
Bug 65647

Summary: media-libs/netpbm: temporary file bugs
Product: Gentoo Security
Reporter: Alin Năstac (RETIRED) <mrness>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0146
Whiteboard: B3 [glsa] koon
Package list:
Runtime testing required: ---

Description Alin Năstac (RETIRED) gentoo-dev 2004-09-28 00:47:33 UTC
 Package name:           netpbm
 Advisory ID:            MDKSA-2004:011-1
 Date:                   September 27th, 2004
 Original Advisory Date: February 11th, 2004
 Affected versions:      10.0, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A number of temporary file bugs have been found in versions of NetPBM.
 These could allow a local user the ability to overwrite or create
 files as a different user who happens to run one of the vulnerable
 utilities.

Update:

 The patch applied made some calls to the mktemp utility with an
 incorrect parameter which prevented mktemp from creating temporary
 files in some scripts.
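The advisory names two distinct problems: utilities that create temporary files under predictable names, and a fix whose mktemp call was given a wrong parameter so that mktemp failed and some scripts carried on without a usable file. The following POSIX shell is an added illustration, not netpbm's own scripts (the tool name `pnmtool` and the helper names are invented): it shows the weak pattern beside the mktemp-based one, checks mktemp's exit status so a failed call aborts instead of continuing with an empty path, and verifies the created file before trusting it.

```shell
#!/bin/sh
# Added example, not netpbm's own scripts: the two temporary-file patterns
# behind the advisory, in a minimal shell utility. Names here are invented.

# Weak pattern: a predictable name in a shared, world-writable directory.
# The PID is guessable, the file is created with the umask's default mode,
# and the shell follows a pre-existing symlink when it opens the path.
# Shown only to identify the defect the advisory describes; do not use it.
weak_tmp_name() {
    printf '%s\n' "${TMPDIR:-/tmp}/pnmtool.$$"
}

# Fixed pattern: mktemp creates the file itself, atomically (O_EXCL) and
# with mode 0600, from a template with enough X's. The exit status is
# checked so that a mktemp failure (for example the bad template parameter
# the advisory's update mentions) aborts instead of continuing with an
# empty path.
secure_tmp_file() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/pnmtool.XXXXXX") || return 1
    [ -n "$tmp" ] || return 1
    printf '%s\n' "$tmp"
}

# Defensive check before trusting a temp path: it must be a regular file
# (not a symlink), owned by the caller, with mode 0600 exactly.
# find(1) run on the path itself, without -L, tests the link, not its target.
tmp_is_safe() {
    [ -n "$1" ] || return 1
    [ -n "$(find "$1" ! -type l -type f -user "$(id -un)" -perm 0600 2>/dev/null)" ]
}

# Small end-to-end run: create, verify, use, and clean up the temp file.
# Returns 0 on success; the temp file is removed on every exit path.
demo_tmp_workflow() {
    f=$(secure_tmp_file) || return 1
    if ! tmp_is_safe "$f"; then rm -f "$f"; return 1; fi
    printf 'P1\n1 1\n0\n' > "$f"   # constructed one-pixel PBM image as payload
    lines=$(wc -l < "$f" | tr -d ' ')
    rm -f "$f"
    [ "$lines" -eq 3 ]
}
```

The check in `tmp_is_safe` is what the advisory's scenario hinges on: if an attacker-controlled symlink already sits at the path, a regular-file test that follows links would pass, while testing the link itself fails it. Checking mktemp's exit status is the second lesson: a script that ignores it proceeds with an empty variable, and `> "$tmp"` then fails or writes somewhere unintended.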
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-28 01:01:20 UTC
graphics please confirm and provide a fixed ebuild if necessary.

Mandrake Advisory here:

http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:011-1
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-29 22:21:54 UTC
Version 10 is unaffected by this. Graphics please patch 9.12 or advise which version above 9.20 to mark stable.
Comment 3 Philip Walls (RETIRED) gentoo-dev 2004-09-30 07:03:55 UTC
Since 10.20 is already stable on amd64 and ppc64, can we try stabilizing other arches on this version? It's been around since February 2004
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-30 07:54:52 UTC
Yes I think we should have all arches mark a version (>=10.0) of their choice stable, so that we can get rid of the last 9.x version. Most arches already have.

Calling missing arches: hppa mips ppc sparc x86
Please test and mark 10.20 (or any other >=10 version) stable.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-30 12:16:58 UTC
sparc stable.
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-10-01 10:27:50 UTC
stable on ppc
Comment 7 Jochen Maes (RETIRED) gentoo-dev 2004-10-02 03:47:40 UTC
forgot to remove it :-)
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2004-10-02 14:29:39 UTC
10.20 stable on x86
Comment 9 SpanKY gentoo-dev 2004-10-02 21:58:04 UTC
hppa/ia64 stable
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-10-03 06:30:08 UTC
I'll draft the GLSA
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 10:33:41 UTC
GLSA 200410-02