Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 54890
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Aron Griffis (RETIRED) <agriffis@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 54890 depends on: Show dependency tree
Bug 54890 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-06-23 07:39 0000 
Bug 22483 describes a security issue with tempfile creation in znew and gzexe. 
That problem was theoretically fixed and a glsa sent out.

However the patch doesn't check the exit status of the tempfile command.  If
tempfile should fail, then it's possible for a rogue command to be executed a
few lines later in the script.

I've fixed the patch and bumped the stable rev to 1.3.3-r3 to carry out the
change.  At this point we just need a GLSA.  Somebody from security mind
handling that?

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-06-23 11:18:17 0000 ------- 
GLSA drafted

------- Comment #2 From Sune Kloppenborg Jeppesen 2004-06-24 06:52:52 0000 ------- 
GLSA updated with unaffected version -r4 and better description. Security
please review.

Note: Changelog is not updated with new -r4

------- Comment #3 From Kurt Lieber 2004-06-24 08:14:46 0000 ------- 
glsa 200406-18

------- Comment #4 From Aron Griffis (RETIRED) 2004-06-24 12:16:43 0000 ------- 
> Note: Changelog is not updated with new -r4

That was a ChangeLog error: it said -r3 instead of -r4.  I just fixed it now.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug