Bug 159543 - app-dicts/stardict: Insecure usage of file in /tmp.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3? [noglsa]
Reported: 2006-12-31 01:54 UTC by Vic Fryzel (shellsage) (RETIRED)
Modified: 2007-04-02 22:03 UTC

Description Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2006-12-31 01:54:16 UTC
The file stardict-config.sh makes insecure use of the file "/tmp/fonts.dir" without first checking to see if that file is a symlink.  This could allow for the overwriting of arbitrary files on the filesystem when installing stardict.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 12:32:25 UTC
app-dicts please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:43:57 UTC
app-dicts please advise.
Comment 3 Kevin F. Quinn (RETIRED) gentoo-dev 2007-03-26 06:50:18 UTC
I haven't seen anything from liquidx for a while, so I'll stick my nose in.

It seems the script is unused, legacy from the 1.x versions, which are no longer in the tree - so I've just removed it.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-26 08:10:37 UTC
Thx Kevin.

This one is ready for GLSA decision. I vote NO as the script itself seems unused/uninstalled. Please correct me if I'm wrong.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-02 22:03:50 UTC
When it's not an everyday usage (contrary to an installation script for example), I vote no. Closing, feel free to reopen if you disagree.
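
The symlink problem described in this bug, shown in a private sandbox directory beside a hardened form that uses mktemp -d. This is an added example, not stardict-config.sh (its contents are not shown on this page); the function names, the listing text and the sandbox layout are assumptions.

```shell
#!/bin/sh
# Added example: NOT the stardict-config.sh script (its contents are not on this page).
# Function names and the listing text are hypothetical; $1 stands in for /tmp.

# Pattern described in the report: a fixed, predictable name in a shared
# directory. The redirection follows a symlink already present at that name.
write_listing_unsafe() {
    printf '%s\n' "constructed font listing" > "$1/fonts.dir"
}

# Hardened form: mktemp -d creates a fresh directory with an unpredictable
# name and mode 0700, so no other user can pre-create anything inside it.
# Prints the path of the file it wrote.
write_listing_safe() {
    work=$(mktemp -d "$1/fontsdir.XXXXXX") || return 1
    printf '%s\n' "constructed font listing" > "$work/fonts.dir" || return 1
    printf '%s\n' "$work/fonts.dir"
}

# Guard for scripts that must keep a fixed name: refuse to write through a symlink.
# (Check-then-write is still racy in a shared directory; prefer mktemp.)
refuse_symlink() {
    [ ! -L "$1" ]
}

# Self-contained demonstration inside a private sandbox directory.
symlink_demo() {
    box=$(mktemp -d) || return 1
    printf 'important\n' > "$box/victim"
    ln -s "$box/victim" "$box/fonts.dir"      # constructed pre-existing link

    write_listing_unsafe "$box"
    [ "$(cat "$box/victim")" = "important" ] && u=intact || u=clobbered

    printf 'important\n' > "$box/victim"
    out=$(write_listing_safe "$box") || { rm -rf "$box"; return 1; }
    [ "$(cat "$box/victim")" = "important" ] && s=intact || s=clobbered

    refuse_symlink "$box/fonts.dir" && g=allowed || g=refused
    rm -rf "$box"
    printf 'unsafe=%s safe=%s guard=%s\n' "$u" "$s" "$g"
}

symlink_demo
```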