Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 54890 - app-arch/gzip: Insecure creation of temporary files
Summary: app-arch/gzip: Insecure creation of temporary files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-23 07:39 UTC by Aron Griffis (RETIRED)
Modified: 2004-06-24 12:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aron Griffis (RETIRED) gentoo-dev 2004-06-23 07:39:27 UTC
Bug 22483 describes a security issue with tempfile creation in znew and gzexe.  That problem was theoretically fixed and a glsa sent out.

However the patch doesn't check the exit status of the tempfile command.  If tempfile should fail, then it's possible for a rogue command to be executed a few lines later in the script.

I've fixed the patch and bumped the stable rev to 1.3.3-r3 to carry out the change.  At this point we just need a GLSA.  Somebody from security mind handling that?
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-06-23 11:18:17 UTC
GLSA drafted
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-06-24 06:52:52 UTC
GLSA updated with unaffected version -r4 and better description. Security please review.

Note: Changelog is not updated with new -r4
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-06-24 08:14:46 UTC
glsa 200406-18
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-06-24 12:16:43 UTC
> Note: Changelog is not updated with new -r4

That was a ChangeLog error: it said -r3 instead of -r4.  I just fixed it now.