Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 354061 (CVE-2011-3616) - <app-admin/conky-1.8.1-r2: "/tmp/.cesf" Insecure Temporary File (CVE-2011-3616)
Summary: <app-admin/conky-1.8.1-r2: "/tmp/.cesf" Insecure Temporary File (CVE-2011-3616)
Alias: CVE-2011-3616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2011-02-08 07:31 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-11-16 23:35 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-08 07:31:46 UTC
A security issue has been reported in Conky, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to Conky's "eve" module using the "/tmp/.cesf" file in an insecure manner, which can be exploited to e.g. overwrite arbitrary files with the privileges of the user running Conky.

Successful exploitation requires that the "eve" module is compiled and configured.

The security issue is reported in version 1.8.1. Other versions may also be affected.
Comment 1 Daniel Pielmeier gentoo-dev 2011-02-11 16:12:04 UTC
+*conky-1.8.1-r1 (11 Feb 2011)
+  11 Feb 2011; Daniel Pielmeier <> +conky-1.8.1-r1.ebuild,
+  +files/conky-1.8.1-acpitemp.patch, +files/conky-1.8.1-secunia-SA43225.patch:
+  Revision bump to fix security bug #354061 and also bug #352012.

I have added an ebuild including a patch from upstream which should fix the issue.
Comment 2 Daniel Pielmeier gentoo-dev 2011-02-12 12:43:55 UTC
Upstream is still working on this, so the patch may change. I will report back here if there is a proper solution.
Comment 3 Daniel Pielmeier gentoo-dev 2011-02-12 17:45:54 UTC
+*conky-1.8.1-r2 (12 Feb 2011)
+  12 Feb 2011; Daniel Pielmeier <> -conky-1.8.1-r1.ebuild,
+  +conky-1.8.1-r2.ebuild, files/conky-1.8.1-secunia-SA43225.patch:
+  Updated patch security bug #354061.

Now there is a new patch which is supposed to be cleaner. The old one should have worked as well.
Comment 4 Daniel Pielmeier gentoo-dev 2011-02-19 09:51:48 UTC
How do we procceed here. Shouldn't we stabilise 1.8.1-r2 as current stable (1.8.0-r1) is affected as well.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 09:56:10 UTC
Arches, please stabilize =app-admin/conky-1.8.1-r2
Comment 6 Agostino Sarubbo gentoo-dev 2011-02-19 10:36:56 UTC
USE="xmms2" pulled in media-sound/xmms2-0.7-r2 (masked by: ~amd64 keyword)

we stabilize also it, or what?
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-02-20 12:01:25 UTC
xmms2 should be ready to go I guess but lets CC the maintainer and see what he thinks
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2011-02-20 12:58:07 UTC
(In reply to comment #7)
> xmms2 should be ready to go I guess but lets CC the maintainer and see what he
> thinks

Yeah. Stable in tree for more, than a month without any known problems.
(Actually there is one: CC=distcc, but I haven't manged to reproduce it).

Feel free to stabilize


Just be careful as it has a lot of deps.
On amd64 you will need at least:

Comment 9 Agostino Sarubbo gentoo-dev 2011-02-20 14:27:20 UTC
amd64 ok

Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-02-21 19:53:29 UTC
amd64 done. Thanks Agostino
Comment 11 Andreas Schürch gentoo-dev 2011-02-22 07:59:08 UTC
I tested these 3 packages on x86 and two things:

xmms2 should depend on dev-libs/libcdio for USE="cdda". Otherwise:

The following required plugin(s) failed to configure: cdda                                                                       
 * ERROR: media-sound/xmms2-0.7-r2 failed:                                                                                       
 *   'waf configure' failed        

xmms2 should also depend on net-dns/avahi(USE=+mdnsresponder-compat) for USE="avahi". Otherwise:

The following required optional(s) failed to configure: dns_sd                                                                   
 * ERROR: media-sound/xmms2-0.7-r2 failed:                                                                                       
 *   'waf configure' failed         
Comment 12 Brent Baude (RETIRED) gentoo-dev 2011-02-25 20:04:03 UTC
ppc done
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-26 10:02:47 UTC
(In reply to comment #12)
> ppc done
ppc/ppc64 stable

Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2011-02-26 20:35:56 UTC
Stable on alpha.
Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-27 16:21:11 UTC
stable x86, I fixed those (USE) dependency issues spotted by Andreas...thanks
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2011-03-05 16:43:36 UTC
alpha/sparc stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2011-03-05 16:44:34 UTC
Actually this needs xmms2 stable on alpha...
Comment 18 Tobias Klausmann (RETIRED) gentoo-dev 2011-03-06 12:11:49 UTC
Stable on alpha:

Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-03-06 19:14:13 UTC
Thanks, everyone.

GLSA Vote: yes.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:34:48 UTC
Vote: YES. New GLSA request filed.
Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-09 15:55:09 UTC
CVE identifier missing, can someone of the new scouts check if there is one and if not, request one?
Comment 22 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-09 16:29:46 UTC
Couldn't find any CVE for this - requested one.
Comment 23 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-09 17:52:15 UTC
Thanks. When you have requested a CVE, Sean, you can add "(CVE requested)" to the summary.
Comment 24 Agostino Sarubbo gentoo-dev 2011-10-10 13:49:07 UTC
@maintainer, Please remove vulnerable version from the tree.
Comment 25 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-10 19:22:25 UTC
This was assigned CVE-2011-3616 - I don't have edit privileges to update the summary or alias.
Comment 26 Tim Sammut (RETIRED) gentoo-dev 2011-10-10 20:25:21 UTC
(In reply to comment #25)
> This was assigned CVE-2011-3616 - I don't have edit privileges to update the
> summary or alias.

Thanks, Sean!
Comment 27 Daniel Pielmeier gentoo-dev 2011-10-13 18:46:07 UTC
(In reply to comment #24)
> @maintainer, Please remove vulnerable version from the tree.

Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 21:52:01 UTC
This issue was resolved and addressed in
 GLSA 201110-09 at
by GLSA coordinator Stefan Behte (craig).
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:35:59 UTC
CVE-2011-3616 (
  The getSkillname function in the eve module in Conky 1.8.1 and earlier
  allows local users to overwrite arbitrary files via a symlink attack on