285861 – (CVE-2009-4664) <net-firewall/fwbuilder-3.0.7 Insecure temporary file creation (CVE-2009-4664)

Bug 285861 (CVE-2009-4664) - <net-firewall/fwbuilder-3.0.7 Insecure temporary file creation (CVE-2009-4664)

Summary: <net-firewall/fwbuilder-3.0.7 Insecure temporary file creation (CVE-2009-4664)

Status:	RESOLVED FIXED

Alias:	CVE-2009-4664

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.fwbuilder.org/docs/firewal...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-09-21 20:45 UTC by Alex Legler (RETIRED)
Modified:	2012-01-23 20:37 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
3.0.7-secure-mktemp.patch (3.0.7-secure-mktemp.patch,987 bytes, patch) 2009-11-12 09:34 UTC, Tiziano Müller (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2009-09-21 20:45:05 UTC

Upstream release notes:
Fixed security issue with temporary file handling in the generated iptables script. The problem only affects Linux systems where Firewall Builder is used to generate static routing configuration. The problem exists in Firewall Builder versions 3.0.4, 3.0.5, 3.0.6

3.0.7 was released to fix this issue, however in https://bugzilla.redhat.com/show_bug.cgi?id=524588, Jan Lieskovsky mentioned that the fix is not complete.
Upstream is informed. Let's wait for a reaction.

Comment 1 Tiziano Müller (RETIRED) gentoo-dev

2009-11-12 09:34:50 UTC

Created attachment 209994 [details, diff]
3.0.7-secure-mktemp.patch

I just did a version bump including a patch written by me to fix the security issue.

Comment 2 Tiziano Müller (RETIRED) gentoo-dev

2009-11-12 09:35:51 UTC

Package compiles and runs fine here with the mentioned patch.

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2010-03-06 16:29:45 UTC

Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.7
Target keywords : "amd64 ppc ppc64 x86"

Comment 4 Brent Baude (RETIRED) gentoo-dev

2010-03-08 17:43:39 UTC

ppc64 done

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2010-03-08 17:59:54 UTC

x86 stable

Comment 6 Markus Meier gentoo-dev

2010-03-08 20:15:53 UTC

amd64 stable

Comment 7 Joe Jezak (RETIRED) gentoo-dev

2010-03-09 21:55:16 UTC

Marked ppc stable.

Comment 8 Stefan Behte (RETIRED) gentoo-dev

2010-08-01 13:15:56 UTC

glsa request filed.

Comment 9 Andreas K. Hüttel archtester

2011-03-30 20:52:37 UTC

All affected versions removed from tree

Comment 10 Joshua Kinard gentoo-dev

2011-12-24 19:48:03 UTC

fwbuilder-3.0.7 is no longer in the tree.  Closing as OBSOLETE.

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2011-12-27 05:24:53 UTC

Please do not close security bug--we need to publish a GLSA for this--thanks.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-01-23 20:37:10 UTC

This issue was resolved and addressed in
 GLSA 201201-11 at http://security.gentoo.org/glsa/glsa-201201-11.xml
by GLSA coordinator Sean Amoss (ackle).