
Bug 236205

Summary: <games-server/crossfire-server-1.11.0: Insecure temporary file creation
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: anmaster, games
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 235770

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 13:15:41 UTC
The crossfire-maps ship a file that our ebuild installs as 
/usr/share/games/crossfire/maps/Info/combine.pl

The file creates files insecurely. It is my understanding that it is not needed by the server (Debian does not install the file anymore), but we can also get proper tempfile handling into the script with the help from upstream.

This does not affect 1.9.0 (our stable).

Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:09:29 UTC
Games: please comment.

Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2010-01-30 08:11:33 UTC
So, a random, poorly-coded Perl script that is installed in a directory not in any path, and never called by any installed binary is grounds for a security bug? Seems pretty unnecessary.

I changed the package to not install that script anymore but this doesn't qualify as a security bug to me.

Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 19:30:37 UTC
	  30 Jan 2010; Michael Sterrett <mr_bones_@gentoo.org>
	  crossfire-server-1.11.0.ebuild:
	  Skip install of combine.pl (bug #236205)

Closing as noglsa - vulnerable versions were ~arch only.