
Bug 107344

Summary: media-video/mpeg-tools is full of insecure tempfile usage
Product: Gentoo Security
Reporter: SpanKY <vapier>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description SpanKY gentoo-dev 2005-09-26 17:37:29 UTC
i was cleaning up netpbm when i noticed that the mpeg-tools source code has a
ton of /tmp/ hardcodes

running `make test` for example will create these files every time:
/tmp/ts.stat
/tmp/ts.mpg
/tmp/foobar
/tmp/blockbar

the mpeg_encode program will use files named:
/tmp/foobar%d (where %d is a number which increments over time starting at 0)

the convert utilities eyuvtojpeg, vidtoeyuv, vidtojpeg, vidtoppm, and eyuvtoppm
all use /tmp/foobar when converting images
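
An added example (not part of the bug report, the mpeg-tools source, or the Gentoo patches) showing why a fixed temp-file name like the `/tmp/foobar` described above is unsafe, next to the `mkstemp()` form that avoids it. The function names and the private sandbox directory are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Legacy pattern: fixed name, truncating open, symlinks followed. */
static int open_fixed_name(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: mkstemp() fills in an unpredictable suffix and creates
 * the file with O_CREAT|O_EXCL and mode 0600, so an existing file or
 * symlink at that path is never reused. */
static int open_unique_name(char *tmpl) {
    return mkstemp(tmpl);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed sandbox: <dir>/victim holds 6 bytes and <dir>/foobar is a
 * symlink to it. Returns victim's size after the temp file is opened. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], fixed[64], tmpl[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/foobar", dir);
    snprintf(tmpl, sizeof tmpl, "%s/foobar.XXXXXX", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);
    if (symlink(victim, fixed) != 0) return -1;

    fd = hardened ? open_unique_name(tmpl) : open_fixed_name(fixed);
    if (fd >= 0) close(fd);
    long left = size_of(victim);
    unlink(tmpl); unlink(fixed); unlink(victim); rmdir(dir);
    return left;
}

int main(void) {
    printf("fixed name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp():  victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

With the fixed name the pre-existing file behind the symlink is truncated to 0 bytes; with `mkstemp()` it keeps its 6 bytes.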
Comment 1 SpanKY gentoo-dev 2005-09-26 17:49:57 UTC
i've added mpeg-tools-1.5b-r2 (KEYWORD-ed -* for now) with three patches:
mpeg-tools-1.5b-tempfile-convert.patch
mpeg-tools-1.5b-tempfile-mpeg-encode.patch
mpeg-tools-1.5b-tempfile-tests.patch

i was able to test the ppm convert utilities, but i have no idea how to test the
jmovie or vid ones ;)

i tested most of the rewritten tests and they produce the same results as unpatched
mpeg_tools

the mpeg-encode patch i really have no idea how to test ...
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-26 22:16:19 UTC
x86 please test and mark stable.  
Comment 3 Mark Loeser (RETIRED) gentoo-dev 2005-09-28 23:13:16 UTC
stable on x86
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-29 00:46:07 UTC
Amd64 arch team: could you add the ~amd64 keyword to benefit from the update?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-29 13:57:12 UTC
Let's have a GLSA vote while waiting for amd64. 
 
I tend to vote YES. 
Comment 6 SpanKY gentoo-dev 2005-09-29 15:24:43 UTC
i'd vote yes too since this can be triggered by doing `emerge mpeg-tools`
when the user has 'FEATURES=test' in make.conf :/
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 00:41:06 UTC
I vote YES too.
Still waiting on amd64 to mark 1.5b-r2 ~amd64
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 02:20:07 UTC
Fwded to vendor-sec, CAN number asked.
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2005-09-30 13:36:47 UTC
amd64 stable
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 13:59:20 UTC
This is CAN-2005-3115
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 09:15:29 UTC
GLSA 200510-02