Bug 66357 - app-text/ghostscript: Insecure tempfile handling
Bug#: 66357
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: lewk@gentoo.org
Component: Security
URL: http://www.securityfocus.com/advisories/7263
Summary: app-text/ghostscript: Insecure tempfile handling
Keywords:
Status Whiteboard: A3 [glsa] lewk
Opened: 2004-10-04 15:08 0000

Problem description:
Trustix Security Engineers identified that all these packages had one or
more script(s) that handled temporary files in an insecure manner. While
it is not believed that any of these holes could lead to privilege
escalation, it would be possible to trick the scripts to overwrite data
writable by the user that invokes the script.
These problems can only be exploited by local users, and they would have to
wait for someone else, preferably root, to run the vulnerable scripts.

printing herd,
please verify and apply patch if necessary.

added ghostscript-7.07.1-r7 to portage, but there is still ghostscript-7.05.6
which is required for ppc, see bug #49227, it may be vulnerable as well, but
the patch does not apply there

archs, please mark ghostscript-7.07.1-r7 stable.

We'll need a patch that would apply to a ppc-compatible version of ghostscript
(7.05.06) to fix it for ppc as well. Back to ebuild status to solve the ppc
case.

stable on ppc64, thanks!
(The comments about ppc leave me somewhat stunned... if the 7.07.1-r7 version works just fine with ppc64, so should ppc, least so I would think unless there is some bug I just haven't hit yet waiting out there in the weeds for some poor unsuspecting ppc64 user)

printing herd,
please apply tempfile patch to 7.05.6 for ppc.

This can't be at GLSA status: still waiting for printing herd to apply
tempfile patch to a ppc-supported version... like 7.05.6-r2.

added gs-7.05.6-r2 for ppc

ppc, please mark ghostscript-7.05.6-r2 stable.