Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts.
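The pattern behind this class of bug and the hardened replacement a script author would use, as an added example (not taken from the Trustix patch or from netatalk itself): the `netatalk-conv` prefix and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Contrast: the pattern behind this class of bug. A predictable name in a
# shared, world-writable directory, written with plain redirection, lets a
# local user who pre-places a file there decide what the script overwrites.
# Kept only for comparison; never use it.
insecure_tmp_path() {
    echo "/tmp/netatalk-conv.$$"   # PID is guessable and nothing is created atomically
}

# Hardened: mktemp creates the file itself (O_EXCL, mode 0600, random
# suffix) under TMPDIR, so a pre-placed file or symlink makes it fail
# instead of being followed. The prefix is an assumed name for the demo.
make_tmp() {
    mktemp "${TMPDIR:-/tmp}/netatalk-conv.XXXXXX" || return 1
}

# Defensive check a script can run before writing: the path must be a
# regular file (not a symlink) that we own, with mode exactly 0600.
tmp_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

# Run a command with a safe temp file in $TMP, removing it on exit or
# signal so no stale file is left for reuse. Usage:
#   with_tmpfile sh -c 'sort "$src" > "$TMP" && mv "$TMP" "$dst"'
with_tmpfile() {
    TMP=$(make_tmp) || return 1
    export TMP
    tmp_is_safe "$TMP" || { rm -f "$TMP"; return 1; }
    trap 'rm -f "$TMP"' EXIT INT TERM HUP
    "$@"
    rc=$?
    rm -f "$TMP"; trap - EXIT INT TERM HUP
    return "$rc"
}
```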
Created attachment 41111 netatalk-1.6.4-tempfile.patch Trustix patch to fix insecure tempfile handling
net-fs herd, please verify and apply patch. thanks!
Today is the 5th day this bug has been open without a comment from net-fs. I'm bumping this one for them in a few mins.
*netatalk-1.6.4-r1 (09 Oct 2004)

  09 Oct 2004; <solar@gentoo.org> +files/netatalk-1.6.4-tempfile.patch,
  +netatalk-1.6.4-r1.ebuild:
  security bump. Insecure tempfile handling bug 66370

KEYWORDS="~x86 ~ppc ~sparc ~ppc64"

x86, ppc, ppc64 had the 1.6.1 version stable while sparc never had any revision stable. If all the arches can mark 1.6.1-r1 stable then netatalk-1.5.3.1-r1, netatalk-1.6.2, netatalk-1.6.3, netatalk-1.6.4 can and should be removed from the tree.
thanks for the bump solar. archs, please mark netatalk-1.6.4-r1 stable.
done on ppc
Stable on sparc.
stable on ppc64, thanks!
x86: we're waiting for you to mark netatalk-1.6.4-r1 stable. GLSA is blocked by your missing KEYWORD.
marked stable on x86
GLSA 200410-25