
Bug 54890

Summary: app-arch/gzip: Insecure creation of temporary files
Product: Gentoo Linux
Reporter: Aron Griffis (RETIRED) <agriffis>
Component: [OLD] Core system
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chriswhite
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Aron Griffis (RETIRED) gentoo-dev 2004-06-23 07:39:27 UTC
Bug 22483 describes a security issue with tempfile creation in znew and gzexe.  That problem was theoretically fixed and a glsa sent out.

However the patch doesn't check the exit status of the tempfile command.  If tempfile should fail, then it's possible for a rogue command to be executed a few lines later in the script.

I've fixed the patch and bumped the stable rev to 1.3.3-r3 to carry out the change.  At this point we just need a GLSA.  Somebody from security mind handling that?
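The defect described above, shown as an added illustration that is not part of the bug report or of gzip's scripts: the unchecked pattern assigns the temp-file name and carries on even when the helper fails, while the checked pattern aborts before any later command can run with an empty name. The example assumes mktemp(1) is available in place of tempfile; failing_tempfile is a constructed stand-in used to exercise the error path.

```shell
#!/bin/sh
# Added example, not gzip's own znew/gzexe code. Assumes mktemp(1) exists.

# Constructed stand-in for a temp-file helper that fails (e.g. full or
# unwritable TMPDIR), so the error path can be exercised deterministically.
failing_tempfile() {
    return 1
}

# Unchecked pattern (the defect in the original patch): the assignment is
# never tested, so on failure $tmp is empty and the script continues to the
# commands that use it.
unchecked_tmp() {
    tmp=$("$@")
    printf '%s\n' "$tmp"
    return 0
}

# Checked pattern: fail closed if the helper returns non-zero or an empty
# name, so no later command is ever run against a missing temp file.
checked_tmp() {
    tmp=$("$@") || return 1
    [ -n "$tmp" ] || return 1
    printf '%s\n' "$tmp"
}
```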
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-23 11:18:17 UTC
GLSA drafted
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-24 06:52:52 UTC
GLSA updated with unaffected version -r4 and better description. Security please review.

Note: Changelog is not updated with new -r4
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-06-24 08:14:46 UTC
glsa 200406-18
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-06-24 12:16:43 UTC
> Note: Changelog is not updated with new -r4

That was a ChangeLog error: it said -r3 instead of -r4.  I just fixed it now.