
Bug 235809 (CVE-2008-4956)

Summary: <net-firewall/fwbuilder-3.0.3: audit wrt insecure temp file usage (CVE-2008-4956)
Product: Gentoo Security
Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: asl, dev-zero, maintainer-needed
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://bugs.debian.org/496406
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 228621    
Bug Blocks: 235770    

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 17:34:49 UTC
See $URL and bug 235770.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-11-06 17:06:05 UTC
I assume I was added because I touched this package to fix a bug report submitted by a user. However, it was merely an attempt to improve QA in Gentoo ;) I don't use this package so... meh.
Comment 2 Petteri Räty (RETIRED) gentoo-dev 2008-11-06 20:07:43 UTC
I was only nuking built_with_use usage.
Comment 3 Tiziano Müller (RETIRED) gentoo-dev 2009-03-17 15:58:45 UTC
I just committed fwbuilder-3.0.3 which isn't affected anymore (at least, the affected script is gone in the new version and also Debian doesn't have any special patch anymore for this version).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-17 17:38:39 UTC
Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.3
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-03-18 21:50:45 UTC
~ppc and ~ppc64 and removed us from CC. If the intent was to go straight to stable, then re-add us.
Comment 6 Tiziano Müller (RETIRED) gentoo-dev 2009-03-20 14:01:34 UTC
@security: I dropped all keywords when bumping from 2.1 to 3.0. Please specify whether stable keywords are wanted (I assume yes). Please also note that alpha has 2.0 stable (which is also affected) but can't keyword >=2.1 because of the implicit java dependency (due to antlr). They agreed that their keyword gets dropped completely.
Comment 7 Markus Meier gentoo-dev 2009-04-15 19:43:33 UTC
amd64/x86 stable
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-07-18 17:17:46 UTC
Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.3
Target keywords : "amd64 ppc ppc64 sparc x86"
Already stabled : "amd64 x86"
Missing keywords: "ppc ppc64 sparc"
Comment 9 nixnut (RETIRED) gentoo-dev 2009-07-19 18:34:25 UTC
ppc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-07-26 13:49:24 UTC
ppc64 done
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-27 22:29:20 UTC
sparc: ping
Comment 12 Tiago Cunha (RETIRED) gentoo-dev 2009-11-29 20:05:55 UTC
sparc keyword dropped from the vulnerable version. We'll probably keyword a new one (on bug #228621) when we have a working JDK. Sorry for the delay.
Comment 13 Arnaud Launay 2010-01-21 15:10:29 UTC
I think this might be related to bug #285861; maybe it would be time to shake this ebuild a bit?
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:33:25 UTC
GLSA Vote: yes.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:41:29 UTC
glsa with #285861 
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2011-03-30 20:54:52 UTC
Not in tree anymore
Comment 17 Joshua Kinard gentoo-dev 2011-12-24 19:47:50 UTC
fwbuilder-3.0.3 is no longer in the tree.  Closing as OBSOLETE.
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:25:12 UTC
Please do not close security bug--we need to publish a GLSA for this--thanks.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:37:02 UTC
This issue was resolved and addressed in
 GLSA 201201-11 at http://security.gentoo.org/glsa/glsa-201201-11.xml
by GLSA coordinator Sean Amoss (ackle).