From the Debian bug at $URL:

> /usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend<PID>), and without using $TMPDIR.
>
> To reproduce, run the depend target in a BSD package like csh:
>
>     /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
>     + TMP=/tmp/_depend7338
>     + mv /tmp/_depend7338 .depend
>
> This applies to both lenny and squeeze. Upstream is not affected as the code was eliminated back in 2003:
> <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
> <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>
>
> Patch to use mktemp(1): ...

Even though the Debian bug says that upstream is not affected, I just checked our =sys-devel/pmake-1.111.1-r1 and it looks affected.
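For comparison with the weak pattern quoted above (TMP=/tmp/_depend<PID>), here is an added example of the mktemp(1)-based approach the Debian patch takes; it is not the Debian or Gentoo patch itself, and the function name make_depend and the stand-in for the mkdep step are assumptions.

```shell
# Added example: create the .depend scratch file the way the Debian patch
# suggests (mktemp(1), honouring $TMPDIR) instead of the reported pattern
#     TMP=/tmp/_depend$$
# whose name is guessable from the PID and which always lands in /tmp.
#
# make_depend TARGET_DIR SRC.c...
#   Writes dependency lines into a private temp file, then renames it into
#   place as TARGET_DIR/.depend.
make_depend() {
    target_dir="$1"; shift
    tmpdir="${TMPDIR:-/tmp}"
    # mktemp replaces XXXXXX with a random suffix and creates the file with
    # mode 0600, so an attacker cannot pre-create or symlink the name.
    tmp="$(mktemp "${tmpdir}/_depend.XXXXXX")" || return 1
    # Stand-in for the real mkdep/cc -M step (assumption): one "obj: src"
    # line per source file.
    for src in "$@"; do
        printf '%s.o: %s\n' "${src%.c}" "$src"
    done > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rename rather than copy so .depend is never observable half-written.
    mv -f "$tmp" "$target_dir/.depend"
}
```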
pmake-1.111.3.1 has the fix
(In reply to comment #1)
> pmake-1.111.3.1 has the fix

Great, thanks.

Arches, please test and mark stable:
=sys-devel/pmake-1.111.3.1
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
amd64 ok
ditto
x86 stable. Thanks
ppc/ppc64 stable
arm stable
amd64 done. Thanks, Agostino and Ian.
alpha/ia64/sparc stable
Thanks, folks. GLSA Vote: yes.
Has this gone to GLSA yet? Are there any actions the bsd team should take?
(In reply to comment #11)
> Has this gone to GLSA yet? Are there any actions the bsd team should take?

Hi, Naohiro. There is no action for the bsd team. The security team has it from here. Thanks.
Vote: YES. New GLSA request filed.
Nothing left to do for bsd.
This issue was resolved and addressed in GLSA 201310-17 at http://security.gentoo.org/glsa/glsa-201310-17.xml by GLSA coordinator Sergey Popov (pinkbyte).