Bug 236205 - <games-server/crossfire-server-1.11.0: Insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Blocks: debian-tempfile
Reported: 2008-08-30 13:15 UTC by Robert Buchholz (RETIRED)
Modified: 2012-09-22 19:30 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 13:15:41 UTC
The crossfire-maps ship a file that our ebuild installs as 
/usr/share/games/crossfire/maps/Info/combine.pl

The file creates files insecurely. It is my understanding that it is not needed by the server (Debian does not install the file anymore), but we can also get proper tempfile handling into the script with the help from upstream.

This does not affect 1.9.0 (our stable).
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:09:29 UTC
Games: please comment.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2010-01-30 08:11:33 UTC
So, a random, poorly-coded Perl script that is installed in a directory not in any path, and never called by any installed binary is grounds for a security bug? Seems pretty unnecessary.

I changed the package to not install that script anymore but this doesn't qualify as a security bug to me.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 19:30:37 UTC
	  30 Jan 2010; Michael Sterrett <mr_bones_@gentoo.org>
	  crossfire-server-1.11.0.ebuild:
	  Skip install of combine.pl (bug #236205)

Closing as noglsa - vulnerable versions were ~arch only.