Summary: | media-gfx/aview <1.3.0_rc1-r1 insecure temp file usage (CVE-2008-4935) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | maintainer-needed
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | All | |
URL: | http://bugs.debian.org/496422 | |
Whiteboard: | B3? [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 235770 | |
Attachments: | | |

Description
Christian Hoffmann (RETIRED)

Confirmed in version 1.3.0_rc1.

File: /usr/bin/asciiview
Line 6: rm $file
Line 10, 70, 73: Piping output to $file
Line 59: mkfifo $file (will probably just fail if already existing, program execution continues anyway)

No patch from Debian yet.

This package is maintainer-needed.

Created attachment 165209
02_tmp_creation.patch

Debian patched it.

*aview-1.3.0_rc1-r1 (13 Sep 2008)

13 Sep 2008; Robert Buchholz <rbu@gentoo.org> +files/aview-1.3.0_rc1-includes.patch, +files/aview-1.3.0_rc1-tmp_creation.patch, +aview-1.3.0_rc1-r1.ebuild:
Non-maintainer bump: Fix insecure temporary file creation in asciiview (bug #235808)

Arches, please test and mark stable:
=media-gfx/aview-1.3.0_rc1-r1
Target keywords : "amd64 ppc x86"

amd64 stable

http://www.shatters.net/~claurel/celestia/images/moon-ls-140.pnm <- file to test

x86 stable

ppc stable

GLSA decision, voting YES.

YES too, request filed.

GLSA 200812-14, thanks everyone, sorry about the "delay".
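
The description above flags a temp path that is removed, written to and handed to `mkfifo`, with the script carrying on even when `mkfifo` fails. The sketch below shows one way to avoid that pattern in a shell script. It is an added example, not the asciiview script and not the Debian or Gentoo patch; the function names and the `aview-demo` prefix are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not code from asciiview or its patches.

# Create a FIFO inside a fresh private directory. mktemp -d picks an
# unpredictable name and creates the directory with mode 0700, so no other
# local user can pre-create or replace anything inside it.
# Prints the FIFO path on stdout; returns non-zero if any step fails.
make_private_fifo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/aview-demo.XXXXXX") || return 1
    if ! mkfifo -m 600 "$dir/fifo"; then
        rmdir "$dir"
        return 1
    fi
    printf '%s\n' "$dir/fifo"
}

# The failure mode from the report: mkfifo on a path that already exists.
# Returns 0 only if this call created the FIFO; the caller must stop on
# failure instead of writing to whatever is already at that path.
fifo_or_abort() {
    path=$1
    mkfifo -m 600 "$path" 2>/dev/null || return 1
}

# Remove the FIFO and its directory. Refuses anything that is not a real
# FIFO (test -p follows symlinks, hence the extra -L check), so a symlink
# or regular file is never removed on the script's behalf.
cleanup_private_fifo() {
    fifo=$1
    [ -p "$fifo" ] && [ ! -L "$fifo" ] || return 1
    rm -f -- "$fifo" && rmdir -- "$(dirname -- "$fifo")"
}
```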