| Field | Value |
|---|---|
| Summary | >=app-admin/sysstat-7.1 Insecure temporary file usage (CVE-2007-3852) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED INVALID |
| Severity | normal |
| CC | jer |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [] jaervosz |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Sune Kloppenborg Jeppesen (RETIRED)
Created attachment 128039 [details, diff]: CVE-2007-3852.patch

Upstream patch that will be applied to the next release.

jer, please advise and patch as necessary.

Which is the next release? Not the development branch (7.1*), I would think.

I'm not sure, but I guess the fix for the stable version is pretty close to the patch attached.

The patch doesn't apply to the stable 7.0*. The patch does apply to the unstable 7.1*. Sadly I cannot access the details of this CVE.

I am changing the summary hoping to catch all vulnerable versions.

It seems the init.d script from upstream isn't even installed by our ebuild. Instead ${FILESDIR}/sysstat.init.d is installed, so currently we are not vulnerable at all. I could change the ebuild to put the patched upstream init.d script in /usr/share/doc*, though. Then we'd have somewhat of a vulnerability! :)

Thx for the info Jeroen. I should have looked more closely before filing this.