66359 – app-crypt/mit-krb5: Insecure tempfile handling

Bug 66359 - app-crypt/mit-krb5: Insecure tempfile handling

Summary: app-crypt/mit-krb5: Insecure tempfile handling

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	Highest minor (vote)
Assignee:	Gentoo Security

URL:	http://www.securityfocus.com/advisori...
Whiteboard:	B3 [stable+ x86] lewk
Keywords:

Depends on:
Blocks:

Reported:	2004-10-04 15:29 UTC by Luke Macken (RETIRED)
Modified:	2011-10-30 22:40 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
kerberos5-1.3.4-tempfile.patch (kerberos5-1.3.4-tempfile.patch,1.35 KB, patch) 2004-10-04 15:30 UTC, Luke Macken (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Luke Macken (RETIRED) gentoo-dev

2004-10-04 15:29:54 UTC

Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.

Comment 1 Luke Macken (RETIRED) gentoo-dev

2004-10-04 15:30:52 UTC

Created attachment 41098 [details, diff]
kerberos5-1.3.4-tempfile.patch

Trustix patch to fix insecure tempfile handling

Comment 2 Luke Macken (RETIRED) gentoo-dev

2004-10-04 15:31:55 UTC

aliz/rphillips,

please verify and apply patch if necessary.

Comment 3 Ryan Phillips (RETIRED) gentoo-dev

2004-10-14 15:33:10 UTC

Reference: http://www.securityfocus.com/advisories/7263

The patch applies cleanly to 1.3.4 and 1.3.5.  1.3.4-r1 needs to be tested on all arch's, but 1.3.5-r1 has been created also and should remain unstable.

Comment 4 Luke Macken (RETIRED) gentoo-dev

2004-10-14 17:07:57 UTC

archs, please mark mit-krb5-1.3.4-r1 stable.

Comment 5 Jochen Maes (RETIRED) gentoo-dev

2004-10-15 03:12:40 UTC

stable on ppc

Comment 6 Bryan Østergaard (RETIRED) gentoo-dev

2004-10-15 03:47:18 UTC

Stable on alpha.

Comment 7 Jason Wever (RETIRED) gentoo-dev

2004-10-15 07:30:57 UTC

Stable on sparc.

Comment 8 Danny van Dyk (RETIRED) gentoo-dev

2004-10-16 07:21:41 UTC

stable on amd64.

Comment 9 Hardave Riar (RETIRED) gentoo-dev

2004-10-16 15:04:50 UTC

Stable on mips.

Comment 10 Akinori Hattori gentoo-dev

2004-10-17 05:54:46 UTC

Stable on ia64.

Comment 11 Tom Gall (RETIRED) gentoo-dev

2004-10-18 21:22:41 UTC

stable on ppc64

Comment 12 Thierry Carrez (RETIRED) gentoo-dev

2004-10-19 00:47:18 UTC

GLSA blocked by missing x86 keyword... Could maintainer or x86 arch test and mark stable ?

Comment 13 Guy Martin (RETIRED) gentoo-dev

2004-10-20 04:55:42 UTC

Done on hppa.

Comment 14 Thierry Carrez (RETIRED) gentoo-dev

2004-10-25 06:22:46 UTC

klieber marked stable on x86.
arm and s390 should mark stable to benefit from GLSA.

GLSA 200410-24