Bug 285861 (CVE-2009-4664) - <net-firewall/fwbuilder-3.0.7 Insecure temporary file creation (CVE-2009-4664)
Status: RESOLVED FIXED
Alias: CVE-2009-4664
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.fwbuilder.org/docs/firewal...
Whiteboard: B3 [glsa]
Reported: 2009-09-21 20:45 UTC by Alex Legler (RETIRED)
Modified: 2012-01-23 20:37 UTC (History)

Attachments
3.0.7-secure-mktemp.patch (3.0.7-secure-mktemp.patch,987 bytes, patch)
2009-11-12 09:34 UTC, Tiziano Müller (RETIRED)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-21 20:45:05 UTC
Upstream release notes:
Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6.

3.0.7 was released to fix this issue; however, in https://bugzilla.redhat.com/show_bug.cgi?id=524588, Jan Lieskovsky mentioned that the fix is not complete.
Upstream is informed. Let's wait for a reaction.
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2009-11-12 09:34:50 UTC
Created attachment 209994
3.0.7-secure-mktemp.patch

I just did a version bump including a patch written by me to fix the security issue.
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2009-11-12 09:35:51 UTC
Package compiles and runs fine here with the mentioned patch.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:29:45 UTC
Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.7
Target keywords : "amd64 ppc ppc64 x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-03-08 17:43:39 UTC
ppc64 done
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-08 17:59:54 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2010-03-08 20:15:53 UTC
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:55:16 UTC
Marked ppc stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:15:56 UTC
glsa request filed.
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2011-03-30 20:52:37 UTC
All affected versions removed from tree
Comment 10 Joshua Kinard gentoo-dev 2011-12-24 19:48:03 UTC
fwbuilder-3.0.7 is no longer in the tree.  Closing as OBSOLETE.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:24:53 UTC
Please do not close security bug--we need to publish a GLSA for this--thanks.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:37:10 UTC
This issue was resolved and addressed in
 GLSA 201201-11 at http://security.gentoo.org/glsa/glsa-201201-11.xml
by GLSA coordinator Sean Amoss (ackle).