
Bug 285861 (CVE-2009-4664)

Summary: <net-firewall/fwbuilder-3.0.7 Insecure temporary file creation (CVE-2009-4664)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: dev-zero, maintainer-needed
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
3.0.7-secure-mktemp.patch (flags: none)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-21 20:45:05 UTC
Upstream release notes:
Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6

3.0.7 was released to fix this issue; however, Jan Lieskovsky mentioned that the fix is not complete.
Upstream is informed. Let's wait for a reaction.
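The bug class named in the upstream release notes, a generated firewall script writing its routing configuration through a temporary file, is shown below as an added illustration. This is not fwbuilder's generated script or the attached patch; the sandbox directory, file names and route lines are constructed for the demo. It contrasts a predictable filename in a shared directory (where a pre-planted symlink redirects the write, the classic consequence of this bug class) with a file created by mktemp under a restrictive umask.

```shell
#!/bin/sh
# Added example: insecure vs. mktemp-based temporary file handling in a
# generated routing script. Not fwbuilder's code; all names are assumed.

# Private sandbox standing in for /tmp, so the demo never touches the real /tmp.
SANDBOX=$(mktemp -d) || exit 1

# Insecure pattern: a fixed, predictable filename. The '>' redirection follows
# whatever already sits at that path, including a symlink planted by another user.
insecure_write_routes() {
    routes_tmp="$SANDBOX/fwb_routes.tmp"
    printf '%s\n' "$1" > "$routes_tmp" || return 1
    echo "$routes_tmp"
}

# Hardened pattern: mktemp creates a fresh file with an unpredictable name,
# O_EXCL semantics and mode 0600; umask 077 keeps the write itself private.
secure_write_routes() {
    old_umask=$(umask)
    umask 077
    routes_tmp=$(mktemp "$SANDBOX/fwb_routes.XXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    printf '%s\n' "$1" > "$routes_tmp" || { rm -f "$routes_tmp"; return 1; }
    echo "$routes_tmp"
}

# Simulated attacker: plant a symlink at the predictable name, pointing at a
# file the script's caller can write. Prints the victim path.
plant_symlink() {
    victim="$SANDBOX/victim"
    printf 'original\n' > "$victim"
    ln -sf "$victim" "$SANDBOX/fwb_routes.tmp"
    echo "$victim"
}

# True if the victim file no longer holds its original content.
victim_clobbered() {
    [ "$(cat "$SANDBOX/victim")" != "original" ]
}

# True if the path is a regular file (not a symlink) with mode exactly 0600.
is_private_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Stand-alone run: show both outcomes.
demo() {
    route='ip route add 10.0.0.0/8 via 192.168.1.1'   # constructed sample line
    victim=$(plant_symlink)
    insecure_write_routes "$route" >/dev/null
    if victim_clobbered; then
        echo "insecure: symlink followed, $victim overwritten"
    fi
    f=$(secure_write_routes "$route")
    if is_private_regular_file "$f"; then
        echo "secure: wrote private regular file $f"
    fi
}

demo
```

The predictable name is the whole problem: the attacker needs no race, only a symlink created before the script runs. The hardened version also restores the caller's umask, so it can be dropped into a larger script without changing how later files are created.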
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2009-11-12 09:34:50 UTC
Created attachment 209994

I just did a version bump including a patch written by me to fix the security issue.
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2009-11-12 09:35:51 UTC
Package compiles and runs fine here with the mentioned patch.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:29:45 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-03-08 17:43:39 UTC
ppc64 done
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-08 17:59:54 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2010-03-08 20:15:53 UTC
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:55:16 UTC
Marked ppc stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:15:56 UTC
glsa request filed.
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2011-03-30 20:52:37 UTC
All affected versions removed from tree
Comment 10 Joshua Kinard gentoo-dev 2011-12-24 19:48:03 UTC
fwbuilder-3.0.7 is no longer in the tree. Closing as OBSOLETE.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:24:53 UTC
Please do not close security bug--we need to publish a GLSA for this--thanks.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:37:10 UTC
This issue was resolved and addressed in GLSA 201201-11 by GLSA coordinator Sean Amoss (ackle).