Summary: | app-portage/mirrorselect: Insecure tempfile creation
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
Version: | unspecified
Hardware: | All
OS: | All
Whiteboard: | A3 [glsa] lewk
Reporter: | Ervin Németh <ervin.nemeth+org.gentoo.bugs>
Assignee: | Gentoo Security <security>
CC: | genone, johnm, tools-portage
Runtime testing required: | ---

Description
Ervin Németh
2004-12-06 04:03:29 UTC
Created attachment 45372
mirrorselect fix
Here is a small patch, containing the fix, and various enhancements:
* SECURITY FIX: when using the "-b" switch, split is creating files in the temporary directory in an unsecure manner
* SECURITY FIX: make the script exit if "mktemp" fails
* new switch: "-TX" to allow the user to set the network timeout for wget
* clean up temporary files/directories even if mirrorselect is interrupted by the user
* fixed progress percentage with "-b" switch
* the logic is rewritten how /etc/make.conf is updated: don't touch it until everything seems to be o.k.
Re-assigning to security. tools-portage, please verify.
Thanks Ervin. 0.89 is in portage for your pleasure.
GLSA drafted. Security, please review.
GLSA 200412-05 Thanks Ervin! Keep up the good work.
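The two security fixes and the cleanup item listed in the description (keep split's output out of the shared temporary directory, stop if mktemp fails, remove temporary files even when interrupted) can be sketched as follows. This is an added example, not the attached patch or mirrorselect's own code; the function name `process_in_blocks`, the `blocks.` prefix and the sample host names are assumptions.

```shell
#!/bin/sh
# Added example, not mirrorselect's code; process_in_blocks is a hypothetical name.
#
# Weak pattern (illustrative): fixed prefix in a shared, world-writable
# directory, where another local user can pre-create or symlink the names:
#   split -l "$n" hosts.txt /tmp/blocks.
#
# Hardened pattern: private mktemp directory, abort on failure,
# cleanup on every exit path.

# process_in_blocks <hostlist> <lines-per-block>
# Prints the number of blocks created. Returns non-zero if no private
# work directory could be created or if split failed.
process_in_blocks() (
    umask 077    # block files are readable by the owner only
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/blocks.XXXXXXXXXX") || {
        echo "mktemp failed; refusing to fall back to a fixed path" >&2
        exit 1
    }
    # Remove the directory on normal exit and when the user interrupts.
    trap 'rm -rf -- "$workdir"' EXIT
    trap 'exit 130' INT TERM HUP

    # split writes only inside the directory mktemp created with mode 0700.
    split -l "$2" -- "$1" "$workdir/block." || exit 1

    count=0
    for f in "$workdir"/block.*; do
        # An empty host list leaves the glob unexpanded; skip that case.
        if [ -f "$f" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
)

# Constructed sample input: five placeholder mirror host names.
sample=$(mktemp) || exit 1
printf '%s\n' mirror1.example mirror2.example mirror3.example \
    mirror4.example mirror5.example > "$sample"
process_in_blocks "$sample" 2    # prints 3
rm -f -- "$sample"
```

The function body runs in a subshell, so the umask change and the traps do not leak into the calling script.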