See $URL and bug 235770.
Yes, we ship /usr/bin/mafft-homologs.rb and it's vulnerable. I checked version 6.240, the vulnerable code is in line 37 and 38 of the mentioned script. There are way more occurrences though. It allows for overwriting arbitrary files with a fixed content in the first cases. Package has no stable version and is only keyworded for ~x86. According to $URL, Debian has developed a patch, see [1].
[1] http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/debian/patches/Securisation-by-mktemp-usage.patch?op=file&rev=0&sc=0
I'll handle this one.
Sorry, it turns out that I just don't have the time right now to fix this, because I just had a baby Monday. Could someone else please handle it?
(In reply to comment #3)
> Sorry, it turns out that I just don't have the time right now to fix this,
> because I just had a baby Monday. Could someone else please handle it?
Congratulations, Donnie! I'll take care of this one for you.
Best, Markus
Created attachment 164660: suggested patch to fix insecure tempfile handling
I've attached a patch to fix the insecure tempfile issues for further review. It is taken mostly from the fix developed by the Debian folks together with mafft's upstream. The Ruby code uses the Tempfile class which will also take care of removing the generated temporary files upon termination of the script. Any feedback would be welcome.
Thanks, Markus
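The class of bug discussed in this report and the Tempfile-based remedy, as an added example that is not part of the thread, the attached patch or mafft's code. The `_in.<pid>` file name, the helper names and the sandbox layout are assumptions made for illustration; everything runs inside a throwaway directory.

```ruby
require "tempfile"
require "tmpdir"

# Unsafe pattern: a guessable name in a shared directory, opened with "w".
# Without O_EXCL the open follows a pre-existing symlink and truncates its target.
def write_predictable(dir, data)
  path = File.join(dir, "_in.#{Process.pid}") # hypothetical naming scheme
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened pattern: Tempfile picks an unpredictable name and creates the file
# with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink is never reused.
def write_with_tempfile(dir, data)
  tf = Tempfile.new("mafft", dir)
  tf.write(data)
  tf.flush
  tf
end

# Run both patterns against a planted symlink inside a sandbox directory.
def demo
  Dir.mktmpdir("tmpdemo") do |sandbox|
    shared = File.join(sandbox, "tmp")
    Dir.mkdir(shared)
    victim = File.join(sandbox, "victim.txt") # constructed stand-in for a user's file
    File.write(victim, "important\n")
    # Another local user guesses the name and plants a symlink before the script runs.
    File.symlink(victim, File.join(shared, "_in.#{Process.pid}"))

    write_predictable(shared, "fixed content\n")
    clobbered = File.read(victim) == "fixed content\n"

    File.write(victim, "important\n") # restore, then try the hardened variant
    tf = write_with_tempfile(shared, "fixed content\n")
    result = {
      unsafe_clobbered_victim: clobbered,
      tempfile_left_victim_intact: File.read(victim) == "important\n",
      tempfile_is_symlink: File.symlink?(tf.path),
      tempfile_private: (File.stat(tf.path).mode & 0o077).zero?
    }
    tf.close! # close and unlink now; Tempfile also cleans up at exit
    result
  end
end

p demo if $PROGRAM_NAME == __FILE__
```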
Markus, I didn't review the patch, but feel free to bump if it was coordinated with both upstream and Debian, and you verified it works.
Hi Robert, I've added mafft-6.240-r1 to the tree which contains this patch. All vulnerable ebuilds have been removed from the tree. Best, Markus
Thanks. ~arch-only packages are not subject to the GLSA process, closing as such.
*** Bug 245920 has been marked as a duplicate of this bug. ***