CVE-2009-1297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1297): iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and SUSE Linux Enterprise (SLE) 10 SP2 and 11 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file that has a predictable name.
More information: https://bugzilla.redhat.com/show_bug.cgi?id=523936
Patch used by Debian is linked in there. Gentoo ships the iscsi_discovery script when the utils USE flag is enabled. Maintainers, please prepare a fixed ebuild, thanks.
Oh, ~arch only, adjusting severity.
I've updated the ebuild for 2.0.871 in http://bugs.gentoo.org/show_bug.cgi?id=278589
As no one really maintains open-iscsi, I'm currently proxy-maintaining it. I've changed several things in 2.0.871, and honestly really don't want to see 2.0.870.3 in portage anymore; I can't even build/test it on my workstation because the kernel is too new (that was an issue with the old ebuild). The last bump & QA was done by Tobias, maybe he could bump again? ;)
Created attachment 208374: CVE-2009-1297.patch
Created attachment 208375: open-iscsi-2.0.870.3-r1.ebuild
Sorry for bugspam! =)
Argh, again.
(In reply to comment #3)
> The last bump & QA was done by Tobias, maybe he could bump again? ;)

Proxy commit in CVS. Get your quiz done plz ;) No stable version, closing this one therefore.