Summary: | dev-libs/log4sh <= 1.2.5 insecure temporary file creation
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Romang <zataz>
Assignee: | Gentoo Security <security>
CC: | ka0ttic
Status: | RESOLVED FIXED
Severity: | minor
Priority: | High
Version: | unspecified
Hardware: | All
OS: | All
Whiteboard: | C3 [noglsa]

Description
Romang
2005-05-26 05:38:30 UTC
Eric: was this pushed upstream? If so, any news? If they don't answer we'll push our own patch in.

Hello, Vendor notified. Regards.

Created attachment 61570
use mktemp instead of $$
suggested simple fix

Pulling in maintainer.

It's in my overlay ready to commit whenever you guys give the word.

Hello, Publish to vendor-sec@lst.de Regards

Release date set to 20050704

Should we prepare a GLSA on this one?

Advisory is out. Aaron: you can commit the stuff. Security: please vote on GLSA need

committed, x86 stable.

The config file is only used in specific cases, and log4sh isn't used in any Gentoo-provided package. Voting half-NO.

I agree, NO Voting Voting ½ NO as well -> Closing without GLSA. Thx everyone.
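
The change named in the attachment title above ("use mktemp instead of $$"), sketched as an added shell example; this is not the attached patch or log4sh's own code. The function names and the `example` prefix are hypothetical, and every file is created inside a scratch directory.

```shell
#!/bin/sh
# Added illustration, not log4sh source; function names are hypothetical.

# Pattern the fix title refers to: a temp path built from the shell PID ($$).
# Directory, prefix and PID fully determine the name, so it is the same on
# every call and can be known before the file is created.
pid_tmp_name() {            # $1 = directory, $2 = prefix
    printf '%s/%s.%s\n' "$1" "$2" "$$"
}

# Replacement: mktemp chooses a random suffix and creates the file itself,
# exclusively and with mode 0600, then prints the path it created.
safe_tmp_file() {           # $1 = directory, $2 = prefix
    mktemp "$1/$2.XXXXXXXXXX"
}

# For code that has to keep a fixed path: noclobber (set -C) makes the
# redirect fail when the path already exists as a regular file or as a
# symlink to a regular or missing file. Returns non-zero in that case.
create_exclusive() {        # $1 = path
    ( set -C; : > "$1" ) 2>/dev/null
}

# Constructed demo, confined to a private scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    echo "PID-based: $(pid_tmp_name "$dir" example) (again: $(pid_tmp_name "$dir" example))"
    f1=$(safe_tmp_file "$dir" example) && f2=$(safe_tmp_file "$dir" example)
    echo "mktemp:    $f1 and $f2"
    ln -s "$dir/target" "$dir/taken"          # path is already occupied
    if create_exclusive "$dir/taken"; then
        echo "unexpected: wrote through existing path"
    else
        echo "exclusive create refused occupied path"
    fi
    rm -rf "$dir"
}

demo
```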