| Summary: | app-admin/apachetop <= 0.12.5 insecure tmp file creation (CAN-2005-2660) |
|---|---|
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Reporter: | Romang <zataz> |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| Priority: | High |
| CC: | web-apps |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | C3 [noglsa] jaervosz |
| Runtime testing required: | --- |

Description
Romang
2005-09-01 05:48:33 UTC
confirmed, moving to vulnerabilities. Eric: tell us when upstream is warned.

Hello, I have sent the advisory to upstream. Chris Elsworth <chris@shagged.org> Regards.

Hello, No upstream response. Send to: vendor-sec@lst.de Disclosure the: 30/09/2005 Regards

Spanky/solar/tigger anybody wants to patch? You could just redefine DEBUG_OUTPUT to "atop.debug", and perhaps turn off debug by default.

Hello, CVE: CAN-2005-2660 Steve Kemp for Debian is currently working on a patch. Maybe you should have contact with him to get the same patch. Planned release date: 30/09/2005 Regards.

Waiting for a patch and to be closer to the release date

I asked Steve Kemp for his patch.

Created attachment 69342
apachetop_CAN-2005-2660.patch
Patch from Steve Kemp (Debian)

Pulling rl03 in as web-apps security usual suspect. We'll need to commit a patched version on 20050930 (not before), this is just a warning so that you can prepare yourself.

/me prepares self

Now public, rl03: feel free to bump now

bumped

Archs please test and mark 0.12.5-r1 stable

x86 done

Stable on ppc.

Stable on amd64

Stable on SPARC.

Ready for GLSA vote

My vote all depends on whether this is enabled by default or not... Tavis/Eric, could you enlighten us?

```
src/apachetop.cc: cf.debug = true;
src/apachetop.cc: if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
src/apachetop.h:#define DEBUG_OUTPUT "/tmp/atop.debug"
```

Apparently this is enabled by default (?) so I vote YES.

Renat can you confirm that it is enabled per default?

vote YES, although it would require the adns USE flag to be set for there to be much chance of exploiting, so not very likely.

If it requires USE=adns, I'm not sure it's needed... Never heard about adns, I tend to vote NO.

Reverting to NO and closing. USE=adns just sounds a little unlikely to me. Feel free to reopen if you disagree though.
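
The grep output quoted in the thread shows the debug log opened with `fopen(DEBUG_OUTPUT, "a")` on a fixed name under /tmp. As an added example (not apachetop code and not the patch in attachment 69342), the C below contrasts that pattern with an open that refuses symlinks and validates the file it actually opened; `legacy_append` and `open_debug_log` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, dprintf, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern quoted in the thread: fopen(..., "a") on a fixed name follows
 * symlinks, so the write lands wherever the name points. */
int legacy_append(const char *path, const char *msg)
{
    FILE *d = fopen(path, "a");
    if (!d)
        return -1;
    fputs(msg, d);
    return fclose(d);
}

/* Hardened variant (hypothetical helper): returns an append-mode fd,
 * or -1 if the path is not safe to log to. */
int open_debug_log(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * 0600: a newly created log is readable by its owner only. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Validate the object that was opened, not the name: regular file,
     * owned by this user, no additional hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Relative name, as suggested in the thread, instead of /tmp. */
    int fd = open_debug_log("atop.debug");
    if (fd < 0) {
        perror("open_debug_log");
        return 1;
    }
    dprintf(fd, "debug log opened\n");
    return close(fd);
}
```

The ownership and link-count checks also reject a log file that another local user created in advance under the same name.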