Bug 66370 - net-fs/netatalk: Insecure tempfile handling
Summary: net-fs/netatalk: Insecure tempfile handling
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: Highest minor
Assignee: Gentoo Security
URL: http://www.securityfocus.com/advisori...
Whiteboard: B3 [stable+ x86] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-04 17:01 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:40 UTC
2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
netatalk-1.6.4-tempfile.patch (netatalk-1.6.4-tempfile.patch,557 bytes, patch)
2004-10-04 17:01 UTC, Luke Macken (RETIRED)

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:01:07 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
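The Trustix description above names the bug class without showing it: a script writes to a temporary file whose name under /tmp another local user can predict, so whatever the script writes lands wherever a pre-existing path of that name points. The shell script below is added here as an example; it is not part of this bug report, of the netatalk sources, or of the attached Trustix patch. It puts the unsafe idiom beside the mktemp(1) form that replaces it, checks the mode of a file mktemp creates, and runs a small audit that counts /tmp references made without mktemp. The two sample scripts and the afpd-status file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this bug class (not netatalk's own scripts and not the Trustix
# patch attached to the bug): the predictable temp-file idiom the advisory describes,
# the mktemp(1) form that replaces it, and a small audit that flags the unsafe idiom
# in a script's source.  Both sample scripts are constructed for the demonstration.

# Write two constructed sample scripts into a fresh directory and print that directory.
write_samples() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/tmpaudit.XXXXXX") || return 1
    # Unsafe: the name under /tmp is predictable (PID-based) and the file is opened
    # with a plain redirection, so a path that already exists there is simply followed.
    cat > "$dir/unsafe.sh" <<'EOF'
#!/bin/sh
TMPFILE=/tmp/afpd-status.$$
ps ax > $TMPFILE
cat $TMPFILE
rm -f $TMPFILE
EOF
    # Hardened: mktemp picks an unpredictable name, creates the file with mode 0600
    # and fails rather than reusing an existing path; the trap removes it on exit.
    cat > "$dir/safe.sh" <<'EOF'
#!/bin/sh
TMPFILE=$(mktemp "${TMPDIR:-/tmp}/afpd-status.XXXXXX") || exit 1
trap 'rm -f "$TMPFILE"' EXIT
ps ax > "$TMPFILE"
cat "$TMPFILE"
EOF
    echo "$dir"
}

# Count the lines of a script that name a path under /tmp without using mktemp on
# that line; comment lines are ignored.  Prints the count (0 when nothing is found).
count_unsafe_tmp_refs() {
    grep -E '/tmp/' "$1" | grep -v '^[[:space:]]*#' | grep -vc 'mktemp' || true
}

# Create a temporary file the safe way and print its path.
make_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/afpd-status.XXXXXX"
}

# Permission string of a file (first column of ls -l), portable across GNU and BSD.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Run the audit over both samples, report the counts, and clean up.
run_audit() {
    dir=$(write_samples) || return 1
    for s in unsafe.sh safe.sh; do
        echo "$s: $(count_unsafe_tmp_refs "$dir/$s") non-mktemp reference(s) to /tmp"
    done
    rm -rf "$dir"
}

run_audit
```

The audit is a text heuristic, not a parser: it will miss a script that builds the /tmp path from variables and will flag a harmless mention, so treat its output as a list of lines to read, not as a verdict. The mode check matters because a temp file created with the caller's umask instead of mktemp's 0600 can expose whatever the script writes to other local users even when the name is not guessable.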
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:01:33 UTC
Created attachment 41111
netatalk-1.6.4-tempfile.patch

Trustix patch to fix insecure tempfile handling
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 17:02:38 UTC
net-fs herd,

please verify and apply patch. thanks!
Comment 3 solar (RETIRED) gentoo-dev 2004-10-09 08:18:21 UTC
Today is the 5th day this bug has been open without a comment from net-fs.
I'm bumping this one for them in a few mins.
Comment 4 solar (RETIRED) gentoo-dev 2004-10-09 08:26:56 UTC
*netatalk-1.6.4-r1 (09 Oct 2004)

  09 Oct 2004; <solar@gentoo.org> +files/netatalk-1.6.4-tempfile.patch,
  +netatalk-1.6.4-r1.ebuild:
  security bump. Insecure tempfile handling bug 66370

KEYWORDS="~x86 ~ppc ~sparc ~ppc64"

x86, ppc, ppc64 had the 1.6.1 version stable while sparc never had any 
revision stable. If all the arches can mark 1.6.1-r1 stable then
netatalk-1.5.3.1-r1, netatalk-1.6.2, netatalk-1.6.3, netatalk-1.6.4 can
and should be removed from the tree.
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-10-09 10:51:35 UTC
thanks for the bump solar.

archs, please mark netatalk-1.6.4-r1 stable.
Comment 6 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-10-09 11:48:29 UTC
done on ppc
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-10-09 14:20:47 UTC
Stable on sparc.
Comment 8 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:04:25 UTC
stable on ppc64, thanks!
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 10:27:16 UTC
x86 : we're waiting for you to mark netatalk-1.6.4-r1 stable
GLSA is blocked by your missing KEYWORD
Comment 10 Kurt Lieber (RETIRED) gentoo-dev 2004-10-25 05:04:48 UTC
marked stable on x86
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-10-25 09:11:58 UTC
GLSA 200410-25