Bug#: 66359
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>
Attachment: kerberos5-1.3.4-tempfile.patch (patch, Luke Macken (RETIRED), 2004-10-04 15:30, 1.35 KB)

Description:   Opened: 2004-10-04 15:29 0000
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
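The attack class the advisory describes, as an added example that is not part of the bug report, the Trustix patch or the krb5 sources: a script builds a temp file name from a fixed prefix plus the PID, a local attacker predicts that name and drops a symlink there, and the script's redirect follows the link and overwrites whatever the invoking user (ideally root, from the attacker's point of view) can write. The second function shows the generic fix with mktemp(1), which creates the file itself with O_CREAT|O_EXCL and an unpredictable suffix. Everything runs inside a scratch directory that stands in for /tmp; the script, file and PID values are constructed for the demo, and the attached patch is not reproduced on this page, so this is the pattern, not its exact diff.

```shell
#!/bin/sh
# Added example: predictable-tempfile symlink attack vs. the mktemp fix.
# SANDBOX stands in for /tmp; VICTIM is a file the script's invoker owns.
SANDBOX=$(mktemp -d)
VICTIM="$SANDBOX/victim.conf"
trap 'rm -rf "$SANDBOX"' EXIT

# Vulnerable pattern (what the advisory is about): the name is guessable
# and '>' follows a symlink that already sits at that path.
# $1 plays the role of $$, which a local user can watch for or brute-force.
vulnerable_script() {
    tmp="$SANDBOX/krb5.$1"
    echo "temporary data" > "$tmp"   # no O_EXCL, no check that we created it
    rm -f "$tmp"                     # removes the link, not the victim
}

# The local attacker races ahead of the script and plants the link.
attacker_plant_symlink() {
    ln -s "$VICTIM" "$SANDBOX/krb5.$1"
}

# Fixed pattern: let mktemp create the file (O_CREAT|O_EXCL, random suffix).
# A pre-planted path makes mktemp fail instead of being followed.
fixed_script() {
    tmp=$(mktemp "$SANDBOX/krb5.XXXXXX") || return 1
    echo "temporary data" > "$tmp"
    rm -f "$tmp"
}

# True when the victim file still holds its original content.
victim_intact() {
    [ "$(cat "$VICTIM")" = "keep me" ]
}

# Returns 1: the attacker's link was followed and the victim overwritten.
demo_vulnerable() {
    printf 'keep me\n' > "$VICTIM"
    attacker_plant_symlink 4242
    vulnerable_script 4242
    victim_intact
}

# Returns 0: the attacker cannot predict the name, and even a lucky guess
# would only make mktemp fail, so the victim is untouched.
demo_fixed() {
    printf 'keep me\n' > "$VICTIM"
    fixed_script
    victim_intact
}

# Usage when run directly: report what each pattern did to the victim file.
demo_vulnerable && echo "vulnerable: victim intact" || echo "vulnerable: victim overwritten"
demo_fixed && echo "fixed: victim intact" || echo "fixed: victim overwritten"
```

On systems of the era without mktemp(1), the same property can be had with a per-user directory created by `mkdir` (which also fails rather than follows an existing path), but the essential point is the same: the script, not the attacker, must be the one that creates the file, and it must refuse to proceed if the path already exists.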

------- Comment #1 From Luke Macken (RETIRED) 2004-10-04 15:30:52 0000 -------
Created an attachment (id=41098) [details]
kerberos5-1.3.4-tempfile.patch

Trustix patch to fix insecure tempfile handling

------- Comment #2 From Luke Macken (RETIRED) 2004-10-04 15:31:55 0000 -------
aliz/rphillips,

please verify and apply patch if necessary.

------- Comment #3 From Ryan Phillips (RETIRED) 2004-10-14 15:33:10 0000 -------
Reference: http://www.securityfocus.com/advisories/7263

The patch applies cleanly to 1.3.4 and 1.3.5.  1.3.4-r1 needs to be tested on all arches, but 1.3.5-r1 has been created also and should remain unstable.

------- Comment #4 From Luke Macken (RETIRED) 2004-10-14 17:07:57 0000 -------
archs, please mark mit-krb5-1.3.4-r1 stable.

------- Comment #5 From Jochen Maes (RETIRED) 2004-10-15 03:12:40 0000 -------
stable on ppc

------- Comment #6 From Bryan Østergaard (RETIRED) 2004-10-15 03:47:18 0000 -------
Stable on alpha.

------- Comment #7 From Jason Wever (RETIRED) 2004-10-15 07:30:57 0000 -------
Stable on sparc.

------- Comment #8 From Danny van Dyk (RETIRED) 2004-10-16 07:21:41 0000 -------
stable on amd64.

------- Comment #9 From Hardave Riar (RETIRED) 2004-10-16 15:04:50 0000 -------
Stable on mips.

------- Comment #10 From Akinori Hattori 2004-10-17 05:54:46 0000 -------
Stable on ia64.

------- Comment #11 From Tom Gall 2004-10-18 21:22:41 0000 -------
stable on ppc64

------- Comment #12 From Thierry Carrez (RETIRED) 2004-10-19 00:47:18 0000 -------
GLSA blocked by missing x86 keyword... Could maintainer or x86 arch test and mark stable?

------- Comment #13 From Guy Martin 2004-10-20 04:55:42 0000 -------
Done on hppa.

------- Comment #14 From Thierry Carrez (RETIRED) 2004-10-25 06:22:46 0000 -------
klieber marked stable on x86.
arm and s390 should mark stable to benefit from GLSA.

GLSA 200410-24
