Bug 122705 - app-text/noweb,sci-mathematics/axiom - insecure temporary file creation (CVE-2005-3342)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2006-02-13 09:58 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-02-26 08:34 UTC

Attachments
noweb-2.9-insecure-tmp-file.patch (1.51 KB, patch)
2006-02-17 04:44 UTC, Martin Ehmsen (RETIRED)

Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-13 09:58:41 UTC
from DSA 968-1:

Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in noweb, a web like literate-programming
tool, creates a temporary file in an insecure fashion.


Interesting to note is that there was a similar issue years ago (bug 22972). The DSA is too unspecific to say if the same problem reappeared.
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2006-02-13 11:32:18 UTC
sci-mathematics/axiom might be affected by this as it includes its own noweb...
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:56:19 UTC
text-markup please advise
Comment 4 Martin Ehmsen (RETIRED) gentoo-dev 2006-02-17 04:44:15 UTC
Created attachment 80004
noweb-2.9-insecure-tmp-file.patch

I have fixed it in CVS for noweb.
The problem was much the same as the old bug, just in some new files.
I took the Debian patch and extracted the difference (see the attachment) and added it to the old noweb-2.9-security.patch and bumped both the unstable and stable revision.

@plasmaroo: The attachment is for your sake, if it applies to axiom as well.

Btw. this is my first response to a security bug, so please tell me if I did anything wrong :)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-17 13:43:41 UTC
Looks good to me. Ready for GLSA vote.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:40:21 UTC
I tend to vote yes.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 12:09:15 UTC
OK, let's have a GLSA.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-02-26 08:34:41 UTC
GLSA 200602-14