Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 388867 - <media-video/minitube-1.6: Insecure temporary file
Summary: <media-video/minitube-1.6: Insecure temporary file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on: 388871
Blocks:
  Show dependency tree
 
Reported: 2011-10-29 16:31 UTC by Markos Chandras (RETIRED)
Modified: 2012-03-16 12:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Markos Chandras (RETIRED) gentoo-dev 2011-10-29 16:31:10 UTC
Hi all, 

As described in bug #377929 minitube-1.5 suffers from insecure temporary file vulnerability which could lead to DOS attack. The bug has been fixed in minitube-1.6 which is now on portage. I strongly suggest to perform a 0 day stabilization on this version. If you agree please CC arches.
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2011-10-29 16:32:31 UTC
Just to clarify, 1.5-r1 has a temporary (badly coded but still better than nothing) fix which was rejected by upstream.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-29 16:40:24 UTC
Thanks Markos.

Arches, please test and mark stable:

=media-video/minitube-1.6
target KEYWORDS : "amd64 x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-29 17:34:57 UTC
amd64: pass

NB: fails with linguas fr, ar... can those be disabled on the fly or fixed ?
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-29 17:40:25 UTC
> NB: fails with linguas fr, ar... can those be disabled on the fly or fixed ?

ar works, my bad... fr doesn't
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-30 12:29:07 UTC
amd64 ok
Comment 6 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-30 15:59:00 UTC
amd64: pass
Comment 7 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-10-30 16:04:52 UTC
amd64 : Ok
Comment 8 Tony Vroon gentoo-dev 2011-11-01 10:49:53 UTC
+  01 Nov 2011; Tony Vroon <chainsaw@gentoo.org> minitube-1.6.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo,
+  Elijah "Armageddon" El Lazkani & Tomáš "Mepho" Pružina in security bug
+  #388867.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-02 14:46:03 UTC
x86 stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 22:52:37 UTC
Thanks, folks. GLSA vote: yes.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:07:24 UTC
Vote: yes. 

Created new GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-03-16 12:46:20 UTC
This issue was resolved and addressed in
 GLSA 201203-18 at http://security.gentoo.org/glsa/glsa-201203-18.xml
by GLSA coordinator Sean Amoss (ackle).