Bug 395285 (CVE-2011-4617) - <dev-python/virtualenv-1.5.1 incorrect temp dir usage (CVE-2011-4617)
Summary: <dev-python/virtualenv-1.5.1 incorrect temp dir usage (CVE-2011-4617)
Status: RESOLVED FIXED
Alias: CVE-2011-4617
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-19 17:47 UTC by Agostino Sarubbo
Modified: 2012-06-22 16:53 UTC
1 user

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-12-19 17:47:32 UTC
From oss-security mailing list at $URL:

Description:
Insecure /tmp file handling was found in python-virtualenv.

Solution:
There is a patch at the upstream bug [1].


[1]: https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5
Comment 1 Arfrever Frehtes Taifersar Arahesis 2011-12-19 21:53:59 UTC
The fix was released in virtualenv 1.5 on 2010-09-14.
Vulnerable versions were deleted from gentoo-x86 over 11 months ago.
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-19 22:08:01 UTC
(In reply to comment #1)
> The fix was released in virtualenv 1.5 on 2010-09-14.
> Vulnerable versions were deleted from gentoo-x86 over 11 months ago.

Sorry, my mistake.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-12-19 23:06:14 UTC
GLSA Vote: yes.
Comment 4 Dirkjan Ochtman gentoo-dev 2012-02-17 08:34:29 UTC
I'm thinking this could be closed...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:24:09 UTC
CVE-2011-4617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4617):
  virtualenv.py in virtualenv before 1.5 allows local users to overwrite
  arbitrary files via a symlink attack on a certain file in /tmp/.
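An added example, not code from virtualenv, the upstream changeset or the GLSA, contrasting the temp-file pattern the CVE text describes with two hardened forms. It runs inside a constructed sandbox directory that stands in for /tmp; the file names and the `virtualenv-bootstrap.py` label are assumptions made for the demo.

```python
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # present on Linux; 0 keeps the demo portable


def unsafe_write(path, data):
    # The pattern behind the CVE: write to a fixed, guessable name under /tmp.
    # open(..., "w") follows whatever already sits at that path, so a symlink
    # placed there beforehand redirects the write to the link's target.
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_write(path, data):
    # Hardened form when the name must stay fixed: create-or-fail.
    # O_CREAT|O_EXCL makes the kernel refuse if anything (file or symlink,
    # dangling or not) already exists at the path, so nothing is followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def private_tempfile(data, directory=None):
    # Preferred form: mkstemp picks an unpredictable name, creates it exclusively
    # with mode 0600, and hands back the fd so the write cannot be redirected.
    fd, path = tempfile.mkstemp(prefix="virtualenv-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demonstrate(sandbox=None):
    # Constructed scenario: a victim file and a pre-placed symlink at the guessable
    # name (the situation the CVE text describes), all inside a private sandbox.
    sandbox = sandbox or tempfile.mkdtemp(prefix="cve-2011-4617-demo-")
    victim = os.path.join(sandbox, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original")
    guessable = os.path.join(sandbox, "virtualenv-bootstrap.py")  # assumed name
    os.symlink(victim, guessable)

    try:  # hardened fixed-name writer: refuses, victim untouched
        exclusive_write(guessable, "clobbered")
        refused = False
    except FileExistsError:
        refused = True
    with open(victim) as fh:
        after_exclusive = fh.read()

    unsafe_write(guessable, "clobbered")  # vulnerable writer: follows the link
    with open(victim) as fh:
        after_unsafe = fh.read()

    st = os.lstat(private_tempfile("payload", directory=sandbox))
    return {"exclusive_refused": refused, "victim_after_exclusive": after_exclusive,
            "victim_after_unsafe": after_unsafe, "private_is_symlink": stat.S_ISLNK(st.st_mode),
            "private_mode": stat.S_IMODE(st.st_mode)}


if __name__ == "__main__":
    print(demonstrate())
```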
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:30:03 UTC
Vote: yes.

Created new GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-06-22 16:53:25 UTC
This issue was resolved and addressed in
 GLSA 201206-17 at http://security.gentoo.org/glsa/glsa-201206-17.xml
by GLSA coordinator Sean Amoss (ackle).