From ${URL} : Please assign a CVE number for the ace build process using predictable filenames in a world-writeable directory (DAC violation). Upstream: http://www.dre.vanderbilt.edu/~schmidt/ACE.html In bin/generate_doxygen.pl line 177 it says: > my $output = "/tmp/".$i.".".$$.".doxygen"; This path is later opened for writing. For context, see: http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/generate_doxygen.pl/#L177 Initial disclosure: http://bugs.debian.org/760709 (end of CVE request) A quick "grep -r /tmp $ace_source" indicates more occasions that may be worth researching. Most of the results reside within examples or documentation though. An interesting find is bin/g++-dep line 63: > TMP=/tmp/g++dep$$ This path is also used for writing. The context can be found at: http://sources.debian.net/src/ace/6.2.7%2Bdfsg-1/bin/g%2B%2Bdep/#L63 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This was fixed via https://github.com/DOCGroup/ACE_TAO/commit/381c1523171a57e7dec6bdfba8696c3c0c75b5ce $ git tag --contains 381c1523171a57e7dec6bdfba8696c3c0c75b5ce | sort ACE+TAO-6_3_4 ACE+TAO-6_4_0 ACE+TAO-6_4_1 ACE+TAO+CIAO-6_3_1 ACE+TAO+CIAO-6_3_2 ACE+TAO+CIAO-6_3_3 Latest_Beta Latest_Micro Latest_Minor @ Maintainer(s): Please bump at least to =dev-libs/ace-6.3.4 (but v6.4.1 is recommended).
@maintainers ping, please bump to newer version. Michael Boyle Gentoo Security Padawan
# Aaron Bauman <bman@gentoo.org> (13 Apr 2019) # Unmaintained in Gentoo and outstanding vulnerability # Masked for removal in 30 days. Bug #522578 dev-libs/ace # rdeps dev-cpp/xsd net-proxy/bfilter
dev-libs/ace is only an optional dependency of dev-cpp/xsd, isn't it? I have xsd installed as a dependency for a package in an overlay, but not ace. If ace is the only source of problems, then just removing IUSE=ace from xsd could be an option.
(In reply to Doppler from comment #4) > dev-libs/ace is only an optional dependency of dev-cpp/xsd, isn't it? I have > xsd installed as a dependency for a package in an overlay, but not ace. If > ace is the only source of problems, then just removing IUSE=ace from xsd > could be an option. fixed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=775c581b7416b537c63d0d07e11957a58d50bac0 commit 775c581b7416b537c63d0d07e11957a58d50bac0 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-05-15 20:43:15 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-05-15 20:43:39 +0000 dev-libs/ace: Remove last-rited pkg Bug: https://bugs.gentoo.org/522578 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-libs/ace/Manifest | 6 --- dev-libs/ace/ace-5.7.2.ebuild | 86 ------------------------------------------ dev-libs/ace/ace-5.8.3.ebuild | 87 ------------------------------------------- dev-libs/ace/metadata.xml | 11 ------ profiles/package.mask | 5 --- 5 files changed, 195 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=373733c91e372cba08106b7cbe7f00c068477255 commit 373733c91e372cba08106b7cbe7f00c068477255 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-05-15 20:42:21 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-05-15 20:42:55 +0000 net-proxy/bfilter: Remove last-rited pkg Bug: https://bugs.gentoo.org/522578 Signed-off-by: Michał Górny <mgorny@gentoo.org> net-proxy/bfilter/Manifest | 1 - net-proxy/bfilter/bfilter-1.1.4-r4.ebuild | 84 ---------------------- .../files/bfilter-1.1.4-external-boost.patch | 63 ---------------- .../bfilter/files/bfilter-1.1.4-glib-2.32.patch | 39 ---------- .../bfilter-1.1.4-gtkmm-X11-underlinking.patch | 12 ---- net-proxy/bfilter/files/bfilter.conf | 4 -- net-proxy/bfilter/files/bfilter.init | 35 --------- net-proxy/bfilter/files/forwarding-proxy.xml | 19 ----- net-proxy/bfilter/files/forwarding.xml | 5 -- net-proxy/bfilter/metadata.xml | 21 ------ profiles/package.mask | 1 - 11 files changed, 284 deletions(-)