Moritz Mühlenhoff writes:

As part of the preparation of the upcoming Debian Lenny release someone checked the whole archive with a script for temp races and found a few. Below is the list of issues identified so far. More are pending, which haven't been checked for validity yet:

- rkhunter 1.3.2-6 (low; http://bugs.debian.org/496375 )
- scratchbox2 1.99.0.24-2 (low; http://bugs.debian.org/496409 )
- realtimebattle 1.0.8-8 (low; http://bugs.debian.org/496385 )
- mgt 2.31-6 (low; http://bugs.debian.org/496434 )
- twiki 1:4.1.2-4 (low; http://bugs.debian.org/494648 )
- mafft <unfixed> (low; http://bugs.debian.org/496366 )
- xen-3 <unfixed> (low; http://bugs.debian.org/496367 )
- mgetty <unfixed> (low; http://bugs.debian.org/496403 )
- sympa <unfixed> (low; http://bugs.debian.org/496405; bug #494969 )
- sng 1.0.2-6 (low; http://bugs.debian.org/496407 )
- aview <unfixed> (low; http://bugs.debian.org/496422 )
- fwbuilder <unfixed> (low; http://bugs.debian.org/496406 )
- feta 1.4.16+nmu1 (low; http://bugs.debian.org/496397 )
- postfix <unfixed> (unimportant; http://bugs.debian.org/496401 )
  NOTE: Not enabled by default, needs manual modification of a script
- caudium <unfixed> (low; http://bugs.debian.org/496404 )
- cdcontrol <unfixed> (low; http://bugs.debian.org/496438 )
- sgml2x <unfixed> (low; http://bugs.debian.org/496368 )
- dtc-common <unfixed> (low; http://bugs.debian.org/496362 )
- liguidsoap <unfixed> (low; http://bugs.debian.org/496360 )
- xmcd 2.6-21 (low; http://bugs.debian.org/496416 )
- xcal 4.1-19 (low; http://bugs.debian.org/496393 )
- r-base 2.7.2-1 (low; http://bugs.debian.org/496418 )
- r-base-core-ra <unfixed> (low; http://bugs.debian.org/496363 )
- openoffice.org <unfixed> (low; http://bugs.debian.org/496361 )
  [etch] - openoffice.org <not-affected> (Vulnerable code not present )
  NOTE: also not present in 3.0.0, only in 2.4.1. Fix pending upload.
- qemu 0.9.1-6 (low; http://bugs.debian.org/496394 )
- rancid 2.3.2~a8-2 (low; http://bugs.debian.org/496426 )
- vdr 1.6.0-6 (low; http://bugs.debian.org/496421 )
- lazarus 0.9.24-0-11 (low )
- crossfire-maps 1.11.0-2 (low )

For reference, the technique and the script can be found in the relevant thread on debian-devel: http://thread.gmane.org/gmane.linux.debian.devel.general/130960/focus=131003
We need to audit our tree for those issues which affect Gentoo. Please mark them as blockers of this bug.
I filed bugs for the following packages:

* rkhunter -> app-forensics/rkhunter, bug 235798
* twiki -> www-apps/twiki, bug 235802
* mafft -> sci-biology/mafft, bug 235804
* xen-3 -> app-emulation/xen, bug 235805
* mgetty -> net-dialup/mgetty, bug 235806
* aview -> media-gfx/aview, bug 235808
* fwbuilder -> net-firewall/fwbuilder, bug 235809
* postfix -> mail-mta/postfix, bug 235811
* dtc-common -> sys-apps/dtc, bug 235812
* r-base -> dev-lang/R, bug 235822
* openoffice.org -> app-office/openoffice, bug 235824
* qemu -> app-emulation/qemu, bug 235826
* vdr -> media-video/vdr, bug 235827
* lazarus -> dev-lang/lazarus, bug 235828

We don't ship these packages:

* scratchbox
* realtimebattle
* mgt
* sympa
* sng
* feta
* caudium
* cdcontrol
* sgml2x
* liguidsoap
* xmcd
* r-base-core-ra
* rancid

To check:

* xcal -> x11-misc/xcalendar?
* crossfire-maps -> games-roguelike/crossfire-client? games-server/crossfire-server?

I think this was it... now to audit the individual packages...
We all love bugzie... now it killed all blockers of this bug. Re-adding. Sorry for the spam...
(In reply to comment #2)
> To check:
> * xcal -> x11-misc/xcalendar?
> * crossfire-maps -> games-roguelike/crossfire-client?
>   games-server/crossfire-server?

As a crossfire developer I can say that the issue would be part of the server package; however, anyone running a server should use the -tmpdir switch to set the server to use a private temporary directory; it is the recommended way to work around it upstream. IIRC, however, all cases use open() with O_EXCL, so there shouldn't be an issue with that in the current version.
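Added example, not part of the comment above and not crossfire code: a small C program showing why open() with O_CREAT|O_EXCL closes the temp race this tracker is about, while the same open without O_EXCL follows a pre-planted symlink. The function names and the file names victim and app.tmp are constructed for the demonstration; everything happens inside a private mkdtemp() directory under $TMPDIR (assumed writable, default /tmp).

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: a predictable name opened without O_EXCL follows an existing
 * symlink and truncates whatever it points to. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: with O_CREAT|O_EXCL open() fails with EEXIST if anything, even a
 * dangling symlink, already sits at the path; symlinks are not followed. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Builds a private 0700 sandbox with mkdtemp(), writes a 6-byte "victim"
 * file, and pre-plants the symlink app.tmp -> victim (all names constructed).
 * Then opens app.tmp the chosen way. Returns the victim's size afterwards
 * (-1 on setup failure); *err receives errno of the open, 0 on success. */
long run_scenario(int use_excl, int *err) {
    const char *base = getenv("TMPDIR");
    char dir[200], victim[256], tmp[256];
    struct stat st;
    snprintf(dir, sizeof dir, "%s/tmprace-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/app.tmp", dir);

    int fd = open_excl(victim);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;

    fd = use_excl ? open_excl(tmp) : open_naive(tmp);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void) {
    int err = 0;
    long size = run_scenario(0, &err);
    printf("naive:  victim is %ld bytes, errno %d\n", size, err);
    size = run_scenario(1, &err);
    printf("O_EXCL: victim is %ld bytes, errno %d\n", size, err);
    return 0;
}
```

A program that gets EEXIST should pick a new name and retry (which is what mkstemp() does) rather than unlink the path and reopen it.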
(In reply to comment #4)
> anyone running a server should use the -tmpdir switch to set
> the server to use a private temporary directory, it is the recommended way to
> work around it upstream. IIRC however all cases use open() with O_EXCL so there
> shouldn't be an issue with that in the current version.

Let's discuss this on bug 236205.
I got a complete list of bugs from the debian folks, here is an overview:

* aegis
  CVE:
  DEBIAN: http://bugs.debian.org/496402
  DEBIAN: http://bugs.debian.org/496400
  GENTOO: #0
  FILES: bng_dvlpd.sh, bng_rvwd.sh, awt_dvlp.sh, awt_intgrtn.sh, aegis.cgi
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aegis-web
  URL: http://sourceforge.net/tracker/index.php?func=detail&aid=2079025&group_id=224&atid=100224

* ampache
  CVE: CVE-2008-3929
  DEBIAN: http://bugs.debian.org/496369
  GENTOO: #237483
  FILES: gather-messages.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ampache
  NOTE: the script is only used when translating ampache to a new language

* apertium
  CVE: TODO
  DEBIAN: http://bugs.debian.org/496395
  GENTOO: #0
  FILES: apertium-gen-deformat, apertium-gen-reformat, apertium
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/apertium

* aptoncd
  CVE: TODO
  DEBIAN: http://bugs.debian.org/496390
  GENTOO: #0
  FILES: xmlfile.py
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aptoncd

* arb-common
  CVE: TODO
  DEBIAN: http://bugs.debian.org/496396
  GENTOO: #0
  FILES: arb_fastdnaml, dszmconnect.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/arb-common

* audiolink
  CVE:
  DEBIAN: http://bugs.debian.org/496433
  GENTOO: #0
  FILES: audiolink
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/audiolink

* aview
  CVE:
  DEBIAN: http://bugs.debian.org/496422
  GENTOO: #235808
  FILES: asciiview
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/aview

* bulmages-servers
  CVE:
  DEBIAN: http://bugs.debian.org/496382
  GENTOO: #0
  FILES: actualizabulmacont, installbulmages-db, creabulmafact, creabulmacont, actualizabulmafact
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/bulmages-servers

* caudium
  CVE: CVE-2008-3883
  DEBIAN: http://bugs.debian.org/496404
  GENTOO: #0
  FILES: configvar
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/caudium

* cdcontrol
  CVE:
  DEBIAN: http://bugs.debian.org/496438
  GENTOO: #0
  FILES: writtercontrol
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cdcontrol

* cdrw-taper
  CVE:
  DEBIAN: http://bugs.debian.org/496380
  GENTOO: #0
  FILES: amlabel-cdrw
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cdrw-taper

* citadel
  CVE: CVE-2008-3930
  DEBIAN: http://bugs.debian.org/496359
  GENTOO: #0
  FILES: migrate_aliases.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/citadel-server

* cman
  CVE:
  DEBIAN: http://bugs.debian.org/496410
  GENTOO: #0
  FILES: fence_egenera
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/cman

* convirt
  CVE:
  DEBIAN: http://bugs.debian.org/496419
  GENTOO: #0
  FILES: provision.sh, provision.sh, provision.sh, provision.sh, provision.sh, provision.sh, provision.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/convirt

* crossfire
  CVE:
  DEBIAN: http://bugs.debian.org/496358
  GENTOO: #236205
  FILES: combine.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/crossfire-maps

* dhis-server
  CVE:
  DEBIAN: http://bugs.debian.org/496388
  GENTOO: #0
  FILES: dhis-dummy-log-engine
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dhis-server

* digitaldj
  CVE:
  DEBIAN: http://bugs.debian.org/496399
  GENTOO: #0
  FILES: fest.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/digitaldj

* dist
  CVE:
  DEBIAN: http://bugs.debian.org/496412
  GENTOO: #0
  FILES: patcil, patdiff
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dist

* dpkg-cross
  CVE:
  DEBIAN: http://bugs.debian.org/496413
  GENTOO: #0
  FILES: gccross
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dpkg-cross

* dtc
  CVE:
  DEBIAN: http://bugs.debian.org/496362
  GENTOO: #235812
  FILES: accesslog.php, sa-wrapper
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/dtc-common

* emacs-jabber
  CVE:
  DEBIAN: http://bugs.debian.org/496428
  GENTOO: #0
  FILES: emacs-jabber
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/emacs-jabber

* emacspeak
  CVE: CVE-2008-4191
  DEBIAN: http://bugs.debian.org/496431
  GENTOO: #238575
  FILES: extract-table.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/emacspeak

* feta
  CVE: CVE-2008-4440
  DEBIAN: http://bugs.debian.org/496397
  GENTOO: #0
  FILES: to-upgrade
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/feta
  NOTE: in to-upgrade plugin

* firehol
  CVE:
  DEBIAN: http://bugs.debian.org/496424
  GENTOO: #0
  FILES: firehol
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/firehol

* fml
  CVE:
  DEBIAN: http://bugs.debian.org/496370
  GENTOO: #0
  FILES: mead.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/fml

* freeradius-dialupadmin
  CVE:
  DEBIAN: http://bugs.debian.org/496389
  GENTOO: #0
  FILES: backup_radacct, clean_radacct, monthly_tot_stats, tot_stats, truncate_radacct
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/freeradius-dialupadmin

* freevo
  CVE:
  DEBIAN: http://bugs.debian.org/496373
  GENTOO: #0
  FILES: freevo.real
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/freevo
  NOTE: disabled in the source

* fwbuilder
  CVE:
  DEBIAN: http://bugs.debian.org/496406
  GENTOO: #235809
  FILES: fwb_install
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/fwbuilder

* gccxml
  CVE:
  DEBIAN: http://bugs.debian.org/496391
  GENTOO: #0
  FILES: find_flags
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gccxml

* gdrae
  CVE:
  DEBIAN: http://bugs.debian.org/496378
  GENTOO: #0
  FILES: gdrae
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gdrae

* gpsdrive-scripts
  CVE:
  DEBIAN: http://bugs.debian.org/496436
  GENTOO: #0
  FILES: geo-code
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gpsdrive-scripts

* honeyd
  CVE: CVE-2008-3928
  DEBIAN: http://bugs.debian.org/496365
  GENTOO: #237481
  FILES: test.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/honeyd-common
  NOTE:

* ibackup
  CVE:
  DEBIAN: http://bugs.debian.org/496432
  GENTOO: #0
  FILES: ibackup
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ibackup

* impose+
  CVE:
  DEBIAN: http://bugs.debian.org/496435
  GENTOO: #0
  FILES: impose
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/impose+

* konwert
  CVE:
  DEBIAN: http://bugs.debian.org/496379
  GENTOO: #0
  FILES: any-UTF8
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/konwert-filters

* lazarus
  CVE:
  DEBIAN: http://bugs.debian.org/496377
  GENTOO: #235828
  FILES: create_lazarus_export_tgz.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lazarus-src

* liguidsoap
  CVE:
  DEBIAN: http://bugs.debian.org/496360
  GENTOO: #0
  FILES: liguidsoap.py
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/liguidsoap

* linux-patch-openswan
  CVE:
  DEBIAN: http://bugs.debian.org/496376
  GENTOO: #0
  FILES: maysnap, maytest
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/linux-patch-openswan

* linuxtrade
  CVE:
  DEBIAN: http://bugs.debian.org/496372
  GENTOO: #0
  FILES: linuxtrade.bwkvol, linuxtrade.wn, moneyam.helper
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/linuxtrade

* lmbench
  CVE:
  DEBIAN: http://bugs.debian.org/496427
  GENTOO: #0
  FILES: rccs, STUFF
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lmbench

* ltp-network-test
  CVE:
  DEBIAN: http://bugs.debian.org/496411
  GENTOO: #0
  FILES: ftp_setup_vsftp_conf, nfs_fsstress.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ltp-network-test

* lustre
  CVE:
  DEBIAN: http://bugs.debian.org/496371
  GENTOO: #0
  FILES: runiozone
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/lustre-tests

* mafft
  CVE:
  DEBIAN: http://bugs.debian.org/496366
  GENTOO: #235804
  FILES: mafft-homologs
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mafft

* mgetty
  CVE:
  DEBIAN: http://bugs.debian.org/496403
  GENTOO: #235806
  FILES: faxspool
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mgetty-fax

* mgt
  CVE:
  DEBIAN: http://bugs.debian.org/496434
  GENTOO: #0
  FILES: mailgo
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mgt

* mon
  CVE: [requested]
  DEBIAN: http://bugs.debian.org/496398
  GENTOO: #0
  FILES: test.alert
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/mon

* myspell
  CVE:
  DEBIAN: http://bugs.debian.org/496392
  GENTOO: #0
  FILES: i2myspell
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/myspell-tools

* netmrg
  CVE:
  DEBIAN: http://bugs.debian.org/496384
  GENTOO: #0
  FILES: rrdedit
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/netmrg

* newsgate
  CVE:
  DEBIAN: http://bugs.debian.org/496437
  GENTOO: #0
  FILES: mkmailpost
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/newsgate

* ogle
  CVE:
  DEBIAN: http://bugs.debian.org/496425
  DEBIAN: http://bugs.debian.org/496420
  GENTOO: #0
  FILES: ogle_audio_debug, ogle_cli_debug, ogle_ctrl_debug, ogle_gui_debug, ogle_mpeg_ps_debug, ogle_mpeg_vs_debug, ogle_nav_debug, ogle_vout_debug
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ogle
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/ogle-mmx
  NOTE: This only affects debugging scripts not present in standard path

* openoffice.org
  CVE:
  DEBIAN: http://bugs.debian.org/496361
  GENTOO: #235824
  FILES: senddoc
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/openoffice.org-common
  [etch] - openoffice.org <not-affected> (Vulnerable code not present)
  NOTE: also not present in 3.0.0, only in 2.4.1. Fix pending upload.

* openswan
  CVE: CVE-2008-4190
  DEBIAN: http://bugs.debian.org/496374
  GENTOO: #238574
  FILES: livetest
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/openswan

* plait
  CVE: CVE-2008-4085
  DEBIAN: http://bugs.debian.org/496381
  GENTOO: #0
  FILES: plait, plaiter
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/plait

* postfix
  CVE:
  DEBIAN: http://bugs.debian.org/496401
  GENTOO: #235811
  FILES: postfix_groups.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/postfix
  NOTE: Not enabled by default, needs manual modification of a script

* qemu
  CVE:
  DEBIAN: http://bugs.debian.org/496394
  GENTOO: #235826
  FILES: qemu-make-debian-root
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/qemu

* radiance
  CVE:
  DEBIAN: http://bugs.debian.org/496433
  GENTOO: #0
  FILES: optics2rad, pdelta, dayfact, raddepend
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/radiance

* rancid
  CVE:
  DEBIAN: http://bugs.debian.org/496426
  GENTOO: #0
  FILES: getipacctg
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rancid-util

* R
  CVE: CVE-2008-3931
  DEBIAN: http://bugs.debian.org/496418
  DEBIAN: http://bugs.debian.org/496363
  GENTOO: #235822
  FILES: javareconf, javareconf.orig
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/r-base-core
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/r-base-core-ra

* rccp
  CVE:
  DEBIAN: http://bugs.debian.org/496364
  GENTOO: #0
  FILES: delqueueask
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rccp

* realtimebattle
  CVE:
  DEBIAN: http://bugs.debian.org/496385
  GENTOO: #0
  FILES: perl.robot
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/realtimebattle-common

* rkhunter
  CVE:
  DEBIAN: http://bugs.debian.org/496375
  GENTOO: #235798
  FILES: rkhunter
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/rkhunter

* scilab-bin
  CVE:
  DEBIAN: http://bugs.debian.org/496414
  GENTOO: #0
  FILES: scilink, scidoc, scidem
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/scilab-bin

* scratchbox2
  CVE:
  DEBIAN: http://bugs.debian.org/496409
  GENTOO: #0
  FILES: dpkg-checkbuilddeps, sb2-check-pkg-mappings
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/scratchbox2

* sgml2x
  CVE:
  DEBIAN: http://bugs.debian.org/496368
  GENTOO: #0
  FILES: rlatex
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sgml2x

* sng
  CVE:
  DEBIAN: http://bugs.debian.org/496407
  GENTOO: #0
  FILES: sng_regress
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sng

* sympa
  CVE:
  DEBIAN: http://bugs.debian.org/494969
  DEBIAN: http://bugs.debian.org/496405
  GENTOO: #0
  FILES: wwsympa.fcgi, sympa.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sympa

* tiger
  CVE: CVE-2008-3927
  DEBIAN: http://bugs.debian.org/496415
  GENTOO: #0
  FILES: genmsgidx
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/tiger
  NOTE: the script is only used during build time

* vdr
  CVE:
  DEBIAN: http://bugs.debian.org/496421
  GENTOO: #235827
  FILES: vdrleaktest
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/vdr-dbg

* wims
  CVE:
  DEBIAN: http://bugs.debian.org/496387
  GENTOO: #0
  FILES: coqweb, account.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/wims

* xastir
  CVE:
  DEBIAN: http://bugs.debian.org/496383
  GENTOO: #0
  FILES: get-maptools.sh, get_shapelib.sh
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xastir

* xcal
  CVE:
  DEBIAN: http://bugs.debian.org/496393
  GENTOO: #0
  FILES: pscal
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xcal

* xen
  CVE:
  DEBIAN: http://bugs.debian.org/496367
  GENTOO: #235805
  FILES: qemu-dm.debug
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xen-utils-3.2-1

* xmcd
  CVE:
  DEBIAN: http://bugs.debian.org/496416
  GENTOO: #0
  FILES: ncsarmt, ncsawrap
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/xmcd

* bk2site
  CVE:
  DEBIAN: http://bugs.debian.org/496430
  GENTOO: #0
  FILES: redirect.pl
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/bk2site
  NOTE: requires code change, $debug = 1

* initramfs-tools
  CVE:
  DEBIAN: http://bugs.debian.org/496386
  GENTOO: #0
  FILES: init
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/initramfs-tools

* sendmail-base
  CVE: CVE-2003-0308
  DEBIAN: http://bugs.debian.org/496408
  GENTOO: #0
  FILES: checksendmail, expn
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/sendmail-base
  NOTE: Code path not run

* printfilters-ppd
  CVE:
  DEBIAN: http://bugs.debian.org/496417
  GENTOO: #0
  FILES: master-filter
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/printfilters-ppd

* datafreedom-perl
  CVE:
  DEBIAN: http://bugs.debian.org/496429
  GENTOO: #0
  FILES: dfxml-invoice
  CODE: http://dev.gentoo.org/~rbu/security/debiantemp/datafreedom-perl
I found one in sys-cluster/fence-2.02.00-r1 (belongs to cman-2.02.00-r1, but our fence_egenera does not have CVE-2008-4192), see #240576
aegis: CVE-2008-4938 / #245760
emacs-jabber: CVE-2008-4952 / #245761
gccxml: CVE-2008-4957 / #245765
The bug in emacs-jabber (CVE-2008-4952 / #245761) is Debian-specific and exists only in their installer.
ogle: CVE-2008-4976 / #245921
scilab: CVE-2008-4983 / #245922
firehol: CVE-2008-4953 / #246013
lmbench: CVE-2008-4968 / #246015
initramfs-tools: CVE-2008-4996 / we do not ship those
twiki: CVE-2008-4998 / #235802

And we have a different symlink bug:
app-emulation/xen: CVE-2008-4993 / #246068
freevo: CVE-2008-4955
dev-lang/lazarus: CVE-2008-5007 / #235828
I added the dependencies:

virtualbox: 248750 / CVE requested
sys-fs/ecryptfs-utils: 248058 / CVE-2008-5188
app-mobilephone/smsclient: 247483 / CVE-2008-5155
app-pda/p3nfs: 247481 / CVE-2008-5154
sci-visualization/mayavi: 247479 / CVE-2008-5151
net-dialup/ppp-2.4.4-r21 (/etc/ppp/ip-up.d/40-dns.sh) #250553 / this is LIKE CVE-2008-5367, but not the same issue.
app-misc/muttprint<=0.72d #250554 / CVE-2008-5368
Added blockers:

app-misc/screenie-1.30.0: CVE-2008-5371 / #250476
media-sound/cmus-2.2.0: CVE-2008-5375 / #250474
app-text/tkman <= 2.2: CVE-2008-5137 / #247540 - Does not have a maintainer/herd
Shouldn’t this bug /depend on/ instead of /block/ bug 247986 and bug 251316?
All blockers are done. Closing.