Bug 297377 (CVE-2009-4193) - <sci-geosciences/merkaartor-0.17.2: symlink attack (CVE-2009-4193)
Summary: <sci-geosciences/merkaartor-0.17.2: symlink attack (CVE-2009-4193)
Status: RESOLVED FIXED
Alias: CVE-2009-4193
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Blocks: 296279
Reported: 2009-12-18 01:20 UTC by Stefan Behte (RETIRED)
Modified: 2011-06-12 18:33 UTC
CC: 4 users
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:20:31 UTC
CVE-2009-4193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4193):
  Merkaartor 0.14 allows local users to append data to arbitrary files
  via a symlink attack on the /tmp/merkaartor.log temporary file.
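The bug class named in the CVE text (appending to a fixed, predictable path in a world-writable directory without refusing symlinks) is easy to reproduce generically. The following C program is an added example written for this page; it is not Merkaartor's code and does not claim to show how Merkaartor opened its log. It contrasts the unsafe open() pattern with a hardened one, and runs a constructed scenario (a private scratch directory under /tmp, an empty "victim" file, and a symlink named merkaartor.log pointing at it, as a local attacker would plant) against each. The path names, the scenario, and the helper names are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the class of bug the CVE text describes): a fixed,
 * predictable path in a shared directory opened with O_CREAT|O_APPEND and no
 * O_NOFOLLOW. open() follows a symlink planted by another local user, so every
 * log line lands in whatever file the link points at. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened variant: O_NOFOLLOW makes open() fail with ELOOP on a symlink, and
 * the fstat() checks reject a pre-existing file that is not a plain regular
 * file owned by us with a single link (a hard-link variant of the same trick).
 * The real fix is not to log under a fixed name in /tmp at all (use a per-user
 * directory or mkstemp()); this is the minimum that stops the symlink case for
 * a path you cannot change. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_NOCTTY, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario (assumption: /tmp is writable). A fresh mkdtemp()
 * directory holds an empty "victim" file and a symlink named merkaartor.log
 * pointing at it; the given opener is then used the way logging code would.
 * Returns 1 if the write went through the link into victim (attack worked),
 * 0 if the opener refused, -1 on setup failure. */
int run_scenario(int (*opener)(const char *))
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char victim[128], lnk[128];
    const char msg[] = "log line written by the victim process\n";
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/merkaartor.log", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (vfd >= 0 && close(vfd) == 0 && symlink(victim, lnk) == 0) {
        int fd = opener(lnk);
        if (fd < 0) {
            result = 0;                 /* opener refused the planted link */
        } else {
            ssize_t n = write(fd, msg, sizeof msg - 1);
            close(fd);
            struct stat st;
            /* attack succeeded if the bytes now sit in the victim file */
            result = (n == (ssize_t)(sizeof msg - 1) && stat(victim, &st) == 0 &&
                      st.st_size == (off_t)(sizeof msg - 1)) ? 1 : 0;
        }
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe opener: attack %s\n",
           run_scenario(open_log_unsafe) == 1 ? "succeeded" : "failed");
    printf("safe opener:   attack %s\n",
           run_scenario(open_log_safe) == 0 ? "blocked" : "NOT blocked");
    return 0;
}
```

The scratch directory is created mode 0700 and is not sticky, so the kernel's fs.protected_symlinks restriction (which only applies to symlinks in sticky world-writable directories owned by another user) does not interfere with the demonstration; in a real /tmp on a modern kernel that sysctl already blocks much of this class, which is why the O_NOFOLLOW fix above matters most on systems where it is off or where the log directory is not sticky.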
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:21:12 UTC
No stable ebuild, so it's just ~3.
Comment 2 Thilo Bangert (RETIRED) gentoo-dev 2010-01-17 13:12:58 UTC
0.14 is not even in the tree yet.
Leaving open and blocking the 0.14 bump request.

more links:
https://bugzilla.redhat.com/show_bug.cgi?id=544284
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548546
http://trac.openstreetmap.org/ticket/2320
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2010-06-24 11:45:18 UTC
Still valid for versions >0.14?
There is another bump request for 0.16.1 #311127
Comment 4 Pinky 2010-09-22 09:39:54 UTC
It seems fixed (reported fixed in Bugzilla, and my tests show that too).
Comment 5 Pinky 2011-04-18 22:37:45 UTC
Hello, someone alive?
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2011-06-09 20:33:52 UTC
0.17.2 is in main tree. No older versions around. This bug is thus not present in main tree. Feel free to close this.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:33:50 UTC
(In reply to comment #6)
> 0.17.2 is in main tree. No older versions around. This bug is thus not present
> in main tree. Feel free to close this.

Great, thanks. Closing noglsa for an ~arch-only package.