Bug 505168 (CVE-2014-2387) - <net-misc/pen-0.25.1: "webfile.html" Insecure Temporary File Security Issue
Summary: <net-misc/pen-0.25.1: "webfile.html" Insecure Temporary File Security Issue
Status: RESOLVED FIXED
Alias: CVE-2014-2387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57374/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-20 13:35 UTC by Agostino Sarubbo
Modified: 2015-05-11 16:20 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-03-20 13:35:04 UTC
From ${URL} :

Description

Steve Kemp has discovered a security issue in pen, which can be exploited by malicious, local users to manipulate certain data.

The security issue is caused due to the application creating the "webfile.html" temporary file in an insecure manner. This can be exploited to manipulate the contents of certain files via symlink attacks.

The security issue is confirmed in version 0.21.1. Other versions may also be affected.


Solution:
No official solution is currently available.

Provided and/or discovered by:
Steve Kemp

Original Advisory:
http://openwall.com/lists/oss-security/2014/03/12/14


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
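The advisory above describes the classic insecure-temporary-file pattern: a privileged process writes a file with a predictable name ("webfile.html") into a directory other users can write to, so a pre-planted symlink at that name redirects the write to a file of the attacker's choosing. The C example below is added here as an illustration and is not pen's code, nor the fix that went into 0.25.1; the file names, the scratch directory and the two open() wrappers are all constructed for the demonstration. It contrasts an open() call that follows symlinks and reuses an existing path with one that uses O_EXCL and O_NOFOLLOW, and runs both against a symlink planted in a private scratch directory so the difference is observable without touching anything outside that directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (constructed stand-in, not pen's code): a fixed name,
 * O_CREAT without O_EXCL, symlinks followed. If a symlink already sits at
 * `path`, open() follows it and the caller truncates and overwrites whatever
 * the link points at, with the caller's own privileges. */
int open_report_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL makes open() fail if anything already exists at
 * `path` (a regular file or a symlink, even a dangling one), and O_NOFOLLOW
 * additionally refuses to traverse a symlink in the final component.
 * The file is also created without group/world read bits. Returns -1 on
 * refusal with errno set (EEXIST or ELOOP on Linux). */
int open_report_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Size in bytes of the file at `path`, or -1 if it cannot be stat()ed. */
static long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_size;
}

/* Build a private scratch directory holding a "victim" file and a symlink
 * webfile.html -> victim, mimicking the pre-planted link from the advisory
 * inside a directory only this process uses. Returns 0 on success. */
static int setup_scratch(char *dir, size_t dirlen,
                         char *link, size_t linklen,
                         char *victim, size_t victimlen)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || *tmp == '\0')
        tmp = "/tmp";
    snprintf(dir, dirlen, "%s/pen-demo-XXXXXX", tmp);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, victimlen, "%s/victim.txt", dir);
    snprintf(link, linklen, "%s/webfile.html", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    const char *orig = "original contents\n";          /* 18 bytes */
    if (write(fd, orig, strlen(orig)) != (ssize_t)strlen(orig)) {
        close(fd);
        return -1;
    }
    close(fd);
    return symlink(victim, link);
}

/* Run both patterns against the planted symlink. Returns 0 when the outcome
 * matches the advisory's description: the insecure open silently wrote
 * through the link into victim.txt, while the hardened open refused.
 * Non-zero return codes identify which step diverged. */
int demo(void)
{
    char dir[256], link[512], victim[512];
    if (setup_scratch(dir, sizeof dir, link, sizeof link, victim, sizeof victim) != 0)
        return 1;

    /* 1. Insecure open follows webfile.html -> victim.txt and truncates it. */
    const char *report = "<html>stats</html>\n";      /* 19 bytes */
    int fd = open_report_insecure(link);
    if (fd < 0)
        return 2;
    if (write(fd, report, strlen(report)) != (ssize_t)strlen(report))
        return 3;
    close(fd);
    if (file_size(victim) != 19)                       /* victim now holds the report */
        return 4;

    /* 2. Hardened open rejects the pre-existing symlink instead of following it. */
    errno = 0;
    fd = open_report_hardened(link);
    int rejected = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    if (!rejected)
        return 5;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("%s (code %d)\n", rc == 0 ? "hardened open refused the symlink" : "unexpected result", rc);
    return rc;
}
```

The refusal is the point: a daemon that must write a fixed-name file into a shared directory should treat "something is already there" as an error to log, not a path to reuse, and should prefer a directory only it can write to (or a mkstemp()-style random name followed by rename) over a predictable path in a world-writable location.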
Comment 1 Michael Palimaka (kensington) gentoo-dev 2014-10-15 16:39:26 UTC
+  15 Oct 2014; Michael Palimaka <kensington@gentoo.org> +pen-0.25.1.ebuild:
+  Version bump wrt bug #505168.

Should be fine to stabilise.
Comment 2 Andreas Schürch gentoo-dev 2015-04-01 19:52:39 UTC
x86 done.
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-03 08:30:22 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2015-04-03 12:01:25 UTC
+  03 Apr 2015; Michael Palimaka <kensington@gentoo.org> -pen-0.20.1.ebuild:
+  Remove old.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 16:58:51 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:20:55 UTC
GLSA Vote: No