Bug 106105 - sys-apps/texinfo: Insecure temporary file creation (CAN-2005-3011)
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Reported: 2005-09-15 13:43 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-10-08 01:56 UTC
texinfo-texindex-tempfile.patch (texinfo-texindex-tempfile.patch,1.55 KB, patch)
2005-09-25 02:06 UTC, SpanKY
texinfo-texindex-tempfile.patch (texinfo-texindex-tempfile.patch,1.59 KB, patch)
2005-09-29 00:38 UTC, SpanKY
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-15 13:43:51 UTC
Not sure whether this affects our version:
There is a race condition on creating temporary files in texindex.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 02:02:48 UTC
Pulling in maintainer.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:12:08 UTC
I checked, our 4.8 is affected.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-21 05:45:27 UTC
base-system please advise...
Comment 4 SpanKY gentoo-dev 2005-09-25 00:33:37 UTC
seems to be fixed in texinfo-4.8 which has been in stable for all arches for
quite a while

texinfo-4.8 uses texindex.c rev 1.11 which is much higher than the fixed rev 1.4 :)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-09-25 01:36:28 UTC
vapier: affected code (see is still in 4.8. I
think it's a different set of tempfile fixes. Debian's 4.7 version is affected
and 4.7 is based on rev 1.11, like 4.8.
Comment 6 SpanKY gentoo-dev 2005-09-25 02:06:10 UTC
Created attachment 69199

indeed ... so what about this patch ?
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-09-25 05:44:47 UTC
Looks sane to me, but I may miss something (esp. in my current state), better
ask TheTavis to have a look.
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-26 05:31:34 UTC
Does the patch work?

I haven't looked at texinfo code but if I'm reading it correctly, it passes
mkstemp a char* that ends with .123, iirc mkstemp expects it to end with XXX...

Does that new fd get released anywhere? otherwise this patch adds an fd leak.
Comment 9 SpanKY gentoo-dev 2005-09-26 05:56:39 UTC
indeed, that mkstemp should be changed to open() like in bsd
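
Added example, not part of the original thread or of the texinfo patch: a C sketch of the two points raised in Comments 8 and 9. POSIX `mkstemp()` rejects a template that does not end in six `X` characters and returns a descriptor that must be closed, and `open()` with `O_CREAT | O_EXCL` refuses a name that already exists. The function names and the `/tmp` paths are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* declares mkstemp, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* mkstemp() needs a writable template ending in "XXXXXX". Returns 0 with the
   created name in out, or the errno (EINVAL for a bad template). */
int try_mkstemp(const char *tmpl, char *out, size_t outlen)
{
    if (strlen(tmpl) >= outlen) return ENAMETOOLONG;
    strcpy(out, tmpl);
    int fd = mkstemp(out);      /* file is created 0600 with O_EXCL */
    if (fd < 0) return errno;
    close(fd);                  /* release the descriptor: no fd leak */
    return 0;
}

/* Caller-chosen name: O_CREAT|O_EXCL fails with EEXIST if anything, even a
   dangling symlink, already occupies the path. */
int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Constructed case (private dir): symlink pre-placed at the name; 0 = refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/texdemoXXXXXX", lnk[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/txi.123", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }
    int ok = (create_exclusive(lnk) == EEXIST) && (access(target, F_OK) != 0);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    char name[64];
    printf("bad template: %s\n", strerror(try_mkstemp("/tmp/txi.123", name, sizeof name)));
    printf("symlink case: %s\n", demo_symlink_refused() ? "unexpected" : "refused");
    return 0;
}
```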
Comment 10 SpanKY gentoo-dev 2005-09-29 00:38:50 UTC
Created attachment 69463

this should do it then
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-29 01:00:24 UTC
Yep, patch looks good to me.
Comment 12 SpanKY gentoo-dev 2005-09-29 01:52:15 UTC
texinfo-4.8-r1 now in portage then
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-29 02:38:41 UTC
Let the race begin, test and mark stable...
Comment 14 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-29 02:58:34 UTC
Looks fine on alpha, marked stable.

Comment 15 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-29 08:41:33 UTC
Stable on hppa, ppc.
Comment 16 Andrej Kacian (RETIRED) gentoo-dev 2005-09-29 09:56:14 UTC
x86 happy
Comment 17 Aaron Walker (RETIRED) gentoo-dev 2005-09-29 10:15:11 UTC
mips stable
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2005-09-29 10:26:44 UTC
sparc stable.
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2005-09-30 11:18:03 UTC
stable on ppc64
Comment 20 Simon Stelling (RETIRED) gentoo-dev 2005-09-30 13:06:06 UTC
amd64 stable
Comment 21 MATSUU Takuto (RETIRED) gentoo-dev 2005-09-30 14:25:35 UTC
stable on sh.
Comment 22 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-01 17:30:15 UTC
Stable on ia64.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2005-10-05 05:48:42 UTC
GLSA 200510-04
arm and s390 should mark stable to benefit from GLSA
Comment 24 Gordon Malm (RETIRED) gentoo-dev 2005-10-07 16:01:59 UTC
Gentlemen, please see:
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-10-08 01:56:04 UTC
Apparently our patch sucks, SpanKY please see bug 108416 for details.