Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 235770 (debian-tempfile) - [Tracker] Tempfile issues found in Debian
Summary: [Tracker] Tempfile issues found in Debian
Status: RESOLVED FIXED
Alias: debian-tempfile
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.linux.d...
Whiteboard:
Keywords: Tracker
Depends on: CVE-2008-4982 CVE-2008-4998 235804 235805 CVE-2008-4936 CVE-2008-4935 CVE-2008-4956 235811 235812 CVE-2008-3931 CVE-2008-4937 235826 CVE-2008-4985 CVE-2008-5007 236205 CVE-2008-3928 CVE-2008-3929 CVE-2008-4190 CVE-2008-4191 CVE-2008-4938 CVE-2008-4952 CVE-2008-4957 CVE-2008-4976 CVE-2008-4983 CVE-2008-4953 CVE-2008-4968 CVE-2008-4993 CVE-2008-5151 CVE-2008-5154 CVE-2008-5155 CVE-2008-5137 CVE-2008-5136 CVE-2008-5138 CVE-2008-5188 248750 CVE-2008-5375 CVE-2008-5371 250553 CVE-2008-5368 CVE-2008-4959 CVE-2008-5377
Blocks:
  Show dependency tree
 
Reported: 2008-08-26 11:58 UTC by Robert Buchholz (RETIRED)
Modified: 2012-09-22 19:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-26 11:58:03 UTC
Moritz Mühlenhoff writes:
as part of the preparation of the upcoming Debian Lenny release 
someone checked the whole archive with a script for temp races
and found a few. Below is the list of issues identified so far.
More are pending, which haven't been checked for validity yet:

  - rkhunter 1.3.2-6 (low; http://bugs.debian.org/496375 )
  - scratchbox2 1.99.0.24-2 (low; http://bugs.debian.org/496409 )
  - realtimebattle 1.0.8-8 (low; http://bugs.debian.org/496385 )
  - mgt 2.31-6 (low; http://bugs.debian.org/496434 )
  - twiki 1:4.1.2-4 (low; http://bugs.debian.org/494648 )
  - mafft <unfixed> (low; http://bugs.debian.org/496366 )
  - xen-3 <unfixed> (low; http://bugs.debian.org/496367 )
  - mgetty <unfixed> (low; http://bugs.debian.org/496403 )
  - sympa <unfixed> (low; http://bugs.debian.org/496405; bug #494969 )
  - sng 1.0.2-6 (low; http://bugs.debian.org/496407 )
  - aview <unfixed> (low; http://bugs.debian.org/496422 )
  - fwbuilder <unfixed> (low; http://bugs.debian.org/496406 )
  - feta 1.4.16+nmu1 (low; http://bugs.debian.org/496397 )
  - postfix <unfixed> (unimportant; http://bugs.debian.org/496401 )
  NOTE: Not enabled by default, needs manual modification of a script
  - caudium <unfixed> (low; http://bugs.debian.org/496404 )
  - cdcontrol <unfixed> (low; http://bugs.debian.org/496438 )
  - sgml2x <unfixed> (low; http://bugs.debian.org/496368 )
  - dtc-common <unfixed> (low; http://bugs.debian.org/496362 )
  - liguidsoap <unfixed> (low; http://bugs.debian.org/496360 )
  - xmcd 2.6-21 (low; http://bugs.debian.org/496416 )
  - xcal 4.1-19 (low; http://bugs.debian.org/496393 )
  - r-base 2.7.2-1 (low; http://bugs.debian.org/496418 )
  - r-base-core-ra <unfixed> (low; http://bugs.debian.org/496363 )
  - openoffice.org <unfixed> (low; http://bugs.debian.org/496361 )
  [etch] - openoffice.org <not-affected> (Vulnerable code not present )
  NOTE: also not present in 3.0.0, only in 2.4.1. Fix pending upload.
  - qemu 0.9.1-6 (low; http://bugs.debian.org/496394 )
  - rancid 2.3.2~a8-2 (low; http://bugs.debian.org/496426 )
  - vdr 1.6.0-6 (low; http://bugs.debian.org/496421 )
  - lazarus 0.9.24-0-11 (low )
  - crossfire-maps 1.11.0-2 (low )

