| Summary: | dev-db/xmysqladmin <= 1.0 insecure temporary file creation && maybe more | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Romang <zataz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | mysql-bugs, rphillips |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Other | | |
| Whiteboard: | B3 [ebuild+ masked] | | |
| Package list: | | Runtime testing required: | --- |
Description
Romang
2005-05-24 04:27:02 UTC
Yes, perhaps BACKUPDIR could be set to "." in the Makefile?

Hello, Yes it's a solution. If the . directory is not world writable. Upstream should find another solution. I contact him and propose him the . solution. Regards.

Hello, No upstream response. Regards.

*** Bug 95571 has been marked as a duplicate of this bug. ***

public

So we need to patch the Makefile (or remove the package) since upstream is silent. No maintainer... mysql herd, do you feel like taking this one? rphillips: you're the only survivor in the old committers, let us know if you accept to patch again. I guess we'll have to mask/remove it if no one wants it.

Koon: can you hard mask it in my place please? Waiting approval from herd lead to remove it.

Package masked on vivo's request. Bug kept open until complete removal.

I don't agree that this is insecure temp file creation. The permissions of the created file in /tmp are 644. Sure, the design decision of creating /tmp/foo.tar.gz without checking that it already exists isn't great, but it's not bad given that xmysqladmin is run with user permissions. It fails if the user doesn't have permissions to write there, provided your /tmp is set up correctly with the sticky bit. It looks like it should be acceptable to set umask(0077) before running tar.

Any news on this one?

MySQL herd doesn't really want to maintain this; since it has been p.masked for a long time, I'd go for removal. If no one speaks up, I'll send the last rites email tomorrow, and remove from the tree two weeks after that. Best regards, CHTEKK.

Removed from Portage. Best regards, CHTEKK.
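The thread's disagreement turns on two points: a fixed, predictable path under /tmp (/tmp/foo.tar.gz) is created without checking whether an entry already exists there, and the resulting file is 644 unless umask is tightened before tar runs. The following is an added example, not xmysqladmin's code and not written by anyone in this bug; it shows how a backup helper can avoid both problems with POSIX calls alone. The directory template xmysqladmin.XXXXXX, the file name backup.tar.gz and the function names are constructed for the example; the tar invocation itself is left out, since the page does not show how xmysqladmin runs it.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct {
    char dir[4096];   /* private directory created by mkdtemp(3) */
    char file[4096];  /* the backup file inside that directory */
    int fd;           /* open descriptor for the backup file, or -1 */
} private_backup_t;

/* Open a path for writing only if nothing exists there yet: O_EXCL refuses a
 * pre-existing entry and O_NOFOLLOW refuses a symlink placed at the path.
 * The file is created 0600 regardless of the caller's umask. */
int open_no_clobber(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Create a private scratch directory under $TMPDIR (or /tmp) and the named
 * file inside it. mkdtemp makes the directory 0700 with an unpredictable
 * name, so a fixed path such as /tmp/foo.tar.gz is never reused.
 * Returns 0 on success, -1 on error with errno set. */
int private_backup_open(private_backup_t *pb, const char *name) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";

    memset(pb, 0, sizeof *pb);
    pb->fd = -1;
    if (strchr(name, '/') != NULL) {          /* keep the file inside our directory */
        errno = EINVAL;
        return -1;
    }
    /* "xmysqladmin.XXXXXX" is a constructed template name for this example. */
    if (snprintf(pb->dir, sizeof pb->dir, "%s/xmysqladmin.XXXXXX", base) >= (int)sizeof pb->dir) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Tighten umask while creating, as suggested in the thread, then restore it. */
    mode_t old = umask(077);
    if (mkdtemp(pb->dir) == NULL) {
        umask(old);
        return -1;
    }
    if (snprintf(pb->file, sizeof pb->file, "%s/%s", pb->dir, name) >= (int)sizeof pb->file) {
        umask(old);
        rmdir(pb->dir);
        errno = ENAMETOOLONG;
        return -1;
    }
    pb->fd = open_no_clobber(pb->file);
    umask(old);
    if (pb->fd < 0) {
        int saved = errno;
        rmdir(pb->dir);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Check that a created file is a regular file, owned by the calling user and
 * not group- or world-accessible. Returns 1 if all hold, 0 otherwise. */
int private_backup_check(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return 0;
    return 1;
}

/* Close and remove the file and its private directory. */
void private_backup_close(private_backup_t *pb) {
    if (pb->fd >= 0) close(pb->fd);
    pb->fd = -1;
    if (pb->file[0] != '\0') unlink(pb->file);
    if (pb->dir[0] != '\0') rmdir(pb->dir);
}

int main(void) {
    private_backup_t pb;
    if (private_backup_open(&pb, "backup.tar.gz") != 0) {   /* constructed file name */
        perror("private_backup_open");
        return 1;
    }
    printf("created %s (private: %s)\n", pb.file,
           private_backup_check(pb.file) ? "yes" : "no");
    /* A second attempt on the same path is refused instead of clobbering it. */
    if (open_no_clobber(pb.file) < 0 && errno == EEXIST)
        printf("second open refused: %s\n", strerror(errno));
    private_backup_close(&pb);
    return 0;
}
```

The descriptor returned by private_backup_open is what the archive step would write to (for example by redirecting tar's output to it), so the archive never passes through a world-readable, predictably named path in /tmp.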