NetBSD Problem Report #47360

From dholland@netbsd.org  Fri Dec 21 10:35:23 2012
Return-Path: <dholland@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 1470163EABC
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 21 Dec 2012 10:35:23 +0000 (UTC)
Message-Id: <20121221103523.0CB2814A23F@mail.netbsd.org>
Date: Fri, 21 Dec 2012 10:35:23 +0000 (UTC)
From: dholland@NetBSD.org
Reply-To: dholland@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: textproc/isearch insecure temporary files
X-Send-Pr-Version: 3.95

>Number:         47360
>Category:       pkg
>Synopsis:       textproc/isearch insecure temporary files
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dholland
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 21 10:40:01 +0000 2012
>Closed-Date:    Fri Dec 21 10:50:52 +0000 2012
>Last-Modified:  Fri Dec 21 19:55:03 +0000 2012
>Originator:     David A. Holland
>Release:        pkgsrc 20121220
>Organization:
>Environment:
n/a
>Description:

The isearch package (textproc/isearch) uses the tempnam() function in
three different places to choose the name of a temporary file it
writes later on into a publicly-writable area (/tmp). Needless to say,
this is insecure.

>How-To-Repeat:

Observe the linker warnings, search the source.

>Fix:

Update to at least isearch-1.47.01nb1, or take the relevant portions
of these patches:

   patches/patch-doctype_anzmeta.cxx
   patches/patch-doctype_fgdc.cxx
   patches/patch-src_marc.cxx

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->dholland
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Fri, 21 Dec 2012 10:50:52 +0000
Responsible-Changed-Why:
I fixed it


State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 21 Dec 2012 10:50:52 +0000
State-Changed-Why:
This PR is for reference; the fix was committed shortly before the
PR was filed.


From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/47360: textproc/isearch insecure temporary files
Date: Fri, 21 Dec 2012 19:53:27 +0000

 This issue has been assigned CVE-2012-5663.

 -- 
 David A. Holland
 dholland@netbsd.org

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.