NetBSD Problem Report #47360
From dholland@netbsd.org Fri Dec 21 10:35:23 2012
Return-Path: <dholland@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 1470163EABC
for <gnats-bugs@gnats.NetBSD.org>; Fri, 21 Dec 2012 10:35:23 +0000 (UTC)
Message-Id: <20121221103523.0CB2814A23F@mail.netbsd.org>
Date: Fri, 21 Dec 2012 10:35:23 +0000 (UTC)
From: dholland@NetBSD.org
Reply-To: dholland@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: textproc/isearch insecure temporary files
X-Send-Pr-Version: 3.95
>Number: 47360
>Category: pkg
>Synopsis: textproc/isearch insecure temporary files
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: dholland
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Dec 21 10:40:01 +0000 2012
>Closed-Date: Fri Dec 21 10:50:52 +0000 2012
>Last-Modified: Fri Dec 21 19:55:03 +0000 2012
>Originator: David A. Holland
>Release: pkgsrc 20121220
>Organization:
>Environment:
n/a
>Description:
The isearch package (textproc/isearch) uses the tempnam() function in
three different places to choose the name of a temporary file it
writes later on into a publicly-writable area (/tmp). Needless to say,
this is insecure.
>How-To-Repeat:
Observe the linker warnings, search the source.
>Fix:
Update to at least isearch-1.47.01nb1, or take the relevant portions
of these patches:
patches/patch-doctype_anzmeta.cxx
patches/patch-doctype_fgdc.cxx
patches/patch-src_marc.cxx
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->dholland
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Fri, 21 Dec 2012 10:50:52 +0000
Responsible-Changed-Why:
I fixed it
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 21 Dec 2012 10:50:52 +0000
State-Changed-Why:
This PR is for reference; the fix was committed shortly before the
PR was filed.
From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/47360: textproc/isearch insecure temporary files
Date: Fri, 21 Dec 2012 19:53:27 +0000
This issue has been assigned CVE-2012-5663.
--
David A. Holland
dholland@netbsd.org
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.