CVE-2001-1593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2001-1593): The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
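For reference, the mitigation for this bug class as an added example (it is not a2ps code and does not reproduce tempname_ensure; the "a2ps-" prefix, the /tmp directory and both helper names are assumptions): create the temporary file with mkstemp(), which uses a random suffix and O_CREAT|O_EXCL so a planted symlink makes the open fail rather than being followed, and then validate the descriptor rather than the path.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp() and friends */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for a tempname_ensure-style helper.
 * Creates a private temporary file under `dir`, writes its path into
 * `path` (buffer of `path_len` bytes) and returns the open fd, or -1.
 * mkstemp() picks a random suffix and opens with O_CREAT|O_EXCL, so a
 * symlink planted at a guessable name makes the open fail instead of
 * being followed to a file the attacker chose. */
int open_private_tempfile(const char *dir, char *path, size_t path_len) {
    int n = snprintf(path, path_len, "%s/a2ps-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* Modern libcs create the file with mode 0600; enforce it regardless. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Check the descriptor (not the path, which can be swapped underneath us):
 * regular file, owned by the caller, a single hard link, no group/other
 * permissions. Returns 1 when the file is safe to write, 0 otherwise. */
int fd_is_private_regular_file(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void) {
    char path[256];
    int fd = open_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0 || !fd_is_private_regular_file(fd)) { perror("temp file"); return 1; }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```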
A patch is available here: https://bugs.debian.org/cgi-bin/bugreport.cgi?filename=a2ps-4.14-1.3-nmu.diff;att=1;bug=742902;msg=12
@ Maintainer(s): Upstream hasn't worked on the project since 2007. So let's add Debian's patch to get rid of this vulnerability. I prepared https://github.com/gentoo/gentoo/pull/3579 -- Please comment/approve/decline.
Approved and applied. Thanks!

commit 1802efb0b659c231f5e3c7c9e275603e6ae3c585
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Jan 23 21:06:31 2017 -0600

    app-text/a2ps: drop vulnerable, bug #507024

    Package-Manager: Portage-2.3.0, Repoman-2.3.1

commit d78cf9b0a31ec3209bdc43b2dcabe0606ff6af13
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Sat Jan 21 17:28:53 2017 +0100

    app-text/a2ps: Add patch for CVE-2001-1593 (bug #507024)

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>
@arches, please stabilize.
Stable for HPPA PPC64.
amd64 stable
x86 stable
Stable on alpha.
sparc stable
ppc stable
ia64 stable
arm stable, all arches done.
@maintainer(s), please clean the vulnerable version.

GLSA Vote: No
Cleanup done
Repository is clean, all done.