Bug 1057544 (CVE-2014-1639)

Summary: CVE-2014-1639 syncevolution: insecure temporary file usage in installcheck-local.sh
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: extras-orphan, jrusnack, mprpic, pbrobinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-05 14:01:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1057545    
Bug Blocks:    

Description Martin Prpič 2014-01-24 10:13:33 UTC
It was found [1] that the installcheck-local.sh script of the syncevolution package creates temporary files in an insecure way. A local attacker could use these flaws to perform a symbolic link attack on the temporary files used by installcheck-local.sh.

NOTE: The vulnerable installcheck-local.sh script is not shipped in the syncevolution RPM package, but is included in the source and may be called at compile time. This flaw is therefore only a concern for those rebuilding the SRPM package. Regular users of the syncevolution package are not affected.

[1] http://seclists.org/oss-sec/2014/q1/138

Comment 1 Martin Prpič 2014-01-24 10:15:33 UTC
Created syncevolution tracking bugs for this issue:

Affects: fedora-all [bug 1057545]

Comment 2 Peter Robinson 2014-04-14 13:16:59 UTC
Can you tell me if this has been fixed in 1.4.x releases?

Comment 3 Martin Prpič 2014-04-15 07:26:53 UTC
Hi Peter, the following entry can be found in the ChangeLog for syncevolution-1.4.tar.gz [1], indicating that this issue has been fixed in the 1.4 release:

------------------------8<------------------------
2014-02-15  Patrick Ohly  <patrick.ohly>

	* src/syncevo/installcheck-local.sh:

	autotools: fix temp file vulnerability during compilation
	(CVE-2014-1639)
------------------------8<------------------------

The syncevolution 1.4 release notes also mention that this issue has been fixed; see [2].

[1] http://downloads.syncevolution.org/syncevolution/sources/syncevolution-1.4.tar.gz
[2] https://syncevolution.org/blogs/pohly/2014/syncevolution-14-released

Comment 4 Peter Robinson 2014-04-15 07:38:36 UTC
Brilliant, thanks. F-20 has had 1.4 for a while, I'll push 1.4.1 to both 20/19.

Comment 5 Fedora Update System 2014-04-24 07:41:36 UTC
syncevolution-1.4.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-04-27 09:08:45 UTC
syncevolution-1.4.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Peter Robinson 2014-05-05 14:01:35 UTC
Fixed in all current Fedora releases so closing