104581 – app-admin/mon <= 0.99.2 insecure temporary file creation

Bug 104581 - app-admin/mon <= 0.99.2 insecure temporary file creation

Summary: app-admin/mon <= 0.99.2 insecure temporary file creation

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [?]
Keywords:

Depends on:
Blocks:

Reported:	2005-09-02 04:18 UTC by Romang
Modified:	2005-09-13 04:25 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Romang 2005-09-02 04:18:16 UTC

Hello,

In alert.d/test.alert :

echo "`date` $*" >> /tmp/test.alert.log

I don't think this file is used but still in the package.

Regards.

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev

2005-09-02 04:46:44 UTC

Yes, the documentation doesnt mention it, I assume it's purely for debugging, 
nevertheless it is installed by the ebuild, so moving to Vulnerabilities.

Comment 2 Tavis Ormandy (RETIRED) gentoo-dev

2005-09-02 05:11:29 UTC

Yes, obvious bug.

He doesnt need a temp file to do that, popen returns a stream anyway, suggested 
quick fix attached.

Comment 3 Tavis Ormandy (RETIRED) gentoo-dev

2005-09-02 05:11:59 UTC

oops wrong bug, disregard comment #2

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-09-03 02:42:42 UTC

Let us know when upstream is aware.

Comment 5 Romang 2005-09-05 01:18:02 UTC

Hello,

Email send to trockij@linux.kernel.org

Regards.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-09-07 07:38:23 UTC

Apparently everyone agrees this one is insignificant. Should we close it ?

Comment 7 Romang 2005-09-13 02:39:54 UTC

Hello,

Yes could be closed ;)

Regards.

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2005-09-13 04:25:56 UTC

Closed.