Debian Security Advisory DSA-661-1 f2c -- insecure temporary files
Date Reported: 27 Jan 2005
Affected Packages: f2c
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CAN-2005-0017, CAN-2005-0018.
More information:
Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that f2c and fc, which are both part of the f2c package, a fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack.
The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
- CAN-2005-0017 Multiple insecure temporary files in the f2c translator.
- CAN-2005-0018 Two insecure temporary files in the f2 shell script.
For the stable distribution (woody) these problems have been fixed in version 20010821-3.1.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your f2c package.

Reproducible: Always
Steps to Reproduce:
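The advisory above describes the defect class (a scratch file opened at a predictable path, which a pre-planted symlink can redirect) without showing what the fix looks like. The following is an added example, not code from the advisory, from f2c or from the Gentoo ebuild: it contrasts a predictable-name open with an O_EXCL open and with mkstemp(), and includes a self-check that plants a symlink in a private directory and confirms the O_EXCL variant refuses it. The path template and the helper names are assumptions chosen for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example (not from the advisory or the f2c package): shows why a
 * translator's scratch files must be created with mkstemp()/O_EXCL rather
 * than opened under a predictable name. */

/* Predictable name, O_CREAT without O_EXCL: if another local user has
 * placed a symlink at this path beforehand, the write follows the link.
 * This is the pattern the advisory describes. Returns fd or -1. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: O_EXCL makes open() fail with EEXIST if the path
 * already exists, symlink or not, so a planted link cannot redirect the
 * write. Returns fd or -1 with errno set. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: let libc pick an unpredictable name and open it O_EXCL.
 * Copies the chosen path into out (size n). Returns fd or -1. */
int make_scratch(char *out, size_t n) {
    char tmpl[] = "/tmp/f2c_scratch_XXXXXX"; /* assumed template, not an f2c path */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    snprintf(out, n, "%s", tmpl);
    return fd;
}

/* Creates a scratch file via make_scratch, checks it is a regular file
 * with mode 0600, and removes it. Returns 1 on success, 0 otherwise. */
int scratch_roundtrip(void) {
    char path[256];
    int fd = make_scratch(path, sizeof path);
    if (fd < 0) return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check in a private directory (constructed setup): create an empty
 * "victim" file, plant a symlink to it at a predictable name, then compare
 * both open strategies. Returns 1 when the plain open follows the link but
 * the O_EXCL open is refused with EEXIST, 0 otherwise. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/f2c_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;

    char target[300], link[300];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0) { rmdir(dir); return 0; }
    close(t);
    if (symlink(target, link) != 0) { unlink(target); rmdir(dir); return 0; }

    int result = 0;
    int bad = open_predictable(link);   /* succeeds: follows the symlink */
    int good = open_exclusive(link);    /* must fail: path already exists */
    if (bad >= 0 && good < 0 && errno == EEXIST) result = 1;

    if (bad >= 0) close(bad);
    if (good >= 0) close(good);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("symlink refused by O_EXCL: %s\n", demo_symlink_refused() ? "yes" : "no");
    printf("mkstemp scratch file ok:   %s\n", scratch_roundtrip() ? "yes" : "no");
    return 0;
}
```

The self-check uses a directory created by mkdtemp() and owned by the caller, so it does not depend on /tmp being world-writable and runs as an unprivileged user; the point it makes is that O_EXCL, which mkstemp() applies internally, is what turns a silent redirect into a hard error.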
Danny, please commit the ebuild to portage.
*** Bug 77570 has been marked as a duplicate of this bug. ***
Ebuild committed and already marked stable on amd64, x86 and ppc.
sparc/Ferris: please confirm now that the ebuild is in cvs. ppc64: please test and mark stable.
Stable for sparc. Tests OK.
GLSA vote... I don't see root using f2c that often, so I've mixed feelings.
I remember some package using it for compiling its Fortran sources. Probably was one of the dependencies of sci-geosciences/grass.
I vote for no GLSA on this one. Last time I checked BASC there were no installs at all.
What is BASC? How do you know nobody has installed f2c?

root@caravan:~# grep f2c /var/log/emerge.log |grep completed
1100311820:  ::: completed emerge (1 of 8) dev-libs/libf2c-20021004-r1 to /
1100311875:  ::: completed emerge (2 of 8) dev-lang/f2c-20030320 to /
root@caravan:~#

I've recently switched over to gcc's Fortran compiler, but how can you be sure everybody else has?
Many scientists do use f2c even today because of very old and well working code from the 60's!!!
BASC aka http://www.gentoo-stats.org/ Actually some systems use it now. Security please cast your vote.
f2c is commonly used by root when compiling some fortran packages in app-sci that require it (e.g., ghemical) or optionally using it for fortran source (anything in fortran, basically, can use f2c + cc instead of g77 or whatever else). Speaking of, is this vulnerability also present in libf2c?
I tend to vote YES on tmpfile vuln in packages that must/makesense being used by root, and ebuilds may even automate the task, so I vote YES.
I vote for a GLSA, too.
OK, good arguments.
wrt libf2c it does not seem to include f2c and fc. However I'm no f2c expert.
This still needs ppc64 stable marking.
Sorry, bug #79884 prevents me from marking stable. New f2c itself seems to be stable. Markus
We need the keyword in. Danny: could you put "ppc64" in KEYWORDS for corsair? Would do it but I still need to get commit access :)
nigoro marked stable for me, so now it is stable on ppc64.
GLSA 200501-43