Bug#: 79725
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sascha Silbe <sascha-gentoo-bugzilla@silbe.org>
Description:   Opened: 2005-01-27 07:18 0000
Debian Security Advisory

DSA-661-1 f2c -- insecure temporary files

Date Reported:
    27 Jan 2005
Affected Packages:
    f2c
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CAN-2005-0017, CAN-2005-0018.
More information:

    Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that f2c and fc, which are both part of the f2c
    package, a Fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack. The Common
    Vulnerabilities and Exposures project identifies the following vulnerabilities:

      - CAN-2005-0017

        Multiple insecure temporary files in the f2c translator.

      - CAN-2005-0018

        Two insecure temporary files in the f2 shell script.

    For the stable distribution (woody) these problems have been fixed in version 20010821-3.1.

    For the unstable distribution (sid) these problems will be fixed soon.

    We recommend that you upgrade your f2c package.



Reproducible: Always
Steps to Reproduce:
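
The advisory above names the bug class (a temporary file at a guessable path, opened in a way that follows whatever already sits there) without showing it. The following C program is an added illustration written for this page; it is not code from f2c, fc, Debian or Gentoo. It contrasts the fopen("w")-style open with an O_CREAT|O_EXCL open and with mkstemp(), and adds the post-creation check a hardened program can run. The file name template f2c_example.XXXXXX and the function names are assumptions chosen for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a guessable name opened the way
 * fopen(path, "w") opens it, i.e. O_CREAT|O_TRUNC without O_EXCL. open()
 * follows symlinks, so an existing link at this path would be written
 * through. Kept here only to contrast with the safe variants below. */
int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Safe variant on a caller-chosen name: with O_CREAT|O_EXCL, open() fails
 * with EEXIST if anything (regular file or symlink) already sits at the
 * path, and mode 0600 keeps the file private to the creating user. */
int open_tmp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred approach: let mkstemp() pick an unpredictable name and open it
 * with O_CREAT|O_EXCL|O_RDWR and mode 0600 in one step. The template name
 * is hypothetical, chosen for this example. Writes the resulting path into
 * `path` and returns the open descriptor, or -1 on failure. */
int make_secure_tmpfile(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, len, "%s/f2c_example.XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);
}

/* Post-creation check: the open descriptor must refer to a regular file
 * owned by the effective user, with no group/other permission bits, and to
 * the same inode lstat() sees at the path (so the path is neither a symlink
 * nor swapped underneath us). Returns 1 when all checks pass, else 0. */
int tmpfile_is_private(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || !S_ISREG(ls.st_mode))
        return 0;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino)
        return 0;
    if (fs.st_uid != geteuid())
        return 0;
    if (fs.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* Walks through the contrast on a file created by mkstemp(). Returns 0 when
 * every expectation holds, otherwise a small code naming the failed step. */
int run_demo(void)
{
    char path[4096];
    int rc = 0;
    int fd = make_secure_tmpfile(path, sizeof path);
    if (fd < 0)
        return 1;
    if (!tmpfile_is_private(fd, path))
        rc = 2;
    /* A second exclusive create on the same name must be refused ... */
    int fd2 = open_tmp_secure(path);
    if (fd2 >= 0 || errno != EEXIST) {
        if (rc == 0) rc = 3;
        if (fd2 >= 0) close(fd2);
    }
    /* ... while the fopen("w")-style open silently succeeds and truncates
     * whatever is at the path, which is why a pre-planted path is dangerous
     * for programs that open temporary files this way. */
    int fd3 = open_tmp_insecure(path);
    if (fd3 < 0) {
        if (rc == 0) rc = 4;
    } else {
        close(fd3);
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("temporary file demo: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The demo never stages a symlink; it only shows that the exclusive create refuses an existing path while the truncating open does not, which is the whole difference the advisory's fix relies on. In a shell script such as fc, the equivalent is to replace hand-built `$$`-based names with `mktemp`, which performs the same exclusive create.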

------- Comment #1 From Thierry Carrez (RETIRED) 2005-01-27 07:22:05 0000 -------
Danny, please commit the ebuild to portage.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-01-27 07:23:28 0000 -------
*** Bug 77570 has been marked as a duplicate of this bug. ***

------- Comment #3 From Danny van Dyk (RETIRED) 2005-01-27 08:24:21 0000 -------
Ebuild committed and already marked stable on amd64, x86 and ppc.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-01-27 08:35:56 0000 -------
sparc/Ferris: please confirm now that the ebuild is in cvs
ppc64: please test and mark stable

------- Comment #5 From Ferris McCormick 2005-01-27 08:50:11 0000 -------
Stable for sparc.  Tests OK.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-01-28 02:31:15 0000 -------
GLSA vote... I don't see root using f2c that often, so I've mixed feelings.

------- Comment #7 From Sascha Silbe 2005-01-28 03:29:10 0000 -------
I remember some package using it for compiling its Fortran sources. Probably
was one of the dependencies of sci-geosciences/grass.

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-01-28 06:40:31 0000 -------
I vote for no GLSA on this one. Last time I checked BASC there were no installs
at all.

------- Comment #9 From Sascha Silbe 2005-01-28 06:51:53 0000 -------
What is BASC? How do you know nobody has installed f2c?

root@caravan:~# grep f2c /var/log/emerge.log |grep completed
1100311820:  ::: completed emerge (1 of 8) dev-libs/libf2c-20021004-r1 to /
1100311875:  ::: completed emerge (2 of 8) dev-lang/f2c-20030320 to /
root@caravan:~# 

I've recently switched over to gcc's Fortran compiler, but how can you be sure everybody else has?


------- Comment #10 From Philippe Trottier (RETIRED) 2005-01-28 07:20:05 0000 -------
Many scientists do use f2c even today because of very old and well working code
from the 60's !!!

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-01-28 07:22:18 0000 -------
BASC aka http://www.gentoo-stats.org/

Actually some systems use it now. Security please cast your vote.

------- Comment #12 From Donnie Berkholz 2005-01-28 08:05:42 0000 -------
f2c is commonly used by root when compiling some fortran packages in app-sci
that require it (e.g., ghemical) or optionally using it for fortran source
(anything in fortran, basically, can use f2c + cc instead of g77 or whatever
else).

Speaking of, is this vulnerability also present in libf2c?

------- Comment #13 From Thierry Carrez (RETIRED) 2005-01-28 08:42:07 0000 -------
I tend to vote YES on tmpfile vuln in packages that must/makesense being used
by root, and ebuilds may even automate the task, so I vote YES.

------- Comment #14 From Danny van Dyk (RETIRED) 2005-01-28 08:52:20 0000 -------
I vote for a GLSA, too.

------- Comment #15 From Sune Kloppenborg Jeppesen 2005-01-28 08:54:55 0000 -------
OK, good arguments. 

------- Comment #16 From Sune Kloppenborg Jeppesen 2005-01-28 09:05:51 0000 -------
wrt libf2c it does not seem to include f2c and fc. However I'm no f2c expert.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-01-29 01:32:00 0000 -------
This still needs ppc64 stable marking.

------- Comment #18 From Markus Rothe 2005-01-29 02:07:49 0000 -------
Sorry, bug #79884 prevents me from marking stable. New f2c itself seems to be
stable.  Markus

------- Comment #19 From Thierry Carrez (RETIRED) 2005-01-29 02:57:49 0000 -------
We need the keyword in.
Danny: could you put "ppc64" in KEYWORDS for corsair ? Would do it but I still need to get commit access :)

------- Comment #20 From Markus Rothe 2005-01-29 03:17:05 0000 -------
nigoro marked stable for me.

so now it is stable on ppc64

------- Comment #21 From Thierry Carrez (RETIRED) 2005-01-30 10:54:43 0000 -------
GLSA 200501-43
