Summary: | app-editors/vim < 7.2 configure.in Makefile-conf temporary file issue (CVE-2008-3294) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | critical | CC: | fmccor, vim |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://thread.gmane.org/gmane.comp.security.full-disclosure/62082 | | |
Whiteboard: | A1 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-07-25 00:53:57 UTC
Just for reference, here's a reproducer. Create /tmp/Makefile-conf$$ with the expected PID range, 644 mode and following content:

    __:
    	echo echo "Hey there"
    	echo id
    	echo whoami
    	echo pwd

then "emerge vim"

    ...
    checking Python's configuration directory... /usr/lib/python2.5/config
    auto/configure: line 4858: /tmp/Makefile-conf2247: Permission denied
    echo Hey there
    Hey there
    id
    uid=250(portage) gid=250(portage) groups=250(portage)
    whoami
    portage
    pwd
    /var/tmp/portage/app-editors/vim-7.1.319/work/vim71/src

There's a patch for this issue against 7.2b, but the patch also applies to 7.1
ftp://ftp.vim.org/pub/vim/unstable/patches/7.2b/7.2b.014

{vim,gvim}-7.2 are in CVS.

Arches, please test and mark stable:
=app-editors/vim-7.2
=app-editors/vim-core-7.2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
=app-editors/gvim-7.2
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Sparc stable, even if rushed. Works fine for me, and this looks like a rather unpleasant security bug.

alpha/ia64/x86 stable

ppc & ppc64

Stable for HPPA.

amd64 stable

This issue has been fixed since Aug 15, 2008. No GLSA will be issued.
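The temporary-file pattern behind this report next to a hardened form, as an added example that is not part of the bug thread and is not vim's configure code or its patch. The function names, the scratch directory standing in for /tmp and the PLANTED marker are constructed for illustration.

```shell
#!/bin/sh
# Added example. The scratch directory (hypothetical) stands in for the shared /tmp.

# Pattern from the report: the name depends only on the PID, an existing
# file is reused, and a failed write ("Permission denied") is ignored.
unsafe_mkf() {            # $1 = scratch dir, $2 = Makefile text; prints path
    f="$1/Makefile-conf$$"
    { printf '%s\n' "$2" > "$f"; } 2>/dev/null || :
    printf '%s\n' "$f"
}

# Hardened: private 0700 directory with an unpredictable name, exclusive
# create inside it, and any failure is returned to the caller.
safe_mkf() {              # same arguments; prints path, non-zero on failure
    d=$(umask 077 && mktemp -d "$1/conf.XXXXXX") || return 1
    f="$d/Makefile-conf"
    ( set -C; printf '%s\n' "$2" > "$f" ) || { rm -rf "$d"; return 1; }
    printf '%s\n' "$f"
}

# Exclusive create on a fixed name: refuses a file that is already there.
excl_create() {           # $1 = path, $2 = text
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

demo() {
    scratch=$(mktemp -d) || return 1
    # Constructed stand-in for a file another local user created first.
    printf 'PLANTED\n' > "$scratch/Makefile-conf$$"
    chmod 444 "$scratch/Makefile-conf$$"
    u=$(unsafe_mkf "$scratch" "__:")
    s=$(safe_mkf "$scratch" "__:") || return 1
    echo "unsafe: $u -> $(head -n 1 "$u")"
    echo "safe:   $s -> $(head -n 1 "$s")"
    excl_create "$u" "__:" || echo "exclusive create refused existing $u"
    rm -rf "$scratch"
}

demo
```

When run as an unprivileged user, the unsafe path still holds the planted line after the ignored write failure, which is the condition the configure output in the report shows.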