from DSA 968-1: Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in noweb, a web-like literate-programming tool, creates a temporary file in an insecure fashion. Interesting to note is that there was a similar issue years ago (bug 22972). The DSA is too unspecific to say if the same problem reappeared.
sci-mathematics/axiom might be affected by this as it includes its own noweb...
text-markup please advise
Created attachment 80004: noweb-2.9-insecure-tmp-file.patch
I have fixed it in CVS for noweb. The problem was much the same as the old bug, just in some new files. I took the Debian patch and extracted the difference (see the attachment) and added it to the old noweb-2.9-security.patch and bumped both the unstable and stable revision. @plasmaroo: The attachment is for your sake, if it applies to axiom as well. Btw. this is my first response to a security bug, so please tell me if I did anything wrong :)
Looks good to me. Ready for GLSA vote.
I tend to vote yes.
OK, let's have a GLSA.
GLSA 200602-14