
Bug 363887 (CVE-2011-3618)

Summary: <sys-process/atop-1.27_p3: Insecure temporary file usage (CVE-2011-3618)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexanderyt, base-system, sping
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-04-16 21:31:17 UTC
According to the debian bug at $URL and the atop man page, atop creates temporary files insecurely. From $URL there is partial information:

"I've just noticed that atop keeps the runtime data in /tmp/atop* directories
or files (mentioned on man page too). I think it was established from a 
discussion on debian-devel@l.d.o that this is potentially a security
vulnerability. Probably it should keep its temporary runtime data in its own
directory under /var/run (or /run for next release)."
Comment 1 Sebastian Pipping gentoo-dev 2012-01-09 21:21:39 UTC
Adding CVE found at https://bugzilla.redhat.com/show_bug.cgi?id=745479
Comment 2 Sebastian Pipping gentoo-dev 2012-01-09 21:46:21 UTC
+*atop-1.26-r1 (09 Jan 2012)
+
+  09 Jan 2012; Sebastian Pipping <sping@gentoo.org> +atop-1.26-r1.ebuild,
+  +files/atop-1.26-cve-2011-3618.patch:
+  Integrate custom patch for CVE-2011-3618 (bug #363887)
+

1) Stabilize 1.26-r1 ?

2) Review wanted: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-process/atop/files/atop-1.26-cve-2011-3618.patch?view=markup
Comment 3 Sebastian Pipping gentoo-dev 2012-01-09 21:59:14 UTC
FYI I have notified upstream (Gerlof Langeveld) of the patch and issue.
Comment 4 SpanKY gentoo-dev 2012-01-13 19:20:28 UTC
this should be respecting $TMPDIR instead of hardcoding /tmp

alternatively, you could create a pipe, fork and exec gzip, and then return the read pipe side.  then you avoid the tempfile issue altogether.
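Both fixes suggested in comment 4, written out as an added C example (this is illustrative code, not the Gentoo patch or atop's own source): `secure_tmpfile()` honours `$TMPDIR` and creates the file with `mkstemp()` instead of a predictable `/tmp/atop*` name, and `spawn_reader()` forks a child (e.g. `gzip -dc file`) with its stdout on a pipe and returns the read end, so no temporary file exists at all. Function names and the `atop.XXXXXX` template are assumptions made here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fix 1: scratch file under $TMPDIR (fallback /tmp), created atomically by
 * mkstemp() with O_CREAT|O_EXCL and mode 0600, so a pre-placed symlink or
 * file at a guessable name cannot be followed or clobbered.
 * Returns the open fd (or -1, errno set); path_out receives the name. */
int secure_tmpfile(char *path_out, size_t len)
{
    const char *dir = getenv("TMPDIR");         /* assumption: name template below */
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path_out, len, "%s/atop.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);                   /* -1 on failure, errno set */
}

/* Fix 2: no temp file at all. Run argv (e.g. {"gzip","-dc",file,NULL}) in a
 * child with stdout on a pipe and hand the read end back to the caller, who
 * reads the stream and later waitpid()s on *pid_out. Returns fd or -1. */
int spawn_reader(char *const argv[], pid_t *pid_out)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                             /* child: stdout -> pipe */
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                             /* exec failed */
    }
    close(fds[1]);                              /* parent keeps read end only */
    *pid_out = pid;
    return fds[0];
}
```

The test below exercises `spawn_reader()` with `echo` rather than `gzip` so it runs without a compressed input file; the pipe plumbing is identical.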
Comment 5 Sebastian Pipping gentoo-dev 2012-07-23 11:59:02 UTC
FYI Upstream has released 1.27-3 yesterday, which includes the patch from comment #2.

+*atop-1.27_p3 (23 Jul 2012)
+
+  23 Jul 2012; Sebastian Pipping <sping@gentoo.org> +atop-1.27_p3.ebuild:
+  Bump to 1.27-3
+
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-26 12:47:40 UTC
Thanks, Sebastian.

Arches, please test and mark stable:
=sys-process/atop-1.27_p3
Target KEYWORDS="~alpha amd64 hppa ppc x86"
Comment 7 Yixun Lan archtester gentoo-dev 2012-07-26 14:40:33 UTC
Archtested on x86: Everything fine
Comment 8 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-07-26 17:16:27 UTC
amd64: ok (builds, runs)
repoman complains about "RDEPEND is not explicitly assigned"
atop seems to require zlib and ncurses to run
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-07-26 19:20:13 UTC
Stable for HPPA.
Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-27 05:33:43 UTC
x86 stable, thanks dlan.
Comment 11 Richard Freeman gentoo-dev 2012-07-27 15:25:43 UTC
amd64 stable 

Probably best to address any QA issues after-the-fact since this is a security bug.
Comment 12 Anthony Basile gentoo-dev 2012-07-27 19:58:29 UTC
Stable ppc64

I also keyworded ~arm.  I will probably also keyword ~ppc64 and ~mips.  This package is useful on all arches.
Comment 13 Anthony Basile gentoo-dev 2012-07-27 20:15:12 UTC
(In reply to comment #12)
> Stable ppc64

Bah!  I mean stable ppc.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-27 20:51:10 UTC
Thanks, everyone.

GLSA vote: no.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:09:50 UTC
Thanks, folks. GLSA Vote: no too. Closing noglsa.