Bug 97595 - mail-client/elmo <= 1.3.2-r1 insecure temporary file creation
Summary: mail-client/elmo <= 1.3.2-r1 insecure temporary file creation
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa] jaervosz
Reported: 2005-07-01 02:55 UTC by Romang
Modified: 2005-08-09 01:43 UTC
Description Romang 2005-07-01 02:55:09 UTC
Hello,

Take a look at:

src/stats.c

        fp = fopen ("/tmp/elmostats", "w");
        if (fp == NULL){
                error_ (errno, _("couldn't open %s"), "/tmp/elmostats");
                destroy_stats (& stats);
                return;
        }

        fprintf (fp, "box path: %s\n", wrapbox_marray->path);
        fprintf (fp, "count: %d\n\n", wrapbox_marray->count);

Regards.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-05 06:52:47 UTC
confirmed, it looks like you can hook dump_stats to events and that file will be 
created insecurely, looks like upstream is dead (according to elmo.sf.net), so 
we will have to patch or mask. I would suggest moving that file to ~/.elmo_stats 
or something.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 05:24:22 UTC
I guess we should provide a patch, unless net-mail wants to drop the package.
Pulling in citizen428 for advice.
Comment 3 Romang 2005-07-12 00:59:35 UTC
Hello,

Upstream notified but the project seems to be dead.

Regards.
Comment 4 Michael Kohl (RETIRED) gentoo-dev 2005-07-16 08:14:03 UTC
Actually I've given up on maintaining Elmo because I don't use it anymore, so if
someone wants to mask it for security reasons, I'm fine with that. 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-17 02:41:49 UTC
CC'ing Ticho. 
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 00:47:04 UTC
Ticho, any news on this one? (No one else volunteered)
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2005-07-21 01:03:49 UTC
I just have some translations to finish due today and I'll have a look at it.
What's the problem here actually? The fact that a predictably named file is
created in /tmp (i.e. no mkstemp() ) ?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 01:10:11 UTC
Yes. 
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2005-07-21 07:39:40 UTC
elmo-1.3.2-r2 is in portage. Using mkstemp() with template "/tmp/elmostatsXXXXXX".
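
An added illustration of the approach described in comment 9, not part of the bug thread and not the actual elmo or Gentoo patch: the stats file is created with mkstemp() from the template "/tmp/elmostatsXXXXXX", and the generated name is handed back so the caller can still report where the stats went. The helper names open_stats_file and stats_file_is_private are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not elmo's code). On success returns a write stream
 * and stores the name that was actually created in path_out. */
FILE *open_stats_file(char *path_out, size_t len)
{
    const char tmpl[] = "/tmp/elmostatsXXXXXX";
    if (len < sizeof tmpl) { errno = ENAMETOOLONG; return NULL; }
    memcpy(path_out, tmpl, sizeof tmpl);

    mode_t old = umask(077);      /* some old libcs did not force mode 0600 */
    int fd = mkstemp(path_out);   /* exclusive create with a random suffix */
    umask(old);
    if (fd < 0) return NULL;

    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {             /* do not leave a stray file behind */
        int saved = errno;
        close(fd);
        unlink(path_out);
        errno = saved;
    }
    return fp;
}

/* Returns 1 if path is a regular file we own with no group/other access. */
int stats_file_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int main(void)
{
    char path[64];
    FILE *fp = open_stats_file(path, sizeof path);
    if (fp == NULL) { perror("mkstemp"); return 1; }
    fprintf(fp, "count: %d\n\n", 0);   /* constructed sample value */
    fclose(fp);
    printf("%s private=%d\n", path, stats_file_is_private(path));
    return unlink(path);
}
```
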
Comment 10 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-21 07:44:14 UTC
Andrej: but won't that make it difficult to find the stats?

not a security problem though, if it's okay with you, it's fine from a security 
standpoint.
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2005-07-21 07:48:49 UTC
Yes, I've thought of that, but if elmo wants to have stats dumped in /tmp, so be
it - this only makes it more secure. :)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 08:18:20 UTC
Changing status to SEMIPUBLIC as this is in Portage now. 
 
Romang, is it OK with you to open this one now?
 
Arch Security Liaisons please test and mark stable. 
 
Comment 13 Romang 2005-07-21 08:50:05 UTC
Hello,

Yes it's OK.

Regards
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 08:56:04 UTC
Opening. 
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-21 13:58:56 UTC
Stable on alpha.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 06:43:49 UTC
ticho: could you mark x86 stable? The fix is rather harmless and alpha already
tested it.
Comment 17 Andrej Kacian (RETIRED) gentoo-dev 2005-07-30 15:20:50 UTC
Done. Sorry for the delay.
Comment 18 Andrej Kacian (RETIRED) gentoo-dev 2005-07-30 15:23:36 UTC
Eh, removing relevant arch.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-31 01:08:37 UTC
This one is ready for GLSA decision. I tend to vote NO. 
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-07-31 04:31:15 UTC
I vote also NO. Using stats doesn't seem the usual usage of that
nearly-abandoned package. Closing, reopen if you think this one needs a GLSA.
Comment 21 Michael Kohl (RETIRED) gentoo-dev 2005-08-09 01:17:54 UTC
(In reply to comment #20)
> I vote also NO. Using stats doesn't seem the usual usage of that
> nearly-abandoned package. 

It *is* an abandoned package. To quote elmo's website: 

"Project is Closed   /2005-01-06/ 
After over half a year not doing anything with Elmo I decided to admit that
nothing is going to change.

I want to thank all the people around the world who have helped and supported me."