Bug 66355 - sys-devel/gettext: Insecure tempfile handling
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: A3 [glsa] lewk
Duplicates: 66485
Reported: 2004-10-04 15:00 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:40 UTC

Attachment: gettext-0.14.1-tempfile.patch (2.57 KB, patch)
2004-10-04 15:01 UTC, Luke Macken (RETIRED)

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:00:47 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
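
The class of problem described in this report, as an added example that is not part of the bug report or the Trustix patch: a script writing to a guessable temporary path, next to the `mktemp` form. The file names, contents and sandbox directory are constructed for the demo; the page does not show what the gettext scripts themselves did.

```shell
#!/bin/sh
# All paths live in a private sandbox directory standing in for a shared /tmp.
# File names and contents are constructed for this demo.

# Unsafe: fixed, guessable name; '>' follows whatever already sits at that path.
write_unsafe() {
    echo "scratch data" > "$1/script.tmp"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# exclusively (O_EXCL, mode 0600), so a pre-existing link is never followed.
write_safe() {
    tmp=$(mktemp "$1/script.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    rm -f "$tmp"
}

# Build a sandbox where a link already exists at the guessable name, pointing
# at a file the script's invoker can write. Run the given writer, then print
# what the invoker's file contains afterwards.
victim_after() {
    writer=$1
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    echo "important" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/script.tmp"
    "$writer" "$sandbox"
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

echo "after unsafe writer: $(victim_after write_unsafe)"
echo "after safe writer:   $(victim_after write_safe)"
```

When auditing a script, any redirection to a fixed or PID-based name under a world-writable directory is the pattern to replace with `mktemp` (or `mktemp -d` plus files inside the private directory).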
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:01:52 UTC
Created attachment 41095

Patch from Trustix to fix tempfile insecurities.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:04:34 UTC
base-system guys,

please verify and apply patch if necessary.  The stable version of gettext, 0.12.1, seems to be vulnerable to this as well.
Comment 3 solar (RETIRED) gentoo-dev 2004-10-04 21:36:23 UTC
The newest revision we have in portage right now is gettext-0.12.1-r1; looks like we might want to consider a newer version altogether.
Comment 4 solar (RETIRED) gentoo-dev 2004-10-04 21:41:07 UTC
Oh, even better: Mike Frysinger just told me he is already working on this one.
Comment 5 SpanKY gentoo-dev 2004-10-05 05:43:07 UTC
version bumped in cvs; everyone needs loving on this one
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-10-05 06:11:46 UTC
archs, please mark gettext-0.14.1 stable.
Comment 7 Travis Tilley (RETIRED) gentoo-dev 2004-10-05 08:04:17 UTC
stable on amd64...
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-05 08:39:40 UTC
Stable on alpha.
Comment 9 SpanKY gentoo-dev 2004-10-05 15:50:22 UTC
arm/hppa/ia64/s390 == OUTTA SIGHT
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-05 18:51:55 UTC
I'm getting failed tests: format-java-1 and format-java-2 with bus errors.
This passed on gettext-0.12.1 so it's somewhat suspicious, did anyone test this on != sparc?
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-10-06 01:40:29 UTC
stable on ppc
Comment 12 Jochen Maes (RETIRED) gentoo-dev 2004-10-06 04:52:17 UTC
Since I installed gettext 0.14.1 I get this error, can someone see to this?

/usr/bin/xgettext: error while loading shared libraries: cannot open shared object file: No such file or directory

Put back to ~ppc until the problem is solved.
Comment 13 SpanKY gentoo-dev 2004-10-06 05:53:33 UTC
/usr/bin/xgettext: error while loading shared libraries: cannot open shared object file: No such file or directory

the fix is to run revdep-rebuild :P
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-06 06:10:33 UTC
sparc stable, with conjured patch for the java tests.
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2004-10-06 07:08:21 UTC
well, xgettext is part of gettext.. So revdep-rebuild doesn't help much here.. Is it being built against the system installed gettext instead of the version in its own directory? Btw, it seems to have built correctly here.
I think 66485 is a dupe... and this one is on x86.. I'm holding off on stabilizing on x86 until this is sorted out..
Comment 16 Olivier Crete (RETIRED) gentoo-dev 2004-10-06 16:48:12 UTC
*** Bug 66485 has been marked as a duplicate of this bug. ***
Comment 17 SpanKY gentoo-dev 2004-10-06 22:08:16 UTC
masked 0.14.1 ... i'll release a new 0.12.1-r# with the patch
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-10-07 01:40:04 UTC
Back to ebuild status, current ebuild breaks things.
NB to sec team: tempfile attacks are "3" not "4".
Comment 19 SpanKY gentoo-dev 2004-10-07 16:59:33 UTC
ok, i've added gettext-0.12.1-r2 to portage with the patch posted here ... one of the hunks is not relevant to 0.12.1 since it removes code that was added to gettext after this release

let's try stabilizing again, shall we
Comment 20 Luke Macken (RETIRED) gentoo-dev 2004-10-07 18:06:52 UTC
archs, please mark gettext-0.12.1-r2 stable.
Comment 21 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 22:02:07 UTC
stable x86 and amd64
Comment 22 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 23:08:46 UTC
stable on sparc
Comment 23 Jochen Maes (RETIRED) gentoo-dev 2004-10-08 02:07:56 UTC
stable on ppc
but QA isn't ok: The patch is bigger than 20K!!!

Comment 24 Guy Martin (RETIRED) gentoo-dev 2004-10-08 07:34:03 UTC
done on hppa.
Comment 25 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-09 02:37:17 UTC
Stable on alpha.
Comment 26 SpanKY gentoo-dev 2004-10-09 18:01:57 UTC
arm/ia64/s390 done
Comment 27 Tom Gall (RETIRED) gentoo-dev 2004-10-09 19:41:58 UTC
stable on ppc64, thanks!
Comment 28 Luke Macken (RETIRED) gentoo-dev 2004-10-10 15:32:37 UTC
GLSA 200410-10

mips, please mark stable to benefit from GLSA.
Comment 29 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 22:16:51 UTC
Stable on mips.