Bug 73545 - app-portage/mirrorselect: Insecure tempfile creation
Summary: app-portage/mirrorselect: Insecure tempfile creation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa] lewk
Depends on:
Reported: 2004-12-06 04:03 UTC by Ervin Németh
Modified: 2006-12-27 01:07 UTC

See Also:
Package list:
Runtime testing required: ---

Attachment: mirrorselect fix (mirrorselect-0.87.patch, 4.64 KB, patch)
2004-12-06 04:07 UTC, Ervin Németh

Description Ervin Németh 2004-12-06 04:03:29 UTC
I wanted to add a new feature to the mirrorselect script, and stumbled on a security risk.
Comment 1 Ervin Németh 2004-12-06 04:07:22 UTC
Created attachment 45372 [details, diff]
mirrorselect fix

Here is a small patch, containing the fix, and various enhancements:

* SECURITY FIX: when using the "-b" switch, split is creating files in the
temporary directory in an insecure manner

* SECURITY FIX: make the script exit if "mktemp" fails

* new switch: "-TX" to allow the user to set the network timeout for wget

* clean up temporary files/directories even if mirrorselect is interrupted by
the user

* fixed progress percentage with "-b" switch

* the logic for how /etc/make.conf is updated is rewritten: don't touch it until
everything seems to be o.k.
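The three temp-file points in the list above (a private directory from mktemp, aborting when mktemp fails, and cleanup on interruption), as an added example that is not the mirrorselect script's own code nor the attached patch; the mirror list it splits is constructed inline.

```shell
#!/bin/sh
# Added example: hardened temporary-file handling for a "split the mirror
# list into chunks" step. Not mirrorselect's code; input is constructed below.

# Create a private work directory, or fail. Never fall back to a guessable
# name such as /tmp/mirrorselect.$$ when mktemp is missing or fails.
make_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/mirrorselect.XXXXXX") || {
        echo "mktemp failed, aborting" >&2
        return 1
    }
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# Split the list into per-chunk files inside the private directory.
# The insecure form is 'split -l 2 "$list" /tmp/mirror.', which writes
# predictable file names into a world-writable directory.
split_mirrors() {
    workdir=$1
    list=$2
    ( cd "$workdir" && split -l 2 "$list" chunk. ) || return 1
    ls "$workdir" | grep -c '^chunk\.'
}

# Whole step: private dir, cleanup on any exit (including Ctrl-C), split,
# print the chunk count. Non-zero status on any failure.
process_mirror_list() {
    list=$1
    workdir=$(make_workdir) || return 1
    trap 'rm -rf "$workdir"' EXIT INT TERM HUP
    split_mirrors "$workdir" "$list"
}

# Constructed sample input: five mirror URLs, two per chunk -> 3 chunks.
sample=$(mktemp "${TMPDIR:-/tmp}/mirrorlist.XXXXXX") || exit 1
printf '%s\n' http://mirror-a.example/gentoo http://mirror-b.example/gentoo \
    http://mirror-c.example/gentoo http://mirror-d.example/gentoo \
    http://mirror-e.example/gentoo > "$sample"
chunks=$(process_mirror_list "$sample")
echo "split into $chunks chunk(s)"
rm -f "$sample"
```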
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-06 13:00:12 UTC
Re-assigning to security.

tools-portage, please verify.
Comment 3 John Mylchreest (RETIRED) gentoo-dev 2004-12-06 13:48:17 UTC
thanks Ervin.

0.89 is in portage for your pleasure.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-12-06 13:50:54 UTC
GLSA drafted.

Security, please review.
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-12-07 04:49:17 UTC
GLSA 200412-05

Thanks Ervin!  Keep up the good work.