Hello,

Take a look at src/callbacks.c:

    1702 // Pipe print command and voila!, the doc is printed.
    1703 strcat(print_command, " /tmp/gwcc_out.txt");

And also in src/utils.c:

    94 else if (strcmp(operation, "temp") == 0) {
    95     strcat(file_name, "/tmp/gwcc_out.txt");

Regards.
yes, confirmed.
Created attachment 67477 [details, diff]: security fix (suggested quick fix).
Let us know when upstream is aware.
Hello, Email sent to upstream: sfbrent@users.sourceforge.net Regards.
Hello, No upstream response. Disclosure on 30/09/2005. Sent to vendor-sec@lst.de Regards.
opening
*** Bug 106185 has been marked as a duplicate of this bug. ***
Gnome team: please apply patch (or make your own)
=================================================
Candidate: CAN-2005-2944
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2944
Reference: VULNWATCH:20050916 gwcc insecure temporary file creation
Reference: MISC:http://www.zataz.net/adviso/gwcc-09052005.txt
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=104566
Reference: SECUNIA:16833
Reference: URL:http://secunia.com/advisories/16833

The perform_file_save function in GNOME Workstation Command Center (gwcc) allows local users to create and overwrite arbitrary files via a symlink attack on the gwcc_out.txt temporary file.
Two possible solutions here: Either a security bug for all arches to bump 0.9.8 to stable, or removing the package entirely. It is unmaintained, and has not been updated upstream for 3 years. I see no reason to patch the 4 year old stable version, rather than bump the 3 year old ~ version or remove the package entirely.
gwcc-0.9.8 has been marked stable on x86. Could other archs please do the same, then we'll remove the vulnerable version as suggested by Daniel.
CCing arches with ~ keywords
app-admin/gwcc-0.9.8 works on amd64.
stable on amd64
I don't think 0.9.8 is unaffected... In fact it contains the exact same vulnerable code... We need either to patch it or remove it (or prove me wrong). Un-CCing arches.
Then I'm in favour of removing it, mostly due to the fact that it's been unmaintained for 3+ years. John and dang?
I think removing it is the best option.
I agree, it should be removed. I've masked it for the moment, and we can remove it.
Keeping the bug open to remember to remove it sometime in the future.
The attached patch has what looks like an unchecked strcpy()/strcat() after a previous getenv() call. Correct me if I am wrong, but this looks like it fixes one problem and indirectly adds another.
gwcc is not suid or sgid, so it's not an issue.
Tavis: true, just QA-wise it's a little under par.
Doesn't matter, we're going to remove it rather than apply the patch anyway.
This appears to have been removed at some point so I'm just closing this one.