Bug#: 66370
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>
Attachment: netatalk-1.6.4-tempfile.patch (patch, 557 bytes), added by Luke Macken (RETIRED) on 2004-10-04 17:01 0000
Description:   Opened: 2004-10-04 17:01 0000
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
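
The bug class the advisory describes, shown in a hypothetical maintenance script as an added example. This is not the Trustix patch (whose contents are not shown on this page) and not netatalk code; all paths, file names and the audit grep are constructed for the demonstration. The unsafe function builds a temp-file name from the PID alone and opens it with a plain redirection, which follows a symlink a local user has planted in advance; the fixed function uses mktemp(1), which creates a fresh 0600 file with O_EXCL and aborts rather than reuse anything already at that name.

```shell
# Added example, not the netatalk patch: predictable temp-file naming beside
# the mktemp(1) fix, plus an attacker simulation and a crude audit check.
# Everything below is constructed for illustration.

TMP="${TMPDIR:-/tmp}"

# Vulnerable pattern: guessable name (PID only) written via redirection.
# A symlink pre-placed at $TMP/demo.<pid> is followed, so the write lands on
# the link target with the privileges of whoever runs the script.
unsafe_tmp() {
    t="$TMP/demo.$$"
    echo "scratch data" > "$t"
    printf '%s\n' "$t"
}

# Fixed pattern: mktemp creates a new file with a random suffix using
# O_CREAT|O_EXCL and mode 0600. A planted link or file at that name cannot be
# reused, and on failure the script stops instead of falling back.
safe_tmp() {
    t=$(mktemp "$TMP/demo.XXXXXX") || return 1
    echo "scratch data" > "$t"
    printf '%s\n' "$t"
}

# Attacker simulation (same shell, so $$ matches): plant a symlink at the
# predictable name pointing at a victim file, let unsafe_tmp run, then return
# the victim file's contents. "important" has been replaced by the script's
# scratch output.
demo_attack() {
    victim=$(mktemp "$TMP/victim.XXXXXX") || return 1
    echo "important" > "$victim"
    ln -sf "$victim" "$TMP/demo.$$"
    unsafe_tmp > /dev/null
    cat "$victim"
    rm -f "$victim" "$TMP/demo.$$"
}

# Permission string of a path, e.g. -rw------- (portable; avoids stat -c).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Audit heuristic: list lines of a script that mention /tmp/ without going
# through mktemp. Catches the "/tmp/name.$$" and fixed-name patterns the
# advisory is about; review each hit by hand.
find_predictable_tmp() {
    grep -n '/tmp/' "$1" | grep -v 'mktemp' || true
}
```

To run the attack simulation by hand, call `demo_attack`; it prints `scratch data`, the victim file having been overwritten through the planted link. In a real script, pair `mktemp` with `trap 'rm -f "$t"' EXIT` so the file is removed on every exit path, and use `mktemp -d` when several scratch files are needed.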

------- Comment #1 From Luke Macken (RETIRED) 2004-10-04 17:01:33 0000 -------
Created an attachment (id=41111) [details]
netatalk-1.6.4-tempfile.patch

Trustix patch to fix insecure tempfile handling

------- Comment #2 From Luke Macken (RETIRED) 2004-10-04 17:02:38 0000 -------
net-fs herd,

please verify and apply patch. thanks!

------- Comment #3 From solar 2004-10-09 08:18:21 0000 -------
Today is the 5th day this bug has been open without a comment from net-fs.
I'm bumping this one for them in a few mins.

------- Comment #4 From solar 2004-10-09 08:26:56 0000 -------
*netatalk-1.6.4-r1 (09 Oct 2004)

  09 Oct 2004; <solar@gentoo.org> +files/netatalk-1.6.4-tempfile.patch,
  +netatalk-1.6.4-r1.ebuild:
  security bump. Insecure tempfile handling bug 66370

KEYWORDS="~x86 ~ppc ~sparc ~ppc64"

x86, ppc, ppc64 had the 1.6.1 version stable while sparc never had any 
revision stable. If all the arches can mark 1.6.1-r1 stable then
netatalk-1.5.3.1-r1, netatalk-1.6.2, netatalk-1.6.3, netatalk-1.6.4 can
and should be removed from the tree.

------- Comment #5 From Luke Macken (RETIRED) 2004-10-09 10:51:35 0000 -------
thanks for the bump solar.

archs, please mark netatalk-1.6.4-r1 stable.

------- Comment #6 From Pieter Van den Abeele 2004-10-09 11:48:29 0000 -------
done on ppc

------- Comment #7 From Jason Wever (RETIRED) 2004-10-09 14:20:47 0000 -------
Stable on sparc.

------- Comment #8 From Tom Gall 2004-10-09 20:04:25 0000 -------
stable on ppc64, thanks!

------- Comment #9 From Thierry Carrez (RETIRED) 2004-10-18 10:27:16 0000 -------
x86 : we're waiting for you to mark netatalk-1.6.4-r1 stable
GLSA is blocked by your missing KEYWORD

------- Comment #10 From Kurt Lieber 2004-10-25 05:04:48 0000 -------
marked stable on x86

------- Comment #11 From Luke Macken (RETIRED) 2004-10-25 09:11:58 0000 -------
GLSA 200410-25
