371316 – (CVE-2011-2185) <dev-python/fabric-1.1.1: insecure temporary file creation vulnerability (CVE-2011-2185)

Bug 371316 (CVE-2011-2185) - <dev-python/fabric-1.1.1: insecure temporary file creation vulnerability (CVE-2011-2185)

Summary: <dev-python/fabric-1.1.1: insecure temporary file creation vulnerability (CVE...

Status:	RESOLVED FIXED

Alias:	CVE-2011-2185

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-06-12 21:32 UTC by Tim Sammut (RETIRED)
Modified:	2011-07-11 02:36 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2011-06-12 21:32:27 UTC

From the oss-security thread at $URL:

   It was found that fabric, a simple Pythonic remote deployment tool,
used insecure way for creation of temporary files, when uploading
template text files and project files to a remote system. A local
attacker could use this flaw to conduct symlink attacks to upload
sensitive information to remote host or to overwrite certain local
system files.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003
[2] https://bugzilla.redhat.com/show_bug.cgi?id=710462

Comment 1 Jesus Rivero (RETIRED) gentoo-dev

2011-07-08 21:42:05 UTC

Affected versions have been removed from the tree.
Current version: dev-python/fabric-1.1.1

Best regards,

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2011-07-11 02:36:28 UTC

(In reply to comment #1)
> Affected versions have been removed from the tree.
> Current version: dev-python/fabric-1.1.1
> 
> Best regards,

Great, thank you. Closing noglsa for ~arch package.