The file net-im/ejabberd/files/self-cert.sh distributed with the ejabberd ebuild makes insecure use of files in /tmp. If the file /tmp/privkey.pem were to exist as a symlink prior to a cert being generated (ejabberd being installed), the overwriting of arbitrary files on the filesystem would be possible. Please first create this file with either the tempfile or mktemp commands.
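The fix requested in the report above, sketched as an added example (not the ebuild's self-cert.sh and not ejabberd's own code): scratch files go into a private directory created by mktemp instead of a predictable /tmp/privkey.pem. The function names, the `selfcert.` prefix and the placeholder key text are assumptions made for illustration, and the destination is assumed to sit in a directory only root can write to.

```shell
#!/bin/sh
# Added example: hardened scratch-file handling for a cert-generation script.
# All function names are hypothetical; the key material is a constructed placeholder.

# Create a private scratch directory with an unpredictable name.
# mktemp -d creates the directory itself (mode 0700) and fails if the name
# is already taken, so nothing planted in /tmp beforehand is reused.
make_scratch() {
    base=${1:-${TMPDIR:-/tmp}}
    (umask 077 && mktemp -d "$base/selfcert.XXXXXXXXXX")
}

# Write stdin to $1 with mode 0600. With noclobber (set -C) the redirection
# fails instead of truncating when $1 already resolves to an existing regular
# file, which includes a symlink pointing at one.
write_new() {
    (set -C; umask 077; cat > "$1") 2>/dev/null
}

# Generate the key inside the scratch directory, move it to its destination,
# and remove the scratch directory whether or not generation succeeded.
generate_key() {
    dest=$1
    scratch=$(make_scratch "$2") || return 1
    rc=1
    # Stand-in for the real key generation step of the script.
    if printf 'CONSTRUCTED PLACEHOLDER KEY\n' | write_new "$scratch/privkey.pem" &&
       mv "$scratch/privkey.pem" "$dest"; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}
```
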
net-im please advise.
See http://secunia.com/advisories/24075/ net-im or humpback, please advise: 1.1.3 fixes this unspecified issue, + patch needed for the /tmp thing. Thanks in advance.
*** Bug 168597 has been marked as a duplicate of this bug. ***
I am incorrectly listed as maintainer.
Bumped to version 1.1.3, x86 please test and stable. There are problems with the init script, but these seem to be known (as described in http://gentoo-wiki.com/Ejabberd), can't be bothered to fix them during a security bump. The /tmp stuff should be fixed, as we use a new version of the script which does not use temporary stuff. The unknown vulnerability looks like an SQL injection.
(In reply to comment #5)
> there are problems with the init script, but these seem to be known (as
> described in http://gentoo-wiki.com/Ejabberd), can't be bothered to fix them
> during a security bump.

The path to the beam binary was hardcoded to a moving target. Every erlang version changes the path name due to version bumps, but some time ago I added a symlink to erlang's ebuild to have it in /usr/bin/. Initscript has been adjusted and also a useless dodoc entry removed. x86 stable.
glsa vote ... given that only x86 was stable and that I expect only very few installations, I tend to say no here
kinda tending to vote yes
ejabberd? I would say it's probably used on a few boxes... But I would say "no" too because of the lower impact + the low number of installations. The temp issue can only be triggered during emerge. The second issue is "unspecified".
I agree with Falco and Dercorny, it's a marginal software, so I tend to vote no.
closing without glsa then
*** Bug 182159 has been marked as a duplicate of this bug. ***