Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 188808 - >=app-admin/sysstat-7.1 Insecure temporary file usage (CVE-2007-3852)
Summary: >=app-admin/sysstat-7.1 Insecure temporary file usage (CVE-2007-3852)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [] jaervosz
Depends on:
Reported: 2007-08-14 11:47 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-21 06:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

CVE-2007-3852.patch (CVE-2007-3852.patch,981 bytes, patch)
2007-08-14 11:48 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:47:11 UTC
The init script handles /tmp/ in an unsafe manner.

Credit should go to Julien L.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:48:43 UTC
Created attachment 128039 [details, diff]

Upstream patch that will be applied to the next release.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:51:29 UTC
jer, please advise and patch as necessary.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 17:14:01 UTC
Which is the next release? Not the development branch (7.1*), I would think.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 17:29:07 UTC
I'm not sure, but I guess the fix for the stable version is pretty close to the patch attached.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 18:11:35 UTC
The patch doesn't apply to the stable 7.0*.
The patch does apply to the unstable 7.1*.

Sadly I cannot access the details of this CVE. I am changing the summary hoping to catch all vulnerable versions.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-14 18:22:56 UTC
It seems the init.d script from upstream isn't even installed by our ebuild. Instead ${FILESDIR}/sysstat.init.d is installed, so currently we are not vulnerable at all.

I could change the ebuild to put the patched upstream init.d script in /usr/share/doc*, though. Then we'd have somewhat of a vulnerability! :)
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-21 06:13:50 UTC
Thx for the info Jeroen. I should have looked more closely before filing this.