|Summary:|sys-apps/groff: Insecure tmpfile use|
|Product:|Gentoo Security|
|Reporter:|Thierry Carrez (RETIRED) <koon>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Whiteboard:|B3 [glsa] koon|
|Package list:||
|Runtime testing required:|---|
Description Thierry Carrez (RETIRED) 2004-10-21 07:55:36 UTC
CAN-2004-0969 The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
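The bug class named in CAN-2004-0969, shown as an added example in a throwaway sandbox; this is not groffer's code and not the Debian or RedHat patch. The file name `prog.1234` and the functions `unsafe_write`, `safe_write` and `demo` are hypothetical, and `mktemp` is used here as one common hardening, which the page does not say the actual fix uses.

```shell
#!/bin/sh
# Constructed sandbox: everything lives under a private mktemp -d directory.

# Unsafe pattern: predictable name (a PID-style suffix) plus a plain
# redirection. The shell opens the path without O_EXCL, so an existing
# symlink at that name is followed and its target is truncated.
unsafe_write() {   # $1 = temp dir, $2 = predictable suffix (stands in for $$)
    tmp="$1/prog.$2"
    echo "scratch data" > "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so it fails instead of reusing a name that already exists.
safe_write() {     # $1 = temp dir; prints the path it created
    tmp=$(mktemp "$1/prog.XXXXXXXXXX") || return 1
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Regression check: a symlink already sits at the predictable name and points
# at a file the script must never touch. Prints "intact" or "clobbered".
demo() {           # $1 = unsafe | safe
    box=$(mktemp -d) || return 1
    echo "important" > "$box/victim"
    mkdir "$box/tmp"
    ln -s "$box/victim" "$box/tmp/prog.1234"
    case $1 in
        unsafe) unsafe_write "$box/tmp" 1234 ;;
        safe)   safe_write "$box/tmp" > /dev/null ;;
    esac
    if [ "$(cat "$box/victim")" = "important" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$box"
}

printf 'predictable name: %s\n' "$(demo unsafe)"
printf 'mktemp:           %s\n' "$(demo safe)"
```

The same check can be pointed at any script that builds temp paths from `$$` or a fixed name in a world-writable directory.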
Comment 1 Thierry Carrez (RETIRED) 2004-10-21 08:04:30 UTC
Patch on RedHat bug doesn't apply to our groffer either... but it looks vulnerable nevertheless. Maybe we should wait for RedHat to patch and see if it applies?
Comment 2 Thierry Carrez (RETIRED) 2004-10-28 00:52:15 UTC
The 1.19 patch posted on the RedHat bug (see URL) should apply to 1.19-r1. Then we could push 1.19 to stable on all arches. It's probably simpler than backporting the fix for 1.18. base-system/vapier: please have a look :)
Comment 3 SpanKY 2004-10-28 19:45:08 UTC
umm, we don't have 1.19-r1 we have 1.19.1-r1 ... and don't lie to me, but that patch doesn't even come CLOSE to applying cleanly to 1.19.1-r1 ;)
i just moved 1.19.1-r1 to stable for unrelated reasons, and many other arches already have it as stable ... current KEYWORDS:
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86"
figure out what you wanna do :)
Comment 4 Thierry Carrez (RETIRED) 2004-10-29 00:45:04 UTC
heh, blame Mark Cox :)
Comment 5 Matthias Geerdsen (RETIRED) 2004-11-02 02:27:44 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278265 Debian bug report with backported patch
Comment 6 Thierry Carrez (RETIRED) 2004-11-02 05:48:41 UTC
Created attachment 43158 Patch from Debian
Patch from Debian bug. Applies correctly:
patching file contrib/groffer/groffer.sh
Hunk #1 succeeded at 3217 (offset -11 lines).
Comment 7 SpanKY 2004-11-02 16:35:57 UTC
i assume that's for groff-1.18.1 ... why should we bother? groff-1.19.1 looks like this now:
groff-1.19.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ~ppc ~ppc64 s390 sparc x86"
Comment 8 Thierry Carrez (RETIRED) 2004-11-03 00:50:11 UTC
No, the patch applies to 1.19.1-r1 AFAICT 1.19.1-r1 is still vulnerable, that's why we should care.
Comment 9 SpanKY 2004-11-03 16:02:19 UTC
touche salesman groff-1.19.1-r2 now in cvs with aforementioned patch
Comment 10 Thierry Carrez (RETIRED) 2004-11-04 00:30:26 UTC
Arches please test and mark stable. Note that the only difference with 1.19.1-r1 (for those arches having that version stable) is the tempfile handling in the groffer utility.
Comment 11 Bryan Østergaard (RETIRED) 2004-11-04 03:27:37 UTC
Stable on alpha.
Comment 12 Gustavo Zacarias (RETIRED) 2004-11-04 05:37:34 UTC
Comment 13 Akinori Hattori 2004-11-04 06:07:53 UTC
Please apply this fix to 1.18 too. multibyte patch for 1.19 is not yet released.
Comment 14 Markus Rothe (RETIRED) 2004-11-04 09:20:50 UTC
groff-1.19.1-r2 is now tested and marked stable on ppc64. Markus
Comment 15 Travis Tilley (RETIRED) 2004-11-04 09:37:08 UTC
stable on amd64
Comment 16 SpanKY 2004-11-04 19:01:41 UTC
if someone posts a patch that'll apply cleanly to 1.18.1-r4 i'll add a 1.18.1-r5
Comment 17 SpanKY 2004-11-04 19:08:00 UTC
moved arm/hppa/ia64/s390/x86 to stable with 1.19.1-r2
Comment 18 Lars Weiler (RETIRED) 2004-11-04 20:25:42 UTC
Comment 19 Hardave Riar (RETIRED) 2004-11-05 01:35:27 UTC
Stable on mips.
Comment 20 Thierry Carrez (RETIRED) 2004-11-06 01:14:19 UTC
ppc64 is stable... ppc64: please remove yourself from Cc when you mark stable. Security, please vote on GLSA need. Maybe a grouped GLSA with the davfs and openssl ones?
Comment 21 Akinori Hattori 2004-11-06 02:18:44 UTC
Created attachment 43389 groff-188.8.131.52.ebuild
groff-184.108.40.206.ebuild with updated Debian patch.
Comment 22 Sune Kloppenborg Jeppesen 2004-11-06 04:01:55 UTC
I vote for a grouped GLSA on this one as well.
Comment 23 Thierry Carrez (RETIRED) 2004-11-06 05:36:51 UTC
waiting on davfs2 x86 stable
Comment 24 Thierry Carrez (RETIRED) 2004-11-07 10:27:13 UTC
davfs will take too much time, issuing GLSA with only openssl and groff
Comment 25 Thierry Carrez (RETIRED) 2004-11-08 02:51:03 UTC