For reference, the technique and the script can be found in the relevant 
thread on debian-devel:
http://thread.gmane.org/gmane.linux.debian.devel.general/130960/focus=131003
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-26 12:00:06 UTC
We need to audit our tree for those issues which affect Gentoo.
Please mark them as blockers of this bug.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 18:45:11 UTC
I filed bugs for the following packages:
  * rkhunter -> app-forensics/rkhunter, bug 235798
  * twiki -> www-apps/twiki, bug 235802
  * mafft -> sci-biology/mafft, bug 235804
  * xen-3 -> app-emulation/xen, bug 235805
  * mgetty -> net-dialup/mgetty, bug 235806
  * aview -> media-gfx/aview, bug 235808
  * fwbuilder -> net-firewall/fwbuilder, bug 235809
  * postfix -> mail-mta/postfix, bug 235811
  * dtc-common -> sys-apps/dtc, bug 235812
  * r-base -> dev-lang/R, bug 235822
  * openoffice.org -> app-office/openoffice, bug 235824
  * qemu -> app-emulation/qemu, bug 235826
  * vdr -> media-video/vdr, bug 235827
  * lazarus -> dev-lang/lazarus, bug 235828

We don't ship these packages:
  * scratchbox
  * realtimebattle
  * mgt
  * sympa
  * sng
  * feta
  * caudium
  * cdcontrol
  * sgml2x
  * liguidsoap
  * xmcd
  * r-base-core-ra
  * rancid

To check:
  * xcal -> x11-misc/xcalendar?
  * crossfire-maps -> games-roguelike/crossfire-client?
                      games-server/crossfire-server?

I think this was it... now to audit the individual packages...
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 18:49:27 UTC
We all love bugzie... now it killed all blockers of this bug. Re-adding. Sorry for the spam...
Comment 4 Arvid Norlander 2008-08-28 10:54:49 UTC
(In reply to comment #2)
> To check:
>   * xcal -> x11-misc/xcalendar?
>   * crossfire-maps -> games-roguelike/crossfire-client?
>                       games-server/crossfire-server?
As a crossfire developer I can say that the issue would be part of the server package, however anyone running a server should use the -tmpdir switch to set the server to use a private temporary directory, it is the recommended way to work around it upstream. IIRC however all cases use open() with O_EXCL so there shouldn't be an issue with that in the current version.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 13:17:07 UTC
(In reply to comment #4)
> anyone running a server should use the -tmpdir switch to set
> the server to use a private temporary directory, it is the recommended way to
> work around it upstream. IIRC however all cases use open() with O_EXCL so there
> shouldn't be an issue with that in the current version.

Let's discuss this on bug 236205. 

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-07 18:01:45 UTC
I got a complete list of bugs from the debian folks, here is an overview:

* aegis
CVE:
DEBIAN: http://bugs.debian.org/496402
DEBIAN: http://bugs.debian.org/496400
GENTOO: #0
FILES: bng_dvlpd.sh, bng_rvwd.sh, awt_dvlp.sh, awt_intgrtn.sh, aegis.cgi
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis-web
URL: http://sourceforge.net/tracker/index.php?func=detail&aid=2079025&group_id=224&atid=100224

* ampache
CVE: CVE-2008-3929
DEBIAN: http://bugs.debian.org/496369
GENTOO: #237483
FILES: gather-messages.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ampache
NOTE: the script is only used when translating ampache to a new language

* apertium
CVE: TODO
DEBIAN: http://bugs.debian.org/496395
GENTOO: #0
FILES: apertium-gen-deformat, apertium-gen-reformat, apertium
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/apertium

