
Bug 237481 (CVE-2008-3928)

Summary: net-analyzer/honeyd < 1.5c-r1 test.sh insecure temporary file creation (CVE-2008-3928)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 13:58:44 UTC
CVE-2008-3928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3928):
  test.sh in Honeyd 1.5c might allow local users to overwrite arbitrary
  files via a symlink attack on temporary files.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-09-15 17:28:55 UTC
I've committed honeyd-1.5c-r1 which should fix this issue. The patch was taken from Debian and basically it makes test.sh use /var/log instead of /tmp for log files. Please review and CC arch teams if everything is correct.
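
The class of bug tracked here, shown from the defensive side as an added example that is not part of the bug report or of honeyd's test.sh (which this page does not show): two ways for a script to create a log file without writing through a link someone else placed at a predictable name. All file names and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed names; this is not honeyd's test.sh.

# Create $1 only if nothing is there yet. With noclobber (set -C) the shell
# refuses an existing regular file and opens a missing one with O_EXCL, so a
# pre-planted symlink (dangling or not) is never written through. The subshell
# keeps the option and the failed redirection away from the caller.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Create a log with an unpredictable name in directory $1 and print its path.
# mktemp creates the file exclusively, readable by the owner only.
create_unpredictable() {
    mktemp "$1/honeyd-test.XXXXXX"
}

# Exercise both helpers in a private sandbox directory that holds a link at
# the predictable name "test.log" pointing at another file ("victim").
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'keep me\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/test.log"

    # Exclusive creation must refuse the path instead of following the link.
    if create_exclusive "$sandbox/test.log"; then excl=followed; else excl=refused; fi

    # The unpredictable name must be a fresh regular file, not a link.
    log=$(create_unpredictable "$sandbox") || return 1
    if [ -f "$log" ] && [ ! -L "$log" ]; then fresh=regular; else fresh=unexpected; fi

    # The file behind the link must be untouched.
    content=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    echo "$excl $fresh $content"
}

demo
```

Moving the logs to /var/log, as the patch described above does, addresses the same problem from the other side: that directory is normally not writable by unprivileged local users, so they cannot place a link there in advance.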
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:41:04 UTC
Arches, please test and mark stable:
=net-analyzer/honeyd-1.5c-r1
Target keywords : "amd64 sparc x86"
Comment 3 Markus Meier gentoo-dev 2008-09-20 13:02:26 UTC
amd64/x86 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-09-20 13:47:52 UTC
sparc stable, closing
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-09-20 14:45:32 UTC
D'oh, sorry
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-25 18:27:41 UTC
time for glsa decision, I vote yes.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-18 20:31:39 UTC
YES too, request filed.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-13 13:38:19 UTC
GLSA 200812-12, thanks everyone, sorry about the "delay".