Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 237483 (CVE-2008-3929)

Summary: www-apps/ampache <3.4.3 gather-messages.sh insecure temporary file creation (CVE-2008-3929)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: marineam
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 14:01:31 UTC 
CVE-2008-3929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3929):
  gather-messages.sh in Ampache 3.4.1 allows local users to overwrite
  arbitrary files via a symlink attack on temporary files.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 11:50:50 UTC 
ampache-3.4.3 is in the tree.

Targets:

  amd64 ppc x86
Comment 2 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-09-17 20:16:19 UTC 
amd64 stable.
Comment 3 Markus Meier gentoo-dev 2008-09-17 20:28:47 UTC 
x86 stable
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:54:38 UTC 
ppc stable
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:58:35 UTC 
glsa decision, voting YES.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:30:41 UTC 
Removed ampache-3.3.3.5. Webapps done.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:37:55 UTC 
YES too, request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 22:26:37 UTC 
GLSA 200812-22