Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 235804

Summary: sci-biology/mafft: insecure temp file usage
Product: Gentoo Security Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: craig, sci-biology
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://bugs.debian.org/496366
Whiteboard: ~3? [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    
Attachments:
Description Flags
suggested patch to fix insecure tempfile handling none

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 17:24:52 UTC 
See $URL and bug 235770.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 19:03:48 UTC 
Yes, we ship /usr/bin/mafft-homologs.rb and it's vulnerable. I checked version 6.240, the vulnerable code is in line 37 and 38 of the mentioned script. There are way more occurences though. It allows for overwriting arbitrary files with a fixed content in the first cases.

Package has no stable version and is only keyworded for ~x86.

According to $URL, debian has developed a patch, see [1].

[1] http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/debian/patches/Securisation-by-mktemp-usage.patch?op=file&rev=0&sc=0
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2008-08-26 23:32:29 UTC 
I'll handle this one.
Comment 3 Donnie Berkholz (RETIRED) gentoo-dev 2008-09-05 05:29:50 UTC 
Sorry, it turns out that I just don't have the time right now to fix this, because I just had a baby Monday. Could someone else please handle it?
Comment 4 Markus Dittrich (RETIRED) gentoo-dev 2008-09-05 13:23:14 UTC 
(In reply to comment #3)
> Sorry, it turns out that I just don't have the time right now to fix this,
> because I just had a baby Monday. Could someone else please handle it?
> 

Congratulations, Donnie! I'll take care of this one for you.

Best,
Markus
Comment 5 Markus Dittrich (RETIRED) gentoo-dev 2008-09-05 21:28:55 UTC 
Created attachment 164660 [details, diff]
suggested patch to fix insecure tempfile handling

I've attached a patch to fix the insecure tempfile issues for
further review. It is taken mostly from the fix developed by the debian 
folks together with mafft's upstream.

The ruby code uses the Tempfile class which will also take care of
removing the generated temporary files upon termination of the script.

Any feedback would be welcome.

Thanks,
Markus
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 16:01:36 UTC 
Markus, I didn't review the patch, but feel free to bump if it was coordinated with both upstream and Debian, and you verified it works.
Comment 7 Markus Dittrich (RETIRED) gentoo-dev 2008-09-23 12:42:49 UTC 
Hi Robert,

I've added mafft-6.240-r1 to the tree which contains this
patch. All vulnerable ebuilds have been removed from the tree.

Best,
Markus
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-23 14:18:45 UTC 
Thanks. ~arch-only packages are not subject to the GLSA process, closing as such.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 02:25:24 UTC 
*** Bug 245920 has been marked as a duplicate of this bug. ***