Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 209927 (CVE-2008-0665)

Summary: dev-lang/wml < 2.0.11-r3 Insecure temp file usage (CVE-2008-0665, CVE-2008-0666)
Product: Gentoo Security Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graaff
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/28856/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-12 21:31:47 UTC 
Some security issues have been reported in Website META Language, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to insecure handling of temporary files in wml_backend/p1_ipp/ipp.src, wml_contrib/wmg.cgi, and wml_backend/p3_eperl/eperl_sys.c. This can be exploited via symlink attacks to overwrite or delete arbitrary files with the privileges of the user running the program.

The security issues are reported in version 2.0.11. Other versions may also be affected.

Solution:
Restrict access to the temporary directory to trusted users only.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-12 21:42:24 UTC 
here's the patch, courtesy of Debian:
http://people.debian.org/~nion/nmu-diff/wml-2.0.11-3_2.0.11-3.1.patch

Hans, please bump.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:39:31 UTC 
Hans, please bump.
Comment 3 Hans de Graaff gentoo-dev Security 2008-02-27 05:45:25 UTC 
Apologies for the delay: vacations and real-life have been getting in the way. I hope to be able to get to it this weekend at the latest.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-27 08:16:08 UTC 
Hans, that sounds fine. Next time just post an update the first time so we know what to do:-)
Comment 5 Hans de Graaff gentoo-dev Security 2008-02-29 06:42:48 UTC 
The attached patch seems to break wml... I'll see what I can do over the weekend, but this does change the level of work needed.
Comment 6 Hans de Graaff gentoo-dev Security 2008-02-29 15:32:34 UTC 
I've just added wml-2.0.11-r3 to the tree with a reworked version of the Debian patch. I'd like to give it a few days as unstable to catch any remaining bugs.
Comment 7 Hans de Graaff gentoo-dev Security 2008-03-05 19:29:39 UTC 
No bug reports so far and seems to work fine on my own sites. I think we can mark this stable now.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:37:01 UTC 
Arches, please test and mark stable:
=dev-lang/wml-2.0.11-r3
Target keywords : "amd64 ia64 ppc release s390 sparc x86"
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 20:51:28 UTC 
ppc stable
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-06 07:19:47 UTC 
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-03-06 12:39:37 UTC 
ia64/sparc stable
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2008-03-10 14:58:19 UTC 
amd64 stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-10 16:00:14 UTC 
Fixed in release snapshot.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 17:28:55 UTC 
Ready for vote.

I vote YES.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 22:05:45 UTC 
yes too, request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-15 20:59:32 UTC 
GLSA 200803-23