Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 66370

Summary: net-fs/netatalk: Insecure tempfile handling
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-fs, x86
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.securityfocus.com/advisories/7263
Whiteboard: B3 [stable+ x86] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
netatalk-1.6.4-tempfile.patch none

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:01:07 UTC 
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:01:33 UTC 
Created attachment 41111 [details, diff]
netatalk-1.6.4-tempfile.patch

Trustix patch to fix insecure tempfile handling
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:02:38 UTC 
net-fs herd,

please verify and apply patch. thanks!
Comment 3 solar (RETIRED) gentoo-dev 2004-10-09 08:18:21 UTC 
Today is the 5th day this bug has been open without a comment from net-fs. 
I'm bumpping this one for them in a few mins.
Comment 4 solar (RETIRED) gentoo-dev 2004-10-09 08:26:56 UTC 
*netatalk-1.6.4-r1 (09 Oct 2004)

  09 Oct 2004; <solar@gentoo.org> +files/netatalk-1.6.4-tempfile.patch,
  +netatalk-1.6.4-r1.ebuild:
  security bump. Insecure tempfile handling bug 66370

KEYWORDS="~x86 ~ppc ~sparc ~ppc64"

x86, ppc, ppc64 had the 1.6.1 version stable while sparc never had any 
revision stable. If all the arches can mark 1.6.1-r1 stable then
netatalk-1.5.3.1-r1, netatalk-1.6.2, netatalk-1.6.3, netatalk-1.6.4 can
and should be removed from the tree.
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-10-09 10:51:35 UTC 
thanks for the bump solar.

archs, please mark netatalk-1.6.4-r1 stable.
Comment 6 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-10-09 11:48:29 UTC 
done on ppc
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-10-09 14:20:47 UTC 
Stable on sparc.
Comment 8 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:04:25 UTC 
stable on ppc64, thanks!
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 10:27:16 UTC 
x86 : we're waiting for you to mark netatalk-1.6.4-r1 stable
GLSA is blocked by your missing KEYWORD
Comment 10 Kurt Lieber (RETIRED) gentoo-dev 2004-10-25 05:04:48 UTC 
marked stable on x86
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-10-25 09:11:58 UTC 
GLSA 200410-25