Bug 201022 (CVE-2007-6209)

Summary: app-shells/zsh < 4.3.2-r3 insecure temporary file creation (CVE-2007-6209)
Product: Gentoo Security
Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: pipping, tove, usata
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-02 21:02:22 UTC
zsh provides a difflog.pl script in /usr/share/zsh/4.3.4/Util/difflog.pl which uses insecurely created files in /tmp, the same kind of issue as bug #198231. Thanks to Elias Pipping for noticing.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-02 21:09:01 UTC
Mamoru, do you know if upstream is aware of this? We could modify the feynmf patch, but having an official corrected release from upstream would probably be better. Any opinion?
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-02 21:47:39 UTC
(In reply to comment #1)
> Mamoru, do you know if upstream is aware of this? We could modify the feynmf
> patch, but having an official corrected release from upstream would probably be
> better. Any opinion?
> 

actually cc'ing maintainer :)
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2007-12-03 18:09:55 UTC
usata announced his retirement recently.

zsh devs are aware of the issue:
http://www.zsh.org/mla/workers/2007/msg01060.html and follow-ups (especially <http://www.zsh.org/mla/workers/2007/msg01065.html>)

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 23:57:20 UTC
Since the decision is going to be not to distribute that file, it should be removed from the ebuild.

Anyone in cc on this bug willing to maintain this baby? If not, we should ask the dev community.
Comment 5 Torsten Veller (RETIRED) gentoo-dev 2007-12-04 16:19:37 UTC
I've just added two new ebuilds without difflog.pl (4.3.2-r3 and 4.3.4-r1).
(BTW upstream has fixed the issue in their repo.)

=app-shells/zsh-4.3.2-r3 should be stabilized again. Removing difflog.pl is the only substantial change.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 17:53:23 UTC
Arches, please test and mark stable app-shells/zsh-4.3.2-r3.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-04 20:17:03 UTC
ppc stable
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-04 20:19:40 UTC
x86 stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-12-04 21:07:49 UTC
ppc64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-05 00:41:39 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-12-05 11:19:04 UTC
alpha/ia64/sparc stable
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-12-06 05:07:04 UTC
amd64 stable
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:36:58 UTC
voting time. I tend to vote No since the script usage seems to be extremely unlikely, according to the zsh ml.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-12-09 01:28:43 UTC
voting NO, too. closing.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:55:25 UTC
Does not affect current (2008.0) release. Removing release.