Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 188808

Summary: >=app-admin/sysstat-7.1 Insecure temporary file usage (CVE-2007-3852)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: jer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [] jaervosz
Package list:
Runtime testing required: ---
Description Flags
CVE-2007-3852.patch none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:47:11 UTC
The init script handles /tmp/ in an unsafe manner.

Credit should go to Julien L.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:48:43 UTC
Created attachment 128039 [details, diff]

Upstream patch that will be applied to the next release.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:51:29 UTC
jer, please advise and patch as necessary.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 17:14:01 UTC
Which is the next release? Not the development branch (7.1*), I would think.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 17:29:07 UTC
I'm not sure, but I guess the fix for the stable version is pretty close to the patch attached.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 18:11:35 UTC
The patch doesn't apply to the stable 7.0*.
The patch does apply to the unstable 7.1*.

Sadly I cannot access the details of this CVE. I am changing the summary hoping to catch all vulnerable versions.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 18:22:56 UTC
It seems the init.d script from upstream isn't even installed by our ebuild. Instead ${FILESDIR}/sysstat.init.d is installed, so currently we are not vulnerable at all.

I could change the ebuild to put the patched upstream init.d script in /usr/share/doc*, though. Then we'd have somewhat of a vulnerability! :)
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 06:13:50 UTC
Thx for the info Jeroen. I should have looked more closely before filing this.