* aptoncd
CVE: TODO
DEBIAN: http://bugs.debian.org/496390
GENTOO: #0
FILES: xmlfile.py
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aptoncd

* arb-common
CVE: TODO
DEBIAN: http://bugs.debian.org/496396
GENTOO: #0
FILES: arb_fastdnaml, dszmconnect.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/arb-common

* audiolink
CVE: 
DEBIAN: http://bugs.debian.org/496433
GENTOO: #0
FILES: audiolink
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/audiolink

* aview
CVE: 
DEBIAN: http://bugs.debian.org/496422
GENTOO: #235808
FILES: asciiview
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aview

* bulmages-servers
CVE: 
DEBIAN: http://bugs.debian.org/496382
GENTOO: #0
FILES: actualizabulmacont, installbulmages-db, creabulmafact, creabulmacont, actualizabulmafact
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/bulmages-servers

* caudium
CVE: CVE-2008-3883
DEBIAN: http://bugs.debian.org/496404
GENTOO: #0
FILES: configvar
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/caudium

* cdcontrol
CVE: 
DEBIAN: http://bugs.debian.org/496438
GENTOO: #0
FILES: writtercontrol
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cdcontrol

* cdrw-taper
CVE: 
DEBIAN: http://bugs.debian.org/496380
GENTOO: #0
FILES: amlabel-cdrw
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cdrw-taper

* citadel
CVE: CVE-2008-3930
DEBIAN: http://bugs.debian.org/496359
GENTOO: #0
FILES: migrate_aliases.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/citadel-server

* cman
CVE: 
DEBIAN: http://bugs.debian.org/496410
GENTOO: #0
FILES: fence_egenera
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cman

* convirt
CVE: 
DEBIAN: http://bugs.debian.org/496419
GENTOO: #0
FILES: provision.sh, provision.sh, provision.sh, provision.sh, provision.sh, provision.sh, provision.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/convirt

* crossfire
CVE: 
DEBIAN: http://bugs.debian.org/496358
GENTOO: #236205
FILES: combine.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/crossfire-maps

* dhis-server
CVE: 
DEBIAN: http://bugs.debian.org/496388
GENTOO: #0
FILES: dhis-dummy-log-engine
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dhis-server

* digitaldj
CVE: 
DEBIAN: http://bugs.debian.org/496399
GENTOO: #0
FILES: fest.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/digitaldj

* dist
CVE: 
DEBIAN: http://bugs.debian.org/496412
GENTOO: #0
FILES: patcil, patdiff
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dist

* dpkg-cross
CVE: 
DEBIAN: http://bugs.debian.org/496413
GENTOO: #0
FILES: gccross
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dpkg-cross

* dtc
CVE: 
DEBIAN: http://bugs.debian.org/496362
GENTOO: #235812
FILES: accesslog.php, sa-wrapper
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dtc-common

* emacs-jabber
CVE: 
DEBIAN: http://bugs.debian.org/496428
GENTOO: #0
FILES: emacs-jabber
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/emacs-jabber

* emacspeak
CVE: CVE-2008-4191
DEBIAN: http://bugs.debian.org/496431
GENTOO: #238575
FILES: extract-table.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/emacspeak

* feta
CVE: CVE-2008-4440
DEBIAN: http://bugs.debian.org/496397
GENTOO: #0
FILES: to-upgrade
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/feta
NOTE: in to-upgrade plugin

* firehol
CVE: 
DEBIAN: http://bugs.debian.org/496424
GENTOO: #0
FILES: firehol
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/firehol

* fml
CVE: 
DEBIAN: http://bugs.debian.org/496370
GENTOO: #0
FILES: mead.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/fml

* freeradius-dialupadmin
CVE: 
DEBIAN: http://bugs.debian.org/496389
GENTOO: #0
FILES: backup_radacct, clean_radacct, monthly_tot_stats, tot_stats, truncate_radacct
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/freeradius-dialupadmin

