
Bug 297377 (CVE-2009-4193)

Summary: <sci-geosciences/merkaartor-0.17.2: symlink attack (CVE-2009-4193)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: hanno, j-pi, jlec, sci-geosciences
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 296279

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:20:31 UTC
CVE-2009-4193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4193):
  Merkaartor 0.14 allows local users to append data to arbitrary files
  via a symlink attack on the /tmp/merkaartor.log temporary file.
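The weakness the CVE text describes is a fixed log path in a world-writable directory opened in append mode (fopen(path, "a")), which follows any symlink another local user has planted there. The hardened opener below is an added example, not Merkaartor's source; the directory name, file names and self-check scenario are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for fopen("/tmp/merkaartor.log", "a"): O_NOFOLLOW makes
 * open() fail with ELOOP when the final path component is a symlink, and the
 * fstat() checks reject anything that is not a plain, single-link file owned
 * by the caller. Returns a descriptor >= 0, or -1 on refusal or error. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: in a fresh private directory, create a symlink named like
 * the Merkaartor log and confirm the hardened opener refuses it while still
 * accepting a new regular file. Returns 1 when both hold, 0 otherwise. */
int self_check(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", target[64], link[64], fresh[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/merkaartor.log", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);
    int ok = 0, t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t >= 0 && symlink(target, link) == 0) {
        int via_link = open_log_safe(link), direct = open_log_safe(fresh);
        ok = (via_link < 0 && direct >= 0);   /* symlink refused, file accepted */
        if (direct >= 0) close(direct);
    }
    if (t >= 0) close(t);
    unlink(link); unlink(target); unlink(fresh); rmdir(dir);
    return ok;
}
```

Keeping the log out of shared directories altogether (for example under the user's own home or runtime directory) removes the precondition entirely; the checks above are the fallback when a shared path cannot be avoided.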
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:21:12 UTC
No stable ebuild, so it's just ~3.
Comment 2 Thilo Bangert (RETIRED) gentoo-dev 2010-01-17 13:12:58 UTC
0.14 is not even in the tree yet.
Leaving open and blocking the 0.14 bump request.

more links:
https://bugzilla.redhat.com/show_bug.cgi?id=544284
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546
http://trac.openstreetmap.org/ticket/2320
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2010-06-24 11:45:18 UTC
Still valid for versions >0.14?
There is another bump request for 0.16.1 #311127
Comment 4 Pinky 2010-09-22 09:39:54 UTC
It seems fixed (reported fixed in Bugzilla and my test shows that too).
Comment 5 Pinky 2011-04-18 22:37:45 UTC
Hello, someone alive?
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2011-06-09 20:33:52 UTC
0.17.2 is in main tree. No older versions around. This bug is thus not present in main tree. Feel free to close this.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:33:50 UTC
(In reply to comment #6)
> 0.17.2 is in main tree. No older versions around. This bug is thus not present
> in main tree. Feel free to close this.

Great, thanks. Closing noglsa for ~arch only package.