Hello, Take a look at src/xpvm.tcl :

158 #
159 # Get User Name
160 #
161
162 set user [ get_user_name ]

832 if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" }

834 $CTRL.file_entry insert 0 $trace_file

Regards.
Confirmed vulnerable.
Hello, Vendor notified. Regards.
Confirmed by rob, moving to vulnerabilities.
Leaked by Secunia, SA16040
Pulling in maintainer: The project looks quite dead (upstream mail failed), should we patch it? Remove it?
Tantive seems to be MIA, pulling in the rest of cluster.
If someone is able to fix it, then let's fix it, otherwise we have to remove or mask it. Personally i'd love to see a fix so it can stay in portage.
It should be changed to use ns_tmpnam [1], something like this may work:

832 if { $tfck == 0 } { set trace_file ns_tmpnam }

Yuri.

[1] http://www.panoptic.com/wiki/aolserver/686
Yuri, are you sure about that? I don't use wish much or xpvm at all, but I've done a fair bit of tcl in my day and I've never seen ns_tmpnam. Perhaps it's an aolserver-only function?

solar@simple xpvm $ wish
% ns_tmpnam
invalid command name "ns_tmpnam"
solar@simple xpvm $ tclsh
Loading module ptrace
8.4.6> ns_tmpnam
invalid command name "ns_tmpnam"
solar@simple xpvm $ tcl
tcl>ns_tmpnam
Error: invalid command name "ns_tmpnam"
Created attachment 64689 [details, diff]
xpvmm-1.2.5-secure-temp.patch

A patch that should do fine until "file tempfile ?template? ?namevar?" [1] is available in tcl 8.5.

[1] http://www.tcl.tk/cgi-bin/tct/tip/210.html
There is another way to solve this problem, but it'll require >=dev-tcltk/tcllib-1.7 to be added as a dependency so "::fileutil::tempfile ?prefix?" can be used; I think it's not worth adding another dependency considering the before-mentioned support for the file tempfile subcommand is expected to be added in tcl 8.5. Also, in case the patch gets accepted, please credit solar@gentoo.org for its authorship, as I just cleaned it up.
solar, you're the TCL expert, could you review the patch? If you're OK with it, tantive can plug it in.
The code is fine.

shell$ qfile /bin/tempfile
sys-apps/debianutils (/bin/tempfile)

A dep would have to be added either way.
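For reference, the predictable /tmp/xpvm.trace.$user scheme quoted above beside two safer ways to obtain the trace file, as an added example that is neither xpvm's code nor the attached patch; it assumes a Tcl 8.x tclsh, with the second mitigation needing Tcl 8.6 (where TIP 210's "file tempfile" landed).

```tcl
#!/usr/bin/env tclsh
# Added example, not xpvm's code or the attached patch: the predictable
# trace-file name beside two safer alternatives.

# The original scheme: a fixed, guessable path in a world-writable directory.
proc predictable_trace_file {user} {
    return "/tmp/xpvm.trace.$user"
}

# Mitigation 1 (any Tcl 8.x): keep a chosen name but open it with CREAT|EXCL
# and mode 0600, so a pre-existing file or symlink at that path makes the
# open fail instead of being followed. The caller must handle the error.
proc open_exclusive {path} {
    return [open $path {WRONLY CREAT EXCL} 0600]
}

# Mitigation 2 (Tcl >= 8.6, TIP 210): let the interpreter create a uniquely
# named file atomically; the channel is returned and the path is stored in
# the caller's variable named by pathVar.
proc new_trace_file {pathVar} {
    upvar 1 $pathVar path
    return [file tempfile path xpvm.trace]
}

# Demonstration (constructed; falls back to "unknown" if USER is unset).
set user [expr {[info exists ::env(USER)] ? $::env(USER) : "unknown"}]
set bad [predictable_trace_file $user]
puts "predictable name: $bad"

if {[catch {open_exclusive $bad} chan]} {
    # Something already sits at that path: refuse rather than write through it.
    puts "refused to reuse existing $bad: $chan"
} else {
    puts "created $bad exclusively with mode 0600"
    close $chan
    file delete $bad
}

if {[package vsatisfies [package provide Tcl] 8.6]} {
    set chan [new_trace_file path]
    puts "file tempfile gave: $path"
    close $chan
    file delete $path
}
```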
Michael, please provide an updated ebuild.
I added a patched xpvm-1.2.5-r4 to the tree and removed the old ebuilds. Thanks for your help.
Thx Michael. This one is ready for GLSA decision. I tend to vote NO.
Looks like a tool that would typically run as root, which would make me vote yes, but I really don't know. Michael, could you provide some insight on how the software is typically run, and if it always uses the temporary file (vs. it only uses it if option --verbosity=high is set)...
Michael/Cluster, please advise.
OK; looks like we won't get input about this from the cluster herd, so security members, make up your mind. In doubt I vote YES.
I would vote NO.
Reverting my vote to full NO -> Closing without GLSA. Feel free to reopen if you disagree.