Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 367891 (CVE-2011-1920) - <sys-devel/pmake-1.111.3.1: Insecure temporary file usage (CVE-2011-1920)
Summary: <sys-devel/pmake-1.111.3.1: Insecure temporary file usage (CVE-2011-1920)
Status: RESOLVED FIXED
Alias: CVE-2011-1920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-18 02:30 UTC by Tim Sammut (RETIRED)
Modified: 2013-10-28 11:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-18 02:30:30 UTC
From the Debian bug at $URL:

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

...

Even though the Debian bug says that upstream is not affected, I just checked our =sys-devel/pmake-1.111.1-r1 and it looks affected.
Comment 1 Alexis Ballier gentoo-dev 2011-07-07 20:17:52 UTC
pmake-1.111.3.1 has the fix
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-08 04:29:27 UTC
(In reply to comment #1)
> pmake-1.111.3.1 has the fix

Great, thanks.

Arches, please test and mark stable:
=sys-devel/pmake-1.111.3.1
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-07-08 04:49:05 UTC
amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-07-08 10:19:24 UTC
ditto
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-07-08 11:48:54 UTC
x86 stable. Thanks
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-09 07:38:07 UTC
ppc/ppc64 stable
Comment 7 Markus Meier gentoo-dev 2011-07-10 10:32:00 UTC
arm stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-07-10 14:21:05 UTC
amd64 done. Thanks Agostino and Ian
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-07-10 14:28:41 UTC
alpha/ia64/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 14:50:03 UTC
Thanks, folks. GLSA Vote: yes.
Comment 11 Naohiro Aota gentoo-dev 2011-08-05 12:01:21 UTC
Have this gone to GLSA or not yet? Is there any actions bsd team should take?
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 17:25:35 UTC
(In reply to comment #11)
> Have this gone to GLSA or not yet? Is there any actions bsd team should take?

Hi, Naohiro.

There is no action for the bsd team. The security team has it from here. Thanks.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:19:31 UTC
Vote: YES. New GLSA request filed.
Comment 14 Alexis Ballier gentoo-dev 2013-08-27 18:14:46 UTC
nothing left to do for bsd
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 11:50:58 UTC
This issue was resolved and addressed in
 GLSA 201310-17 at http://security.gentoo.org/glsa/glsa-201310-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).