Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 367891 (CVE-2011-1920)

Summary: <sys-devel/pmake-1.111.3.1: Insecure temporary file usage (CVE-2011-1920)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alexanderyt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-05-18 02:30:30 UTC 
From the Debian bug at $URL:

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

...

Even though the Debian bug says that upstream is not affected, I just checked our =sys-devel/pmake-1.111.1-r1 and it looks affected.
Comment 1 Alexis Ballier gentoo-dev 2011-07-07 20:17:52 UTC 
pmake-1.111.3.1 has the fix
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-08 04:29:27 UTC 
(In reply to comment #1)
> pmake-1.111.3.1 has the fix

Great, thanks.

Arches, please test and mark stable:
=sys-devel/pmake-1.111.3.1
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-07-08 04:49:05 UTC 
amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-07-08 10:19:24 UTC 
ditto
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-07-08 11:48:54 UTC 
x86 stable. Thanks
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-09 07:38:07 UTC 
ppc/ppc64 stable
Comment 7 Markus Meier gentoo-dev 2011-07-10 10:32:00 UTC 
arm stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-07-10 14:21:05 UTC 
amd64 done. Thanks Agostino and Ian
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-07-10 14:28:41 UTC 
alpha/ia64/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 14:50:03 UTC 
Thanks, folks. GLSA Vote: yes.
Comment 11 Naohiro Aota gentoo-dev 2011-08-05 12:01:21 UTC 
Have this gone to GLSA or not yet? Is there any actions bsd team should take?
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 17:25:35 UTC 
(In reply to comment #11)
> Have this gone to GLSA or not yet? Is there any actions bsd team should take?

Hi, Naohiro.

There is no action for the bsd team. The security team has it from here. Thanks.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:19:31 UTC 
Vote: YES. New GLSA request filed.
Comment 14 Alexis Ballier gentoo-dev 2013-08-27 18:14:46 UTC 
nothing left to do for bsd
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 11:50:58 UTC 
This issue was resolved and addressed in
 GLSA 201310-17 at http://security.gentoo.org/glsa/glsa-201310-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).