| Field | Value |
|---|---|
| Summary | <dev-python/logilab-common-0.61.0 : Two Insecure Temporary File Creation Security Issues (CVE-2014-{1838,1839}) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | python |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://secunia.com/advisories/56720/ |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2014-01-31 08:54:34 UTC
Upstream have responded to the Debian issue and we may grab those two patches as is.

Thank you for looking into it. Would you be able to link to the patches or relevant upstream bug? That would be great.

(In reply to yegle from comment #1)
> Upstream have responded to the Debian issue and we may grab those two
> patches as is.

(In reply to Dirkjan Ochtman from comment #2)
> Thank you for looking into it. Would you be able to link to the patches or
> relevant upstream bug? That would be great.

Is this them?
http://www.logilab.org/revision/207574
http://www.logilab.org/revision/210454

Yeah, that looks right, thanks!

*logilab-common-0.60.1-r1 (27 Mar 2014)

  27 Mar 2014; Ian Delaney <idella4@gentoo.org>
  +files/logilab-common-sec-CVE-2014-1838-9.patch,
  +logilab-common-0.60.1-r1.ebuild, -logilab-common-0.59.1.ebuild,
  -logilab-common-0.60.0.ebuild, -logilab-common-0.60.1.ebuild,
  logilab-common-0.61.0.ebuild:
  revbump; sec fix wrt sec Bug #499872, rm old unstable versions

So;
1. Unstable old affected versions removed.
2. Only stable == logilab-common-0.58.1.ebuild
3. The logilab-common-0.61.0.ebuild has already had the changes applied.

Either 0.60.1-r1 or 0.61.0 can be made stable. Selecting 0.61.0 will make these fresh additions un-needed. Either can do, however I'd favour 0.61.0 since it has py3 support.

Let's stabilize 0.61.0, please.

CVE-2014-1839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1839):
The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.

CVE-2014-1838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1838):
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allow local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.

amd64 stable

x86 stable

ppc stable.

Maintainer(s), please cleanup. Security, please vote.
  07 Apr 2014; Ian Delaney <idella4@gentoo.org>
  -files/logilab-common-0.59.0-syntax.patch,
  -files/logilab-common-0.59.0-utf8-test.patch,
  -files/logilab-common-sec-CVE-2014-1838-9.patch,
  -logilab-common-0.58.1.ebuild, -logilab-common-0.60.1-r1.ebuild:
  rm old ebuilds & patches wrt sec bug #499872

done

GLSA vote: no.

GLSA vote: no

Closing as noglsa
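The two CVEs in this bug describe the classic temporary-file races: a name from tempfile.mktemp() that is only opened later, and a fixed path under /tmp that a pre-planted symlink can redirect. As an added example (not code from logilab-common, the upstream patches, or this bug), the race-free pattern a fix uses, with a self-contained check that a planted symlink is refused rather than followed; the function names and the private scratch directory are assumptions.

```python
import os
import shutil
import tempfile

def write_fdf_safely(data: bytes) -> str:
    # Replacement for the mktemp() pattern behind CVE-2014-1839: mktemp() only
    # hands back a name, and another local user can create or symlink that path
    # before it is opened.  mkstemp() creates the file atomically (O_EXCL, 0600).
    fd, path = tempfile.mkstemp(prefix="logilab-", suffix=".fdf")
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def open_fixed_path_safely(path: str, data: bytes) -> bool:
    # For code that insists on a fixed name (the /tmp/toto.fdf case of
    # CVE-2014-1838): O_EXCL refuses any existing entry, symlinks included, and
    # O_NOFOLLOW adds defence in depth.  Returns False instead of clobbering.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def demo_symlink_scenario() -> dict:
    # Constructed scenario in a private scratch directory (no real /tmp): a
    # symlink named toto.fdf already points at a victim file (the advisory's precondition).
    d = tempfile.mkdtemp()
    try:
        victim = os.path.join(d, "victim.txt")
        fixed = os.path.join(d, "toto.fdf")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, fixed)
        refused = not open_fixed_path_safely(fixed, b"clobber")
        with open(victim, "rb") as f:
            victim_after = f.read()
        os.unlink(fixed)  # planted link removed; creation now succeeds
        created_clean = open_fixed_path_safely(fixed, b"%FDF-1.2")
    finally:
        shutil.rmtree(d)
    return {"refused": refused, "victim_after": victim_after,
            "created_clean": created_clean}
```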