Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 245922 (CVE-2008-4983) - sci-mathematics/scilab <4.1.2-r1: insecure temp file usage (CVE-2008-4983)
Summary: sci-mathematics/scilab <4.1.2-r1: insecure temp file usage (CVE-2008-4983)
Status: RESOLVED FIXED
Alias: CVE-2008-4983
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-11-07 02:34 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-21 22:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 02:34:47 UTC
CVE-2008-4983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4983):
  scilab-bin 4.1.2 allows local users to overwrite arbitrary files via
  a symlink attack on (a) /tmp/SciLink#####1, (b) /tmp/SciLink#####2,
  (c) /tmp/SciLink#####3, (d) /tmp/*.#####, (e) /tmp/*.#####.res, (f)
  /tmp/*.#####.err, and (g) /tmp/*.#####.diff temporary files, related
  to the (1) scilink, (2) scidoc, and (3) scidem scripts.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-07 02:36:37 UTC
Our in-tree version is vulnerable, I checked it.

DEBIAN: http://bugs.debian.org/496414
FILES: scilink, scidoc, scidem
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/scilab-bin
Comment 2 Markus Dittrich (RETIRED) gentoo-dev 2008-11-07 14:26:08 UTC
Thanks much for the note and I'll take care of this asap.

Best,
Markus
Comment 3 Markus Dittrich (RETIRED) gentoo-dev 2008-11-07 16:00:11 UTC
I've added Debian's patch verbatim to portage since it comes from upstream
and pushed out 4.1.2-r1. We need to stable 4.1.2-r1 on x86 but I suggest 
that we try all arches (x86, amd64, ppc) while we're at it. 
At least amd64 and x86 work fine for me.

Thanks,
Markus
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-07 16:10:54 UTC
Arches, please test and mark stable:
  =sci-mathematics/scilab-4.1.2-r1

Target keywords: x86

Per maintainer request, please also mark stable (not required per security):
  amd64 ppc
Comment 5 Markus Meier gentoo-dev 2008-11-08 13:29:25 UTC
amd64/x86 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 18:40:46 UTC
ppc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 18:56:16 UTC
Ready for voting!
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:56:37 UTC
I vote NO!
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:02:39 UTC
we've had a ton of temp file issues recently, and we always issued a glsa... so voting yes.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:29:23 UTC
YES, filed
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-21 22:24:05 UTC
GLSA 200901-14