Bug 237481 (CVE-2008-3928) - net-analyzer/honeyd < 1.5c-r1 test.sh insecure temporary file creation (CVE-2008-3928)
Status: RESOLVED FIXED
Alias: CVE-2008-3928
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
Reported: 2008-09-12 13:58 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-13 13:38 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 13:58:44 UTC
CVE-2008-3928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3928):
  test.sh in Honeyd 1.5c might allow local users to overwrite arbitrary
  files via a symlink attack on temporary files.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-09-15 17:28:55 UTC
I've committed honeyd-1.5c-r1 which should fix this issue. The patch was taken from Debian and basically it makes test.sh use /var/log instead of /tmp for log files. Please review and CC arch teams if everything is correct.
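Added example, not part of the comment above and not honeyd's test.sh or the Debian patch: a sandboxed sketch of why a fixed log name in a world-writable directory is unsafe and why moving to a directory like /var/log closes the hole. The function names (`naive_log`, `pick_log_dir`, `demo`), the `honeyd-test.XXXXXX` template and all sandbox paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not honeyd's test.sh. All names and paths are constructed.

# Vulnerable pattern: fixed file name in a directory other users can write to.
# A plain ">" follows whatever already sits at that name, symlinks included.
naive_log() {                       # $1 = log directory, $2 = message
    printf '%s\n' "$2" > "$1/test.log"
}

# True if "others" have write permission on the directory (like /tmp).
dir_is_world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened choice of log directory: use $1 as-is when it is not
# world-writable (the /var/log case); otherwise create a fresh private
# subdirectory with an unpredictable name (mode 0700) and use that.
pick_log_dir() {
    if dir_is_world_writable "$1"; then
        mktemp -d "$1/honeyd-test.XXXXXX"
    else
        printf '%s\n' "$1"
    fi
}

# Sandbox demo: a pre-existing symlink named test.log points at "victim".
# Prints the victim's content after a naive and after a hardened write.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" && chmod 1777 "$box/shared"
    for mode in naive hardened; do
        echo original > "$box/victim"
        ln -sf "$box/victim" "$box/shared/test.log"
        dir="$box/shared"
        if [ "$mode" = hardened ]; then dir=$(pick_log_dir "$box/shared"); fi
        naive_log "$dir" "log line"
        printf '%s: %s\n' "$mode" "$(cat "$box/victim")"
    done
    rm -rf "$box"
}

demo
```

The naive write replaces the victim's content, while the hardened run leaves it as `original` because the log lands in a directory nobody else could have populated beforehand.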
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:41:04 UTC
Arches, please test and mark stable:
=net-analyzer/honeyd-1.5c-r1
Target keywords : "amd64 sparc x86"
Comment 3 Markus Meier gentoo-dev 2008-09-20 13:02:26 UTC
amd64/x86 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-09-20 13:47:52 UTC
sparc stable, closing
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-09-20 14:45:32 UTC
D'oh, sorry
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-25 18:27:41 UTC
time for glsa decision, I vote yes.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-18 20:31:39 UTC
YES too, request filed.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-13 13:38:19 UTC
GLSA 200812-12, thanks everyone, sorry about the "delay".