-0.12.1.so: cannot open shared object file: No such file or
directory

the fix is to run revdep-rebuild :P

------- Comment #14 From Gustavo Zacarias (RETIRED) 2004-10-06 06:10:33 0000 -------
sparc stable, with conjured patch for the java tests.

------- Comment #15 From Olivier Crete 2004-10-06 07:08:21 0000 -------
well, xgettext is part of gettext.. So revdep-rebuild doesn't help much here..
Is it being built against the system installed gettext instead of the version
in its own directory? Btw, it seems to have built correctly here. 
I think 66485 is a dupe... and this one is on x86.. I'm holding it off on
stabilizing on x86 until this is sorted out.. 

------- Comment #16 From Olivier Crete 2004-10-06 16:48:12 0000 -------
*** Bug 66485 has been marked as a duplicate of this bug. ***

------- Comment #17 From SpanKY 2004-10-06 22:08:16 0000 -------
masked 0.14.1 ... i'll release a new 0.12.1-r# with the patch

------- Comment #18 From Thierry Carrez (RETIRED) 2004-10-07 01:40:04 0000 -------
Back to ebuild status, current ebuild breaks things.
NB to sec team: tempfile attacks are "3" not "4".

------- Comment #19 From SpanKY 2004-10-07 16:59:33 0000 -------
ok, i've added gettext-0.12.1-r2 to portage with the patch posted here ... one
of the hunks is not relevant to 0.12.1 since it removes code that was added to
gettext after this release

let's try stabilizing again, shall we

------- Comment #20 From Luke Macken (RETIRED) 2004-10-07 18:06:52 0000 -------
archs, please mark gettext-0.12.1-r2 stable.

------- Comment #21 From Jeremy Huddleston (RETIRED) 2004-10-07 22:02:07 0000 -------
stable x86 and amd64

------- Comment #22 From Jeremy Huddleston (RETIRED) 2004-10-07 23:08:46 0000 -------
stable on sparc

------- Comment #23 From Jochen Maes (RETIRED) 2004-10-08 02:07:56 0000 -------
stable on ppc
but QA isn't ok: The patch is bigger than 20K!!!


------- Comment #24 From Guy Martin 2004-10-08 07:34:03 0000 -------
done on hppa.

------- Comment #25 From Bryan Østergaard (RETIRED) 2004-10-09 02:37:17 0000 -------
Stable on alpha.

------- Comment #26 From SpanKY 2004-10-09 18:01:57 0000 -------
arm/ia64/s390 done

------- Comment #27 From Tom Gall 2004-10-09 19:41:58 0000 -------
stable on ppc64, thanks!

------- Comment #28 From Luke Macken (RETIRED) 2004-10-10 15:32:37 0000 -------
GLSA 200410-10

mips, please mark stable to benefit from GLSA.

------- Comment #29 From Hardave Riar (RETIRED) 2004-10-16 22:16:51 0000 -------
Stable on mips.