
Bug 66359

Summary: app-crypt/mit-krb5: Insecure tempfile handling
Product: Gentoo Security
Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: aliz, rphillips
Priority: Highest
Version: unspecified
Hardware: All
OS: All
URL: http://www.securityfocus.com/advisories/7263
Whiteboard: B3 [stable+ x86] lewk
Package list:
Runtime testing required: ---
Attachments:
  kerberos5-1.3.4-tempfile.patch (flags: none)

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:29:54 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
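The attack class the advisory describes, as an added illustration that is not the Trustix patch and not code from mit-krb5 or from this bug: a script builds a guessable temporary file name (here from its PID, a common pattern in scripts of that era) and opens it with a plain redirection, so a local attacker who pre-creates a symlink at that path gets the script's write redirected into any file the invoking user can write. The hardened variant uses mktemp(1), which creates a randomly named file with O_CREAT|O_EXCL so a pre-planted path is never reused. The sandbox directory, the "victim" file and the script name are hypothetical, and everything stays inside a private directory rather than the real /tmp.

```shell
#!/bin/sh
# Added illustration of the advisory's attack class; not the Trustix patch and
# not code from mit-krb5. Everything runs inside a private sandbox directory,
# never in the real /tmp. Filenames and the "victim" file are hypothetical.
set -u

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# Hypothetical file writable by the user who runs the script (root, in the
# advisory's scenario); this is what the attacker wants clobbered.
VICTIM="$SANDBOX/victim.conf"
setup_victim() {
    printf 'original contents\n' > "$VICTIM"
}

# Vulnerable pattern: a guessable temp name built from the PID, opened with a
# plain > redirection. open(2) without O_EXCL happily follows a symlink that
# is already sitting at that path.
vulnerable_write() {
    tmp="$SANDBOX/script.$$"
    printf 'scratch data\n' > "$tmp"
    rm -f "$tmp"
}

# Hardened pattern: mktemp(1) picks a random name and creates the file with
# O_CREAT|O_EXCL, so a path the attacker pre-created is never reused.
hardened_write() {
    tmp=$(mktemp "$SANDBOX/script.XXXXXX") || return 1
    printf 'scratch data\n' > "$tmp"
    rm -f "$tmp"
}

# Local attacker's move: plant a symlink at the name the script is expected
# to use. PIDs are small and sequential, so guessing or pre-seeding them is
# cheap; in this single-process demo the attacker simply knows $$.
attacker_plant() {
    rm -f "$SANDBOX/script.$$"
    ln -s "$VICTIM" "$SANDBOX/script.$$"
}

# Returns 0 if the victim file still holds its original contents.
victim_intact() {
    [ "$(cat "$VICTIM")" = "original contents" ]
}

# Returns 0 when the attack succeeded against the vulnerable writer.
demo_vulnerable() {
    setup_victim
    attacker_plant
    vulnerable_write
    ! victim_intact
}

# Returns 0 when the hardened writer left the victim untouched.
demo_hardened() {
    setup_victim
    attacker_plant
    hardened_write
    victim_intact
}

if demo_vulnerable; then echo "PID-based tempfile: victim clobbered"; fi
if demo_hardened;   then echo "mktemp tempfile:    victim intact"; fi
```

The point of the check is the O_EXCL create, not the randomness alone: even if an attacker could guess a mktemp name, creation fails rather than following a symlink, and the script gets an error instead of a redirected write. Scripts that must keep using a fixed path should at least refuse to proceed when the path already exists or is not a regular file.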
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:30:52 UTC
Created attachment 41098
kerberos5-1.3.4-tempfile.patch

Trustix patch to fix insecure tempfile handling
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:31:55 UTC
aliz/rphillips,

please verify and apply patch if necessary.
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2004-10-14 15:33:10 UTC
Reference: http://www.securityfocus.com/advisories/7263

The patch applies cleanly to 1.3.4 and 1.3.5.  1.3.4-r1 needs to be tested on all arches, but 1.3.5-r1 has been created also and should remain unstable.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-10-14 17:07:57 UTC
archs, please mark mit-krb5-1.3.4-r1 stable.
Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-10-15 03:12:40 UTC
stable on ppc
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-15 03:47:18 UTC
Stable on alpha.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-10-15 07:30:57 UTC
Stable on sparc.
Comment 8 Danny van Dyk (RETIRED) gentoo-dev 2004-10-16 07:21:41 UTC
stable on amd64.
Comment 9 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 15:04:50 UTC
Stable on mips.
Comment 10 Akinori Hattori gentoo-dev 2004-10-17 05:54:46 UTC
Stable on ia64.
Comment 11 Tom Gall (RETIRED) gentoo-dev 2004-10-18 21:22:41 UTC
stable on ppc64
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-19 00:47:18 UTC
GLSA blocked by missing x86 keyword... Could maintainer or x86 arch test and mark stable?
Comment 13 Guy Martin (RETIRED) gentoo-dev 2004-10-20 04:55:42 UTC
Done on hppa.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-10-25 06:22:46 UTC
klieber marked stable on x86.
arm and s390 should mark stable to benefit from GLSA.

GLSA 200410-24