
Bug 26715

Summary: app-emacs/liece
Product: Gentoo Linux
Component: New packages
Reporter: Daniel Ahlberg (RETIRED) <aliz>
Assignee: Gentoo Security <security>
CC: usata
Status: RESOLVED FIXED
Severity: critical
Priority: Highest
Version: 1.0
Hardware: All
OS: Linux

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-16 07:32:06 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 341-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
July 7th, 2003                          http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : liece 
Vulnerability  : insecure temporary file 
Problem-Type   : local 
Debian-specific: no 
 
liece, an IRC client for Emacs, does not take appropriate security 
precautions when creating temporary files.  This bug could potentially 
be exploited to overwrite arbitrary files with the privileges of the 
user running Emacs and liece, potentially with contents supplied 
by the attacker.
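
The overwrite risk the advisory describes, shown as an added Python example; it is not part of the advisory, the bug report or liece's code. The page does not say how liece created its temporary files, so the fixed name `client.tmp`, the sandbox layout and all function names are assumptions made for illustration.

```python
import os
import tempfile

def write_predictable(path, data):
    # Risky pattern: a guessable name opened with plain open(), which follows symlinks.
    with open(path, "w") as fh:
        fh.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails if anything, symlink included, already exists at path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def write_mkstemp(directory, data):
    # mkstemp picks an unpredictable name and creates it exclusively with mode 0600.
    fd, path = tempfile.mkstemp(prefix="demo-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    # Constructed scenario, confined to a private sandbox directory.
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")    # stands in for a user's file
        shared = os.path.join(sandbox, "shared-tmp")    # stands in for a shared /tmp
        os.mkdir(shared)
        guessable = os.path.join(shared, "client.tmp")  # hypothetical fixed temp name
        write_exclusive(victim, "original")
        os.symlink(victim, guessable)                   # link already present at write time
        write_predictable(guessable, "clobbered")
        after_unsafe = read(victim)                     # write landed in the link target

        write_predictable(victim, "original")           # restore for the next case
        try:
            write_exclusive(guessable, "clobbered")
            refused = False
        except FileExistsError:
            refused = True
        after_exclusive = read(victim)
        mode = os.stat(write_mkstemp(shared, "scratch")).st_mode & 0o777
        return after_unsafe, refused, after_exclusive, mode

if __name__ == "__main__":
    print(demo())
```

The first writer changes the user's file through the link, the exclusive open refuses to touch it, and `mkstemp` avoids the guessable name altogether.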
Comment 1 Mamoru KOMACHI (RETIRED) gentoo-dev 2003-08-17 12:29:46 UTC
I committed liece-1.4.10-r1.ebuild (liece-1.4.10.ebuild is the
latest stable) to fix insecure temporary file creation.  I also added
liece-2.0.0_alpha20030526.ebuild (alpha version of CVS snapshot),
which doesn't seem to have the security hole.  I'm working on patching
up liece-1.4.7.ebuild but I fail to run liece-1.4.7.ebuild, so it will
need some time to fix.  (Should I mask it in package.mask for a while?)
Comment 2 solar (RETIRED) gentoo-dev 2003-09-22 00:17:13 UTC
Mamoru, 
Thanks for fixing this bug. I don't really see us sending out a GLSA after all this time if one has not already been sent.
I'm changing resolution to FIXED.