Cleaning old security@go mails I found this one we overlooked:

-------------------------------------------------------
Date: Fri, 11 Jun 2004 17:07:48 +0100
From: Philip Kendall <pak21@srcf.ucam.org>
To: security@gentoo.org
Cc: lenin@users.sourceforge.net
Subject: Security problems with Glukalka ebuild
-------------------------------------------------------

Hi.

Firstly, I apologise for the fact that I've been sitting on this one for far too long. I hoped the author (CC'd here) would at least reply to some of my messages, but I haven't received any response whatsoever, despite various messages over the past year :-(

There are a couple of security problems with Glukalka 0.9 as packaged by Gentoo, both of which could be used to delete arbitrary files owned by the user running Glukalka if they open a specific file type.

* Use of predictable temporary filenames

This occurs when opening a .scl file (an image of a floppy disk). We then have (modified.c:18893):

    filenameN=Scl2Trd(filename, "/tmp/SCL_DiskA_Image.trd");

(and later calls with /tmp/SCL_DiskB_Image.trd etc)

If filename is '/path/foo.scl', and '/path/foo.trd' either already exists or can't be created, Scl2Trd__Convert will then unlink and reopen /tmp/SCL_DiskA_Image.trd with the obvious problems that brings.

* Race conditions

The whole floppy disk image handling code is jam packed with race conditions, mostly to do with closing and then reopening the same filename without checking it exists.

I've contacted you as Gentoo is the only distribution I can see who packages Glukalka; feel free to forward this information to anyone else who you think to be relevant. I also apologise as I don't have fixes for either of these problems, although I'll point out that they are fixed in Fuse (also packaged by Gentoo).

Cheers,

Phil
---------------------------------------------------------------
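For reference, the unlink-and-reopen pattern the report describes, next to two safer ways to create the scratch image. This is an added example, not code from Glukalka, Fuse or this bug; the function names and the scl_image_ template are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern as the report describes it: remove whatever sits at a fixed,
 * world-known path, then reopen it by name. If another local user places a
 * symlink there between unlink() and fopen(), "wb" follows it and truncates
 * the target with the caller's privileges. Kept here for contrast only. */
FILE *open_image_predictable(const char *fixed_path)
{
    unlink(fixed_path);
    return fopen(fixed_path, "wb");
}

/* Hardened: mkstemp() chooses an unpredictable name and creates it atomically
 * (O_CREAT|O_EXCL, mode 0600), so a pre-planted link is never followed.
 * Callers keep using the returned descriptor instead of reopening by name,
 * which also removes the close-then-reopen races. */
int open_image_private(char *path_out, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, len, "%s/scl_image_XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);
}

/* If a fixed name has to stay, refuse to reuse anything already present:
 * with O_CREAT|O_EXCL the open fails (EEXIST on Linux) even when the
 * existing entry is a symlink, and nothing behind the link is touched. */
int open_image_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```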
Upstream contacted.
No answer for upstream, looks like a good mask candidate. It's no-herd, so no one can be called to save it.
klieber/solar : please mask this package (+ issue mail to -dev ?)
masked. going to skip the email to dev as this is a fairly obscure app.
Thx, no mask GLSA as this is B3. Switched to enhancement state waiting for final resolution (fix or remove from tree)
Any ETA on a fix for this? Otherwise the package should be removed.
Bug was filed upstream by lewk in December without any reaction so far it seems. <http://sourceforge.net/tracker/index.php?func=detail&aid=1078428&group_id=33040&atid=406984>
Seems like as good a time as any to follow up on the toremove.
Package removed.