Hello, src/hooks/gaduhook.cc 909 fname = (getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp"); 910 fname += "/gg.token." + i2str(getpid()); 912 ofstream bf(fname.c_str()); 913 914 if(bf.is_open()) { 915 bf.write(h->body, h->body_size); 916 bf.close(); 917 } else { 918 return ""; 919 } Maybe could permit overwrite off arbitrary files with the right of the user using centericq. Symlink attack. Regards.
Auditors please verify.
yep, clear cut.
Hello, I contact upstream. Regards.
Romang any news on this one?
Pulling in maintainers. This is not public yet, but since upstream doesn't seem to answer we might have to patch it ourselves...
Hello, Reported on vendor-sec@lst.de Regards.
We'll need a patch for that one (or mask/drop it ?). No upstream and no answer from downstream maintainers, ad will be public by tomorrow.
Pulling in net-im herd. Should we design a patch for it ? Drop it ?
I will talk to Konst (the author) now, who coincidentally is a friend of mine ;) Sorry for the delay. We could also just disable Gadu-Gadu in our ebuild btw., as it seems to be GG specific only.
thekonst: 08.07 11:40 I am very busy at the moment 08.07 11:41 I would appreciate if someone sends me a patch so, any volunteers? :) if not, I will just hard-disable GG in our ebuild with the corresponding configure parameter. objections? ideas?
Created attachment 63690 [details, diff] centericq-CAN-2005-1914.diff Patch from Martin Schulze for Debian DSA 754-1
Wolfram: Please patch using the Debian patch (if it applies somewhat OK to our version). Feel free to forward it upstream if they don't already have it.
http://article.gmane.org/gmane.network.centericq/3582 We already have updated CVS sources. I have to check them out and make a patch...
done -- =net-im/centericq-4.20.0-r2 is now the only remaining version in portage and it contains the fix from the CenterICQ CVS repo.
Thx Wolfram, please don't close security bugs. Security this one is ready for GLSA vote. I tend to vote NO.
I agree on no. This is on a specific config (GG) + typically runs as user, and on mono-user envs. Reopen if you disagree.
whoops, sorry for closing the bug... it felt like I was the assignee, but I wasn't =)
