
Bug 103568

Summary: sys-apps/lm_sensors Insecure temp file creation
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: henrik
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0759.html
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
lm-sensors.diff none

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-24 02:25:47 UTC
Javier Fernández-Sanguino Peña reports that the pwmconfig script creates the
temp file /tmp/fancontrol insecurely.
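Added example, not part of the bug report or of the attached patch: the pattern reported above (a root-run script writing to a fixed name such as /tmp/fancontrol) beside a mktemp-based form, with a self-check that runs in a throwaway directory. The function names and the sample file names are assumptions for illustration; the actual pwmconfig code is not shown on this page.

```shell
#!/bin/sh
# Added example (constructed); not the patch attached to this bug.

# Unsafe pattern: fixed, predictable name in a shared directory.
# ">" opens whatever already sits at that name and follows symlinks.
write_predictable() {            # $1 = directory, $2 = content
    printf '%s\n' "$2" > "$1/fancontrol"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively (it fails rather than reuse an existing entry), mode 0600.
write_private() {                # $1 = directory, $2 = content
    tmp=$(mktemp "$1/fancontrol.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"         # caller gets the path and must remove it
}

# Self-check in a throwaway directory: a pre-existing symlink at the
# predictable name redirects the first writer but not the second.
selfcheck() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/important.conf"
    ln -s "$box/important.conf" "$box/fancontrol"   # constructed stale link

    write_predictable "$box" "pwm data"
    after_unsafe=$(cat "$box/important.conf")

    printf 'original\n' > "$box/important.conf"     # restore for second run
    made=$(write_private "$box" "pwm data") || { rm -rf "$box"; return 1; }
    after_safe=$(cat "$box/important.conf")
    mode=$(ls -l "$made" | cut -c1-10)

    rm -rf "$box"
    printf '%s|%s|%s\n' "$after_unsafe" "$after_safe" "$mode"
}

selfcheck   # prints: pwm data|original|-rw-------
```

The first field shows the unrelated file was overwritten through the fixed name; the second and third show it left intact and the scratch file created owner-only when mktemp is used.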
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 07:20:35 UTC
Created attachment 66752 [details, diff]
lm-sensors.diff

Patch from Ubuntu.
Comment 3 Henrik Brix Andersen 2005-08-24 07:31:23 UTC
Has this patch been submitted upstream? It's not present in current CVS HEAD.
Comment 4 Henrik Brix Andersen 2005-08-24 07:41:01 UTC
Oh, sorry - it _is_ present in CVS HEAD.

I'll prepare a new ebuild.
Comment 5 Henrik Brix Andersen 2005-08-24 07:48:13 UTC
Fixed in sys-apps/lm_sensors-2.9.1-r1.

I'll mark it stable on x86 within the next 24 hours if no additional bugs are
reported.
Comment 6 Henrik Brix Andersen 2005-08-24 15:34:53 UTC
Stable on x86.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2005-08-24 16:40:00 UTC
amd64 done
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-25 11:26:28 UTC
Stable on ppc.
Comment 9 Henrik Brix Andersen 2005-08-26 03:25:30 UTC
Ready for GLSA?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-26 03:34:11 UTC
Thx for the reminder Brix. 
 
Ready for GLSA vote, I tend to vote NO. 
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-26 05:53:54 UTC
I tend to vote YES, as this is typically run by root.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-26 07:19:34 UTC
Forgot about that, reversing my vote to YES.
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-27 02:33:22 UTC
As it's run as root, I vote yes.
Comment 14 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-27 02:36:33 UTC
agree with Koon, vote YES
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-08-30 07:58:15 UTC
GLSA 200508-19