Bug 68404 - sys-apps/groff: Insecure tmpfile use
Summary: sys-apps/groff: Insecure tmpfile use
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://bugzilla.redhat.com/bugzilla/s...
Whiteboard: B3 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-21 07:55 UTC by Thierry Carrez (RETIRED)
Modified: 2004-11-08 02:51 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch from Debian (groffer.patch,710 bytes, patch)
2004-11-02 05:48 UTC, Thierry Carrez (RETIRED)
groff-1.18.1.1.ebuild (groff-1.18.1.1.ebuild,3.10 KB, text/plain)
2004-11-06 02:18 UTC, Akinori Hattori

Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 07:55:36 UTC
CAN-2004-0969

The groffer script in the Groff package 1.18 and later versions, as
used in Trustix Secure Linux 1.5 through 2.1, and possibly other
operating systems, allows local users to overwrite files via a symlink
attack on temporary files.
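
The class of bug described above, as an added example that is not part of the original report and is not groffer's code: a script that writes to a guessable name in a shared directory follows a symlink already sitting at that path, while a private `mktemp -d` directory avoids it. All function and file names are hypothetical, and the constructed scenario runs inside a throwaway sandbox directory.

```shell
#!/bin/sh
# Added illustration; not groffer's code. All names here are hypothetical.

# Vulnerable pattern: a fixed, guessable name in a shared directory.
# A plain ">" redirection follows a symlink that already exists at that path.
write_predictable() {
    dir=$1; data=$2
    printf '%s\n' "$data" > "$dir/demo_tmp"
}

# Hardened pattern: mktemp creates a private directory (mode 0700,
# unpredictable name, fails if the name is taken); work only inside it.
# Prints the path of the file it wrote.
write_private() {
    dir=$1; data=$2
    work=$(mktemp -d "$dir/demo.XXXXXX") || return 1
    printf '%s\n' "$data" > "$work/demo_tmp" || return 1
    printf '%s\n' "$work/demo_tmp"
}

# Constructed scenario: a symlink is already present at the predictable
# name and points at a file standing in for another user's data.
# Prints "<victim after unsafe write>|<victim after safe write>".
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'important\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/demo_tmp"

    write_predictable "$sandbox" "scratch data"
    after_unsafe=$(cat "$sandbox/victim")

    printf 'important\n' > "$sandbox/victim"   # restore the stand-in file
    write_private "$sandbox" "scratch data" > /dev/null || return 1
    after_safe=$(cat "$sandbox/victim")

    printf '%s|%s\n' "$after_unsafe" "$after_safe"
    rm -rf "$sandbox"
}

demo
```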
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 08:04:30 UTC
Patch on RedHat bug doesn't apply to our groffer either... but it looks vulnerable nevertheless. Maybe we should wait for RedHat to patch and see if it applies?

Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-28 00:52:15 UTC
The 1.19 patch posted on the RedHat bug (see URL) should apply to 1.19-r1. Then we could push 1.19 to stable on all arches. It's probably simpler than backporting the fix for 1.18.

base-system/vapier: please have a look :)
Comment 3 SpanKY gentoo-dev 2004-10-28 19:45:08 UTC
umm, we don't have 1.19-r1

we have 1.19.1-r1 ... and don't lie to me, but that patch doesn't even come CLOSE to applying cleanly to 1.19.1-r1 ;)

i just moved 1.19.1-r1 to stable for unrelated reasons, and many other arches already have it as stable ... current KEYWORDS:
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ~ppc ~ppc64 s390 ~sparc x86"

figure out what you wanna do :)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-29 00:45:04 UTC
heh, blame Mark Cox :)
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-02 02:27:44 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278265
Debian bug report with backported patch
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-02 05:48:41 UTC
Created attachment 43158 [details, diff]
Patch from Debian

Patch from Debian bug.

Applies correctly:
 patching file contrib/groffer/groffer.sh
 Hunk #1 succeeded at 3217 (offset -11 lines).
Comment 7 SpanKY gentoo-dev 2004-11-02 16:35:57 UTC
i assume that's for groff-1.18.1 ...

why should we bother ? groff-1.19.1 looks like this now:
groff-1.19.1-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ~ppc ~ppc64 s390 sparc x86"
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-03 00:50:11 UTC
No, the patch applies to 1.19.1-r1
AFAICT 1.19.1-r1 is still vulnerable, that's why we should care.
Comment 9 SpanKY gentoo-dev 2004-11-03 16:02:19 UTC
touche salesman

groff-1.19.1-r2 now in cvs with aforementioned patch
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-11-04 00:30:26 UTC
Arches please test and mark stable.

Note that the only difference with 1.19.1-r1 (for those arches having that version stable) is the tempfile handling in the groffer utility.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-04 03:27:37 UTC
Stable on alpha.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-04 05:37:34 UTC
sparc stable.
Comment 13 Akinori Hattori gentoo-dev 2004-11-04 06:07:53 UTC
Please apply this fix to 1.18 too. multibyte patch for 1.19 is not yet released.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2004-11-04 09:20:50 UTC
groff-1.19.1-r2 is now tested and marked stable on ppc64.

Markus
Comment 15 Travis Tilley (RETIRED) gentoo-dev 2004-11-04 09:37:08 UTC
stable on amd64
Comment 16 SpanKY gentoo-dev 2004-11-04 19:01:41 UTC
if someone posts a patch that'll apply cleanly to 1.18.1-r4 i'll add a 1.18.1-r5
Comment 17 SpanKY gentoo-dev 2004-11-04 19:08:00 UTC
moved arm/hppa/ia64/s390/x86 to stable with 1.19.1-r2
Comment 18 Lars Weiler (RETIRED) gentoo-dev 2004-11-04 20:25:42 UTC
ppc stable
Comment 19 Hardave Riar (RETIRED) gentoo-dev 2004-11-05 01:35:27 UTC
Stable on mips.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 01:14:19 UTC
ppc64 is stable... ppc64: please remove yourself from Cc when you mark stable.

Security, please vote on GLSA need. Maybe a grouped GLSA with the davfs and openssl ones?
Comment 21 Akinori Hattori gentoo-dev 2004-11-06 02:18:44 UTC
Created attachment 43389 [details]
groff-1.18.1.1.ebuild

groff-1.18.1.1.ebuild with updated Debian patch.
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-06 04:01:55 UTC
I vote for a grouped GLSA on this one as well.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-11-06 05:36:51 UTC
waiting on davfs2 x86 stable
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-11-07 10:27:13 UTC
davfs will take too much time, issuing GLSA with only openssl and groff
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2004-11-08 02:51:03 UTC
GLSA 200411-15