* freevo
CVE: 
DEBIAN: http://bugs.debian.org/496373
GENTOO: #0
FILES: freevo.real
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/freevo
NOTE: disabled in the source

* fwbuilder
CVE: 
DEBIAN: http://bugs.debian.org/496406
GENTOO: #235809
FILES: fwb_install
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/fwbuilder

* gccxml
CVE: 
DEBIAN: http://bugs.debian.org/496391
GENTOO: #0
FILES: find_flags
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gccxml

* gdrae
CVE: 
DEBIAN: http://bugs.debian.org/496378
GENTOO: #0
FILES: gdrae
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gdrae

* gpsdrive-scripts
CVE: 
DEBIAN: http://bugs.debian.org/496436
GENTOO: #0
FILES: geo-code
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gpsdrive-scripts

* honeyd
CVE: CVE-2008-3928
DEBIAN: http://bugs.debian.org/496365
GENTOO: #237481
FILES: test.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/honeyd-common
NOTE: 

* ibackup
CVE: 
DEBIAN: http://bugs.debian.org/496432
GENTOO: #0
FILES: ibackup
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ibackup

* impose+
CVE: 
DEBIAN: http://bugs.debian.org/496435
GENTOO: #0
FILES: impose
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/impose+

* konwert
CVE: 
DEBIAN: http://bugs.debian.org/496379
GENTOO: #0
FILES: any-UTF8
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/konwert-filters

* lazarus
CVE: 
DEBIAN: http://bugs.debian.org/496377
GENTOO: #235828
FILES: create_lazarus_export_tgz.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lazarus-src

* liguidsoap
CVE: 
DEBIAN: http://bugs.debian.org/496360
GENTOO: #0
FILES: liguidsoap.py
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/liguidsoap

* linux-patch-openswan
CVE: 
DEBIAN: http://bugs.debian.org/496376
GENTOO: #0
FILES: maysnap, maytest
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/linux-patch-openswan

* linuxtrade
CVE: 
DEBIAN: http://bugs.debian.org/496372
GENTOO: #0
FILES: linuxtrade.bwkvol, linuxtrade.wn, moneyam.helper
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/linuxtrade

* lmbench
CVE: 
DEBIAN: http://bugs.debian.org/496427
GENTOO: #0
FILES: rccs, STUFF
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lmbench

* ltp-network-test
CVE: 
DEBIAN: http://bugs.debian.org/496411
GENTOO: #0
FILES: ftp_setup_vsftp_conf, nfs_fsstress.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ltp-network-test

* lustre
CVE: 
DEBIAN: http://bugs.debian.org/496371
GENTOO: #0
FILES: runiozone
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lustre-tests

* mafft
CVE: 
DEBIAN: http://bugs.debian.org/496366
GENTOO: #235804
FILES: mafft-homologs
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mafft

* mgetty
CVE: 
DEBIAN: http://bugs.debian.org/496403
GENTOO: #235806
FILES: faxspool
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mgetty-fax

* mgt
CVE: 
DEBIAN: http://bugs.debian.org/496434
GENTOO: #0
FILES: mailgo
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mgt

* mon
CVE: [requested]
DEBIAN: http://bugs.debian.org/496398
GENTOO: #0
FILES: test.alert
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mon

* myspell
CVE: 
DEBIAN: http://bugs.debian.org/496392
GENTOO: #0
FILES: i2myspell
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/myspell-tools

* netmrg
CVE: 
DEBIAN: http://bugs.debian.org/496384
GENTOO: #0
FILES: rrdedit
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/netmrg

* newsgate
CVE: 
DEBIAN: http://bugs.debian.org/496437
GENTOO: #0
FILES: mkmailpost
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/newsgate

