Bug 104581

Summary: app-admin/mon <= 0.99.2 insecure temporary file creation
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3
Package list:
Runtime testing required: ---

Description Romang 2005-09-02 04:18:16 UTC
Hello,

In alert.d/test.alert :

echo "`date` $*" >> /tmp/test.alert.log

I don't think this file is used, but it is still in the package.

Regards.
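
The pattern reported above beside a hardened form, as an added example that is not part of the bug report or of the mon package. The function names, the private log directory argument and the sandbox built in demo are assumptions made for this illustration.

```sh
#!/bin/sh
# Added illustration, not code from the mon package. Function names and
# directory arguments are assumptions made for this example.

# Pattern from alert.d/test.alert: append to a fixed name in a directory
# other users can write to. ">>" follows whatever already sits at that name.
log_naive() {            # $1 = log path, remaining args = message
    _log=$1; shift
    echo "$(date) $*" >> "$_log"
}

# Hardened form: log only inside a directory owned by the caller and closed
# to other users, and refuse a symlink or special file at the log path.
log_hardened() {         # $1 = private log directory, remaining args = message
    _dir=$1; shift
    (
        umask 077
        mkdir -p "$_dir" || exit 1
        [ -d "$_dir" ] && [ ! -L "$_dir" ] && [ -O "$_dir" ] || exit 1
        chmod 700 "$_dir" || exit 1
        _log=$_dir/test.alert.log
        if [ -L "$_log" ] || { [ -e "$_log" ] && [ ! -f "$_log" ]; }; then
            echo "refusing to write: $_log is not a regular file" >&2
            exit 1
        fi
        echo "$(date) $*" >> "$_log"
    )
}

# Constructed demonstration in a throwaway sandbox: a pre-existing symlink at
# the log path redirects the naive append; the hardened form refuses it.
# Prints "naive=<followed|safe> hardened=<refused|wrote>".
demo() {
    _sb=$(mktemp -d) || return 1
    mkdir "$_sb/shared" "$_sb/private"
    : > "$_sb/other_file"
    ln -s "$_sb/other_file" "$_sb/shared/test.alert.log"
    ln -s "$_sb/other_file" "$_sb/private/test.alert.log"
    log_naive "$_sb/shared/test.alert.log" test
    if [ -s "$_sb/other_file" ]; then _n=followed; else _n=safe; fi
    if log_hardened "$_sb/private" test 2>/dev/null; then _h=wrote; else _h=refused; fi
    rm -rf "$_sb"
    echo "naive=$_n hardened=$_h"
}
```

The ownership and mode checks on the directory are what close the race; the symlink test on the log file alone would not be enough in a directory that other users can write to.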
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 04:46:44 UTC
Yes, the documentation doesn't mention it, I assume it's purely for debugging, 
nevertheless it is installed by the ebuild, so moving to Vulnerabilities.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 05:11:29 UTC
Yes, obvious bug.

He doesn't need a temp file to do that, popen returns a stream anyway, suggested 
quick fix attached.
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 05:11:59 UTC
oops wrong bug, disregard comment #2
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:42:42 UTC
Let us know when upstream is aware.
Comment 5 Romang 2005-09-05 01:18:02 UTC
Hello,

Email sent to trockij@linux.kernel.org

Regards.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:38:23 UTC
Apparently everyone agrees this one is insignificant. Should we close it?
Comment 7 Romang 2005-09-13 02:39:54 UTC
Hello,

Yes could be closed ;)

Regards.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-13 04:25:56 UTC
Closed.