Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 197306 (CVE-2007-0237) - app-emacs/lookup insecure temp file creation (CVE-2007-0237)
Summary: app-emacs/lookup insecure temp file creation (CVE-2007-0237)
Status: RESOLVED FIXED
Alias: CVE-2007-0237
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-28 16:20 UTC by Ulrich Müller
Modified: 2011-01-18 11:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2007-10-28 16:20:25 UTC 
<app-emacs/lookup-1.4.1 suffer from insecure creation of temporary files:

"Tatsuya Kinoshita discovered that Lookup, a search interface to electronic dictionaries on emacsen, creates a temporary file in an insecure fashion when the ndeb-binary feature is used, which allows a local attacker to craft a symlink attack to overwrite arbitrary files."

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0237
http://www.debian.org/security/2007/dsa-1269
Comment 1 Ulrich Müller gentoo-dev 2007-10-28 16:31:10 UTC 
Fixed in 1.4.1.
x86, please stabilise.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-30 09:27:40 UTC 
x86 stable
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-30 09:29:42 UTC 
app-emacs/tramp had a similar problem (bug 194713) and was rated B3, too.  GLSA vote now open.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-30 14:02:33 UTC 
I tend to vote YES.
Comment 5 Ulrich Müller gentoo-dev 2007-10-30 21:55:04 UTC 
Vulnerable revisions 1.4 and 1.4-r1 have been removed.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-19 22:01:06 UTC 
yes too, request filed.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-09 21:41:03 UTC 
GLSA 200712-07