| Field | Value |
|---|---|
| Summary | app-editors/gummi-0.6.6: insecure use of /tmp (CVE-2015-7758) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| CC | christian.tietz, hwoarang, proxy-maint |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2015/10/08/4 |
| Whiteboard | B4 [noglsa] |
| Package list | (empty) |
| Runtime testing required | --- |
Description
Agostino Sarubbo

Hmm, I think the project may be somewhat dead but it may not be so hard to patch it anyway.

(In reply to Markos Chandras from comment #1)
> Hmm I think the project may be somewhat dead but it may not be so hard to
> patch it anyway

Markos, do we want to patch this or tree-clean?

0.6.6 is out and fixes CVE-2015-7758 amongst other things.

https://github.com/alexandervdm/gummi

(In reply to Christian Tietz from comment #3)
> 0.6.6 is out and fixes CVE-2015-7758 amongst other things.
>
> https://github.com/alexandervdm/gummi

Well, as a proxy maintainer, the task is to supply either a full ebuild with updates, or a unified diff of the current ebuild to generate the bumped version. That is merely a link to the repo site.

(In reply to Ian Delaney from comment #4)
> (In reply to Christian Tietz from comment #3)
> > 0.6.6 is out and fixes CVE-2015-7758 amongst other things.
> >
> > https://github.com/alexandervdm/gummi
>
> well, as a proxy maintainer, the task is to supply either a full ebuild with
> updates, or a unified diff of the current ebuild to generate the bumped
> version. That is merely a link to the repo site.

As far as I can see that isn't the actual proxied maintainer though :)

As already pointed out, I'm not proxy maintainer of this package. Rather an interested user who wanted to let you know about the new release.

Created attachment 424458: gummi-0.6.6.ebuild

FWIW, I made an ebuild for 0.6.6 based on gummi-9999 (which is in portage). Builds and runs fine in my local overlay.
This is in fact a candidate for tree cleaning.

This was fixed in 0.6.5-6 upstream: http://anonscm.debian.org/cgit/debian-science/packages/gummi.git/diff/?id=7d13b0b

Still a valid candidate for tree cleaning.

@maintainers, please bump to 0.6.6. After the bump, if it is ready for stabilization please request it in this bug.

I'm just some insignificant user. However, since the actual proxied maintainer and developer apparently shares no interest in this, I would also opt for tree clean. Gummi is nice because of the live preview. However, there are good if not better and most importantly well maintained TeX editors in the tree. Please tree clean at will.

(In reply to Christian Tietz from comment #10)
> I'm just some insignificant user. However, since the actual proxied
> maintainer and developer apparently shares no interest in this, I would also
> opt for tree clean. Gummi is nice because of the live preview. However,
> there are good if not better and most importantly well maintained TeX
> editors in the tree. Please tree clean at will.

Christian, if you would like to proxy-maintain[1] the package you can do so. Just let us know and we will mark the metadata accordingly.

[1]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers

I use LaTeX almost on a daily basis; however, gummi is not my main editor. Still, I would hate to see this go, for the live preview pane is plain awesome at times. Since upstream has reappeared, not here but on GitHub, I assume it is worth keeping in the tree. Therefore, I would in fact like to proxy-maintain this to the best of my ability. So if it meets your standards, please take my ebuild from comment #7 for 0.6.6.

Created attachment 426772: gummi-0.6.6.ebuild

I polished the ebuild a little bit.
commit 47994450134a2d20c0484995a2080346f18442c2 (HEAD -> master)
Merge: 68d3cb1 2209968
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Sun Feb 28 19:04:33 2016 +0000

    Merge github#934: app-editors/gummi: version bump to 0.6.6.

    This PR updates app-editors/gummi to version 0.6.6 and fixes
    CVE-2015-7758 courtesy of Christian Tietz <christian.tietz@mailbox.org>.

    Pull-Request: https://github.com/gentoo/gentoo/pull/934
    Gentoo-Bug: https://bugs.gentoo.org/562894
    Reporter: Christian Tietz <christian.tietz@mailbox.org>
    Acked-by: Patrice Clement <monsieurp@gentoo.org>
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

Christian, feel free to call for stabilisation and CC the relevant arch teams in. Also, arch teams will expect you to clean up unsecured versions of gummi. It can also be done through a PR. Thanks.

(In reply to Christian Tietz from comment #10)
> I'm just some insignificant user. However, since the actual proxied
> maintainer and developer apparently shares no interest in this, I would also
> opt for tree clean. Gummi is nice because of the live preview. However,
> there are good if not better and most importantly well maintained TeX
> editors in the tree. Please tree clean at will.

Christian, insignificant? I think not. Thank you for the work and I hope you continue to contribute to Gentoo!

Thanks. It's a pleasure to finally contribute to your great distribution. CC'ing arches now since this is a security bug. As suggested, I'll send a new PR to clean up after stabilization.

Arches, please test and mark stable:
=app-editors/gummi-0.6.6
Target KEYWORDS="amd64 x86"

commit 615b8751bd0159031a45839dba796a249c604a3f (HEAD -> master)
Merge: 68fe8d1 91163b7
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Tue Mar 1 20:12:45 2016 +0000

    Merge github#955: app-editors/gummi: minor fixes

    This PR:
    - trims whitespaces
    - drops base.eclass

    Pull-Request: https://github.com/gentoo/gentoo/pull/955
    Gentoo-Bug: https://bugs.gentoo.org/562894
    Reporter: Christian Tietz <christian.tietz@mailbox.org>
    Acked-by: Patrice Clement <monsieurp@gentoo.org>
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

I submitted a PR to clean up.

https://github.com/gentoo/gentoo/pull/1062

(In reply to Christian Tietz from comment #21)
> I submitted a PR to clean up.
>
> https://github.com/gentoo/gentoo/pull/1062

Cleanup complete. Thanks.
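The bug summary names the vulnerability class ("insecure use of /tmp") but the thread never shows what that class looks like in code or how a reviewer checks for it. The C program below is an added illustration of the general pattern; it is not gummi's code, not the Debian patch linked above, and not the upstream 0.6.6 fix. The file name `preview.tex`, the directory layout and the payload strings are hypothetical. It contrasts a fixed, predictable path opened with `fopen("w")` (which follows a symlink another local user planted there) against `mkstemp(3)`, which creates an unpredictable name with `O_CREAT|O_EXCL` and mode 0600, and it includes the `lstat`-based check a reviewer can run against any temp file a program leaves behind. The demonstration reproduces the symlink attack inside a private scratch directory standing in for the shared `/tmp`, so it runs unprivileged and touches nothing else.

```c
/* Added example for the "insecure use of /tmp" bug class. Not gummi's code;
 * file names, directory and payloads are hypothetical. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: a fixed, predictable name in a shared directory, opened
 * with fopen("w"). open(2) follows a symlink planted at that name, so the
 * victim truncates and overwrites the link target with its own privileges. */
int write_insecure(const char *dir, const char *content)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/preview.tex", dir);  /* hypothetical name */
    FILE *f = fopen(path, "w");                          /* follows symlinks */
    if (!f)
        return -1;
    fputs(content, f);
    return fclose(f);
}

/* Hardened pattern: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, mode 0600, so a pre-planted file or symlink makes the open
 * fail rather than being followed. The real name is returned in out_path so
 * the caller can unlink it afterwards. */
int write_secure(const char *dir, const char *content, char *out_path, size_t out_len)
{
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/preview.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    const char *p = content;
    size_t left = strlen(content);
    while (left > 0) {                       /* write(2) may be partial */
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            close(fd);
            unlink(tmpl);
            return -1;
        }
        p += n;
        left -= (size_t)n;
    }
    if (close(fd) != 0) {
        unlink(tmpl);
        return -1;
    }
    snprintf(out_path, out_len, "%s", tmpl);
    return 0;
}

/* Reviewer's check for a temp file a program created: lstat (not stat) so a
 * symlink is seen as a symlink; must be a regular file owned by the calling
 * user with no group/other permission bits. Returns 1 if it passes. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))              /* rejects symlinks, dirs, fifos */
        return 0;
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))  /* anything beyond 0600 is a leak */
        return 0;
    return 1;
}

/* Reproduces the attack in a private scratch directory that stands in for /tmp.
 * Returns 1 when the insecure writer overwrote the symlink target and the
 * hardened writer produced a private regular file that is not the planted name. */
int demo_symlink_attack(void)
{
    char scratch[] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(scratch))
        return -1;

    char target[PATH_MAX], link[PATH_MAX], secure_path[PATH_MAX] = "";
    snprintf(target, sizeof target, "%s/victim-owned-file", scratch);
    snprintf(link, sizeof link, "%s/preview.tex", scratch);

    FILE *t = fopen(target, "w");            /* victim's file, constructed */
    if (!t)
        return -1;
    fputs("ORIGINAL\n", t);
    fclose(t);

    if (symlink(target, link) != 0)          /* attacker plants the symlink */
        return -1;

    int clobbered = 0;                       /* victim writes its preview */
    if (write_insecure(scratch, "PAYLOAD\n") == 0) {
        char buf[32] = "";
        FILE *r = fopen(target, "r");
        if (r) {
            if (fgets(buf, sizeof buf, r))
                clobbered = (strcmp(buf, "PAYLOAD\n") == 0);
            fclose(r);
        }
    }

    int secure_ok = write_secure(scratch, "PAYLOAD\n", secure_path, sizeof secure_path) == 0
                 && is_private_regular_file(secure_path)
                 && strcmp(secure_path, link) != 0;

    if (secure_path[0])
        unlink(secure_path);
    unlink(link);
    unlink(target);
    rmdir(scratch);
    return clobbered && secure_ok;
}

int main(void)
{
    printf("insecure writer followed symlink, secure writer did not: %d\n",
           demo_symlink_attack());
    return 0;
}
```

Build with `cc -Wall -o tmpdemo tmpdemo.c && ./tmpdemo`. The same `is_private_regular_file` check, applied with `lstat` to the paths a program actually creates under `/tmp` while it runs, is the quickest way to confirm whether a package's fix addressed the predictable-name problem rather than only the mode bits.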