Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 66359 - app-crypt/mit-krb5: Insecure tempfile handling
Summary: app-crypt/mit-krb5: Insecure tempfile handling
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Highest minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [stable+ x86] lewk
Depends on:
Reported: 2004-10-04 15:29 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

kerberos5-1.3.4-tempfile.patch (kerberos5-1.3.4-tempfile.patch,1.35 KB, patch)
2004-10-04 15:30 UTC, Luke Macken (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:29:54 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:30:52 UTC
Created attachment 41098 [details, diff]

Trustix patch to fix insecure tempfile handling
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:31:55 UTC

please verify and apply patch if necessary.
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2004-10-14 15:33:10 UTC

The patch applies cleanly to 1.3.4 and 1.3.5.  1.3.4-r1 needs to be tested on all arch's, but 1.3.5-r1 has been created also and should remain unstable.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-10-14 17:07:57 UTC
archs, please mark mit-krb5-1.3.4-r1 stable.
Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-10-15 03:12:40 UTC
stable on ppc
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-15 03:47:18 UTC
Stable on alpha.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-10-15 07:30:57 UTC
Stable on sparc.
Comment 8 Danny van Dyk (RETIRED) gentoo-dev 2004-10-16 07:21:41 UTC
stable on amd64.
Comment 9 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 15:04:50 UTC
Stable on mips.
Comment 10 Akinori Hattori gentoo-dev 2004-10-17 05:54:46 UTC
Stable on ia64.
Comment 11 Tom Gall (RETIRED) gentoo-dev 2004-10-18 21:22:41 UTC
stable on ppc64
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-19 00:47:18 UTC
GLSA blocked by missing x86 keyword... Could maintainer or x86 arch test and mark stable ?
Comment 13 Guy Martin (RETIRED) gentoo-dev 2004-10-20 04:55:42 UTC
Done on hppa.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-10-25 06:22:46 UTC
klieber marked stable on x86.
arm and s390 should mark stable to benefit from GLSA.

GLSA 200410-24