Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 250476 (CVE-2008-5371) - <app-misc/screenie-1.30.0-r1 symlink attack (CVE-2008-5371)
Summary: <app-misc/screenie-1.30.0-r1 symlink attack (CVE-2008-5371)
Status: RESOLVED FIXED
Alias: CVE-2008-5371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-12-10 04:59 UTC by stupendoussteve
Modified: 2009-09-09 13:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-12-10 04:59:00 UTC 
From CVE-2008-5371 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5371)
 screenie in screenie 1.30.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.screenie.##### temporary file.

Reproducible: Always
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-22 19:02:04 UTC 
I asked Marc, if he is getting this fixed, and he replied:


Sorry Craig, I do not have time to make changes on my OSS projects anymore, therefore I released the tool as OSS.

thanks
Marc 



Debian has a patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509332#10

Ali, can you have a look at this?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-08 16:19:12 UTC 
Arches, please test and mark stable:
=app-misc/screenie-1.30.0-r1
Target keywords : "amd64 hppa ia64 sparc x86"


+*screenie-1.30.0-r1 (08 Jun 2009)
+
+  08 Jun 2009; Alex Legler <a3li@gentoo.org> +screenie-1.30.0-r1.ebuild,
+  +files/screenie-CVE-2008-5371.patch:
+  Non-maintainer commit: Applying patch for CVE-2008-5371, bug 250476.
+
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2009-06-08 17:01:41 UTC 
Sparc stable.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-08 19:07:27 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-08 21:13:45 UTC 
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-06-09 14:39:44 UTC 
ia64 stable
Comment 7 Markus Meier gentoo-dev 2009-06-10 19:04:15 UTC 
amd64 stable, all arches done.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-10 19:44:08 UTC 
Vulnerable version removed.

GLSA voting, please.
As the Debian Symlink vulnerabilities usually got a GLSA, I vote YES.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:09:29 UTC 
Yes, too. Request filed.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:34:58 UTC 
GLSA 200909-09