| Summary: | >=app-admin/sysstat-7.1 Insecure temporary file usage (CVE-2007-3852) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED INVALID | ||||||
| Severity: | normal | CC: | jer | ||||
| Priority: | High | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | B3 [] jaervosz | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Attachments: |
|
||||||
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-08-14 11:47:11 UTC
Created attachment 128039 [details, diff]
CVE-2007-3852.patch
Upstream patch that will be applied to the next release.
jer, please advise and patch as necessary. Which is the next release? Not the development branch (7.1*), I would think. I'm not sure, but I guess the fix for the stable version is pretty close to the patch attached. The patch doesn't apply to the stable 7.0*. The patch does apply to the unstable 7.1*. Sadly I cannot access the details of this CVE. I am changing the summary hoping to catch all vulnerable versions. It seems the init.d script from upstream isn't even installed by our ebuild. Instead ${FILESDIR}/sysstat.init.d is installed, so currently we are not vulnerable at all.
I could change the ebuild to put the patched upstream init.d script in /usr/share/doc*, though. Then we'd have somewhat of a vulnerability! :)
Thx for the info Jeroen. I should have looked more closely before filing this. |