* ogle
CVE: 
DEBIAN: http://bugs.debian.org/496425
DEBIAN: http://bugs.debian.org/496420
GENTOO: #0
FILES: ogle_audio_debug, ogle_cli_debug, ogle_ctrl_debug, ogle_gui_debug, ogle_mpeg_ps_debug, ogle_mpeg_vs_debug, ogle_nav_debug, ogle_vout_debug
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ogle
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ogle-mmx
NOTE: This only affects debugging scripts not present in standard path

* openoffice.org
CVE: 
DEBIAN: http://bugs.debian.org/496361
GENTOO: #235824
FILES: senddoc
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/openoffice.org-common
	[etch] - openoffice.org <not-affected> (Vulnerable code not present)
	NOTE: also not present in 3.0.0, only in 2.4.1. Fix pending upload.

* openswan
CVE: CVE-2008-4190
DEBIAN: http://bugs.debian.org/496374
GENTOO: #238574
FILES: livetest
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/openswan

* plait
CVE: CVE-2008-4085
DEBIAN: http://bugs.debian.org/496381
GENTOO: #0
FILES: plait, plaiter
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/plait

* postfix
CVE: 
DEBIAN: http://bugs.debian.org/496401
GENTOO: #235811
FILES: postfix_groups.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/postfix
NOTE: Not enabled by default, needs manual modification of a script

* qemu
CVE: 
DEBIAN: http://bugs.debian.org/496394
GENTOO: #235826
FILES: qemu-make-debian-root
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/qemu

* radiance
CVE: 
DEBIAN: http://bugs.debian.org/496433
GENTOO: #0
FILES: optics2rad, pdelta, dayfact, raddepend
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/radiance

* rancid
CVE: 
DEBIAN: http://bugs.debian.org/496426
GENTOO: #0
FILES: getipacctg
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rancid-util

* R
CVE: CVE-2008-3931
DEBIAN: http://bugs.debian.org/496418
DEBIAN: http://bugs.debian.org/496363
GENTOO: #235822
FILES: javareconf, javareconf.orig
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/r-base-core
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/r-base-core-ra

* rccp
CVE: 
DEBIAN: http://bugs.debian.org/496364
GENTOO: #0
FILES: delqueueask
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rccp

* realtimebattle
CVE: 
DEBIAN: http://bugs.debian.org/496385
GENTOO: #0
FILES: perl.robot
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/realtimebattle-common

* rkhunter
CVE: 
DEBIAN: http://bugs.debian.org/496375
GENTOO: #235798
FILES: rkhunter
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rkhunter

* scilab-bin
CVE: 
DEBIAN: http://bugs.debian.org/496414
GENTOO: #0
FILES: scilink, scidoc, scidem
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/scilab-bin

* scratchbox2
CVE: 
DEBIAN: http://bugs.debian.org/496409
GENTOO: #0
FILES: dpkg-checkbuilddeps, sb2-check-pkg-mappings
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/scratchbox2

* sgml2x
CVE: 
DEBIAN: http://bugs.debian.org/496368
GENTOO: #0
FILES: rlatex
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sgml2x

* sng
CVE: 
DEBIAN: http://bugs.debian.org/496407
GENTOO: #0
FILES: sng_regress
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sng

* sympa
CVE: 
DEBIAN: http://bugs.debian.org/494969
DEBIAN: http://bugs.debian.org/496405
GENTOO: #0
FILES: wwsympa.fcgi, sympa.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sympa

* tiger
CVE: CVE-2008-3927
DEBIAN: http://bugs.debian.org/496415
GENTOO: #0
FILES: genmsgidx
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/tiger
NOTE: the script is only used during build time


* vdr
CVE: 
DEBIAN: http://bugs.debian.org/496421
GENTOO: #235827
FILES: vdrleaktest
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/vdr-dbg

* wims
CVE: 
DEBIAN: http://bugs.debian.org/496387
GENTOO: #0
FILES: coqweb, account.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/wims

* xastir
CVE: 
DEBIAN: http://bugs.debian.org/496383
GENTOO: #0
FILES: get-maptools.sh, get_shapelib.sh
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xastir

