Summary: | media-video/vobcopy < 1.1.0 Insecure temporary file creation (CVE-2007-5718)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Robert Buchholz (RETIRED) <rbu>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
Priority: | High
CC: | jmalacho, media-video
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448319
Whiteboard: | B3 [glsa]
Runtime testing required: | ---

Description
Robert Buchholz (RETIRED)
2007-10-31 01:02:05 UTC
The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has changed there, but it still does:

./vobcopy-1.0.0/vobcopy.c: if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr ) == NULL )

I'm not a C expert, but that doesn't look right, or does freopen do some magic?

(In reply to comment #1)
> The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has
> changed there, but it still does:
>
> ./vobcopy-1.0.0/vobcopy.c: if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr )
> == NULL )
>
> I'm not a C expert, but that doesn't look right, or does freopen do some magic?

No, freopen internally uses fopen so this is no fix for the security issue (haven't looked at the rest of the code). You can use 'x' as mode to open with O_EXCL but this is a GNU extension, so I propose doing this with open and use fdopen if you really need a FILE stream.

Cheers
nion

Debian applied the attached patch to 1.0.2, not sure about upstream inclusion. A discussion with upstream can be found at $URL.

Media-video, please apply.

Created attachment 139225
Relevant parts of vobcopy_1.0.2-1.diff

(In reply to comment #3)
> Debian applied the attached patch to 1.0.2, not sure about upstream inclusion.
> A discussion with upstream can be found at $URL.
>
> Media-video, please apply.
>

*ping*

Okay so I'm slightly confused. Is it fixed in 1.0.2 or not?

No, 1.0.2 is still affected, the attached patch was applied to the vanilla 1.0.2 tarball as shipped in Debian. Sorry if I was unclear.

vobcopy 1.1.0 is out and it looks like he fixed it. "This release fixes the debian bug #448319 which got retitled CVE-2007-5718...."

media-video, if some of you can bump this, it's greatly appreciated.

1.1.0 in the tree

Arches please test and mark stable. Target keywords are:
vobcopy-1.1.0.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86"

x86 stable

ppc64 stable

Sparc done.

ppc stable

amd64 stable

This one is ready for GLSA vote. I tend to vote YES.

Fixed in release snapshot.

YES, filed.

GLSA 200803-11
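
The approach proposed in the thread (open() with O_EXCL, then fdopen() if a FILE stream is needed), written out as an added example; it is not vobcopy's code and not the Debian patch. The names `open_new_log` and `symlink_demo` and the scratch directory are hypothetical, and the symlink scenario is constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file that must not exist yet. With O_CREAT|O_EXCL, open()
 * fails with EEXIST if anything is at `path`, including a symlink (even a
 * dangling one), so a link planted in /tmp is never followed. */
FILE *open_new_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "a");   /* wrap the fd only if a FILE * is needed */
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario: pre-plant a symlink at the log path, then check that
 * the log is refused and the link target stays empty. Returns 0 if so. */
int symlink_demo(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* hypothetical scratch directory */
    char target[64], logpath[64];
    struct stat st;
    int rc = 1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(logpath, sizeof logpath, "%s/vobcopy.bla", dir);
    FILE *t = fopen(target, "w");           /* empty file the link points to */
    if (t != NULL && fclose(t) == 0 && symlink(target, logpath) == 0) {
        FILE *log = open_new_log(logpath);
        int refused = (log == NULL && errno == EEXIST);
        if (log != NULL)
            fclose(log);
        if (refused && stat(target, &st) == 0 && st.st_size == 0)
            rc = 0;
    }
    unlink(logpath); unlink(target); rmdir(dir);
    return rc;
}

int main(void) { return symlink_demo() == 0 ? 0 : 1; }
```

To point stderr at the new file, as the original freopen() call did, the descriptor can be passed to dup2(fd, STDERR_FILENO) instead of being wrapped with fdopen().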