235805 – app-emulation/xen-tools: audit wrt insecure temp file usage

Bug 235805 - app-emulation/xen-tools: audit wrt insecure temp file usage

Summary: app-emulation/xen-tools: audit wrt insecure temp file usage

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All All

Importance:	High normal
Assignee:	Gentoo Security

URL:	http://bugs.debian.org/496367
Whiteboard:
Keywords:

Duplicates (1):	CVE-2008-4993 (view as bug list)
Depends on:
Blocks:	debian-tempfile
	Show dependency tree

Reported:	2008-08-26 17:26 UTC by Christian Hoffmann (RETIRED)
Modified:	2008-11-08 14:10 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christian Hoffmann (RETIRED) gentoo-dev

2008-08-26 17:26:31 UTC

See $URL and bug 235770.

Comment 1 Christian Hoffmann (RETIRED) gentoo-dev

2008-08-26 19:48:53 UTC

This bug should have been filed as UNCONFIRMED.
I'm unable to find the offending file in xen-tools and I'm unable to emerge xen itself (sed: -e expression #6, char 930: unterminated `s' command).
Might be related to the fact that I emerged it with --nodeps.

rbu, can you check? You're maintainer anyway :p

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-08-31 18:04:53 UTC

The xen-tools package contains the file ( /tools/ioemu/target-i386-dm/qemu-dm.debug ), and that indeed creates those files insecurely. However, neither the Makefiles not the ebuilds install this file.

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2008-11-08 14:10:31 UTC

*** Bug 246068 has been marked as a duplicate of this bug. ***