* xcal
CVE: 
DEBIAN: http://bugs.debian.org/496393
GENTOO: #0
FILES: pscal
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xcal

* xen
CVE: 
DEBIAN: http://bugs.debian.org/496367
GENTOO: #235805
FILES: qemu-dm.debug
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xen-utils-3.2-1

* xmcd
CVE: 
DEBIAN: http://bugs.debian.org/496416
GENTOO: #0
FILES: ncsarmt, ncsawrap
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xmcd




* bk2site
CVE: 
DEBIAN: http://bugs.debian.org/496430
GENTOO: #0
FILES: redirect.pl
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/bk2site
NOTE: requires code change, $debug = 1


* initramfs-tools
CVE: 
DEBIAN: http://bugs.debian.org/496386
GENTOO: #0
FILES: init
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/initramfs-tools

* sendmail-base
CVE: CVE-2003-0308
DEBIAN: http://bugs.debian.org/496408
GENTOO: #0
FILES: checksendmail, expn
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sendmail-base
NOTE: Code path not run

* printfilters-ppd
CVE: 
DEBIAN: http://bugs.debian.org/496417
GENTOO: #0
FILES: master-filter
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/printfilters-ppd

* datafreedom-perl
CVE: 
DEBIAN: http://bugs.debian.org/496429
GENTOO: #0
FILES: dfxml-invoice
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/datafreedom-perl

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 19:51:18 UTC
I found one in sys-cluster/fence-2.02.00-r1 (belongs to cman-2.02.00-r1, but our fence_egenera does not have CVE-2008-4192), see #240576
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 22:17:01 UTC
aegis: CVE-2008-4938 / #245760
emacs-jabber: CVE-2008-4952 / #245761
gccxml: CVE-2008-4957 / #245765
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-06 09:17:37 UTC
The bug in emacs-jabber (CVE-2008-4952 / #245761) is debian specific and exists only in their installer.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 02:51:47 UTC
ogle: CVE-2008-4976 / #245921
scilab: CVE-2008-4983 / #245922
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 22:19:24 UTC
firehol: CVE-2008-4953 / #246013
lmbench: CVE-2008-4968 / #246015
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-08 14:49:49 UTC
initramfs-tools: CVE-2008-4996 / we do not ship those
twiki: CVE-2008-4998 / #235802

And we have a different symlink bug:
app-emulation/xen: CVE-2008-4993 / #246068


Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-09 20:09:56 UTC
freevo:	CVE-2008-4955
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:42:21 UTC
dev-lang/lazarus: CVE-2008-5007 / #235828
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-25 09:57:16 UTC
I added the dependencies:
virtualbox: 248750 / CVE requested
sys-fs/ecryptfs-utils: 248058 / CVE-2008-5188
app-mobilephone/smsclient: 247483 / CVE-2008-5155
app-pda/p3nfs: 247481 / CVE-2008-5154
sci-visualization/mayavi: 247479 / CVE-2008-5151
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 21:36:50 UTC
net-dialup/ppp-2.4.4-r21 (/etc/ppp/ip-up.d/40-dns.sh) #250553 / this is LIKE CVE-2008-5367, but not the same issue.

app-misc/muttprint<=0.72d #250554 / CVE-2008-5368
Comment 17 stupendoussteve 2008-12-10 22:50:13 UTC
Added blockers:
app-misc/screenie-1.30.0: CVE-2008-5371 / #250476

media-sound/cmus-2.2.0: CVE-2008-5375 / #250474

app-text/tkman <= 2.2: CVE-2008-5137 / #247540 - Does not have a maintainer/herd
Comment 18 Nico R. 2009-01-21 20:53:55 UTC
Shouldn’t this bug /depend on/ instead of /block/ bug 247986 and bug 251316?
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 19:34:01 UTC
All blockers are done. 

Closing.