Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 65647 - media-libs/netpbm: temporary file bugs
Summary: media-libs/netpbm: temporary file bugs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-28 00:47 UTC by Alin Năstac (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alin Năstac (RETIRED) gentoo-dev 2004-09-28 00:47:33 UTC
Package name:           netpbm
 Advisory ID:            MDKSA-2004:011-1
 Date:                   September 27th, 2004
 Original Advisory Date: February 11th, 2004
 Affected versions:	 10.0, 9.2, Corporate Server 2.1,
			 Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A number of temporary file bugs have been found in versions of NetPBM.
 These could allow a local user the ability to overwrite or create
 files as a different user who happens to run one of the the vulnerable
 utilities.

Update:

 The patch applied made some calls to the mktemp utility with an
 incorrect parameter which prevented mktemp from creating temporary
 files in some scripts.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-28 01:01:20 UTC
graphics please confirm and provide a fixed ebuild if necessary.

Mandrake Advisory here:

http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:011-1
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-29 22:21:54 UTC
Version 10 is unaffected by this. Graphics please patch 9.12 or advise which version above 9.20 to mark stable.
Comment 3 Philip Walls (RETIRED) gentoo-dev 2004-09-30 07:03:55 UTC
Since 10.20 is already stable on amd64 and ppc64, can we try stablizing other arches on this version? It's been around since February 2004
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-30 07:54:52 UTC
Yes I think we should have all arches mark a version (>=10.0) of their choice stable, so that we can get rid of the last 9.x version. Most arches already have.

Calling missing arches : hppa mips ppc sparc x86
Please test and mark 10.20 (or any other >=10 version) stable.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-30 12:16:58 UTC
sparc stable.
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-10-01 10:27:50 UTC
stable on ppc
Comment 7 Jochen Maes (RETIRED) gentoo-dev 2004-10-02 03:47:40 UTC
forgot to remove it :-)
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2004-10-02 14:29:39 UTC
10.20 stable on x86
Comment 9 SpanKY gentoo-dev 2004-10-02 21:58:04 UTC
hppa/ia64 stable
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-10-03 06:30:08 UTC
I'll draft the GLSA
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 10:33:41 UTC
GLSA 200410-02