Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 247538 (CVE-2008-5148) - sci-electronics/geda <1.4.0-r1 sch2eaglepos.sh insecure temporary file creation (CVE-2008-5148)
Summary: sci-electronics/geda <1.4.0-r1 sch2eaglepos.sh insecure temporary file creati...
Status: RESOLVED FIXED
Alias: CVE-2008-5148
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-19 04:29 UTC by stupendoussteve
Modified: 2009-03-07 16:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-11-19 04:29:44 UTC
sch2eaglepos.sh in geda-gnetlist 1.4.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/##### temporary file.

geda-gnetlist 1.4.0 is pulled in with the geda-1.4.0 package. 

Upstream appears to have an update to 1.4.1.20080929.

Reproducible: Always
Comment 1 Denis Dupeyron gentoo-dev 2008-11-20 12:55:47 UTC
OK, I'll have a look at it. I'm normally away right now but I'm going to have some unexpected availability in the coming days.

Denis.
Comment 3 Denis Dupeyron gentoo-dev 2008-11-30 21:11:12 UTC
The fix is now in CVS. Sorry for the delay.

Security, feel free to go forward and close this bug whenever you want.

Denis.
Comment 4 stupendoussteve 2008-12-08 19:52:19 UTC
Arches please test and stabilize the fixed version.
Comment 5 stupendoussteve 2008-12-08 19:53:21 UTC
Lets try this again...

Arches please test and stabilize the fixed version.
Comment 6 stupendoussteve 2008-12-08 19:55:08 UTC
To clarify, fixed version is geda-1.4.1, target keywords "amd64 ppc sparc x86"

Thanks.
Comment 7 Denis Dupeyron gentoo-dev 2008-12-08 22:26:24 UTC
(In reply to comment #6)
> To clarify, fixed version is geda-1.4.1, target keywords "amd64 ppc sparc x86"

No. I fixed 1.4.0 and used the same sed for 1.4.1 when I added it, which was after fixing 1.4.0. If arches want to stabilize 1.4.1 they have my blessing (although it hasn't been in the tree for a month yet, far from that), but that has nothing to do with the current security issue and should probably be dealt with in another bug.

Denis.
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-08 22:47:47 UTC
Um, do I get this right that you've changed the current stable ebuild to fix that bug? I highly doubt this was a good idea. First, it could've lead to breakage (maybe arch-specific), which would not have been caught by the arch testing process.
Luckily, this has apparently not been the case, but one issue is still remaining: We can't give users sane instructions how to fix that bug -- remerge the package? Does not sound like a good idea.

Please either provide an -r1 version of the 1.4.0 ebuild (as an exact copy, not sure about KEYWORDS then though) or give your explicit ok for stabling 1.4.1 and avoid changing stable ebuilds (or maybe non-p.mask'ed packages in general) in the future, especially in case of security problems.

Sorry if I got this all wrong, please don't feel offended, I'm just trying to get the bug resolved properly. :)

Thanks ;)

Removing arches and reverting whiteboard to [ebuild] until I / somebody else knows what exactly is the case. :)
Comment 9 Denis Dupeyron gentoo-dev 2008-12-08 23:18:32 UTC
(In reply to comment #8)
> Sorry if I got this all wrong, please don't feel offended, I'm just trying to
> get the bug resolved properly. :)

No worries, I clearly screwed up. I'm currently away and fixed that from my hotel room and forgot to revbump in the process. Feel free to revbump now if you want, or I'll do it in 14 hours when I'll have a better connection.

Sorry about this.

Denis.
Comment 10 Denis Dupeyron gentoo-dev 2008-12-10 18:07:46 UTC
(In reply to comment #8)
> Please either provide an -r1 version of the 1.4.0 ebuild (as an exact copy, not
> sure about KEYWORDS then though) or give your explicit ok for stabling 1.4.1
> and avoid changing stable ebuilds (or maybe non-p.mask'ed packages in general)
> in the future, especially in case of security problems.

Done, and straight to stable as the change is really minor in a rarely used function of a package used by few people only.

Sorry again about the mess.

Denis.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:58:59 UTC
The script is installed to /usr/bin, so I vote YES.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 19:09:11 UTC
I vote no, as it's "just" a symlink attack on a script which is barely used.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-13 17:59:04 UTC
yes too, request filed.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:28:14 UTC
GLSA 200903-08