Bug 1060630 (CVE-2001-1593)
Summary: | CVE-2001-1593 a2ps: insecure temporary file use | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | jkurik, jrusnack, pertusus, pfrields, tremble, twaugh, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-02-03 15:43:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1060632, 1060633 | ||
Bug Blocks: | 1060631 |
Description
Murray McAllister
2014-02-03 06:06:26 UTC
There are currently no patches available for this issue. Created a2ps tracking bugs for this issue: Affects: fedora-all [bug 1060632] Affects: epel-6 [bug 1060633] Not affected. This has been fixed since 2001 due to a2ps-4.13-security.patch being applied. This patch changes tempname_ensure() so that mkstemp() is used rather than tempnam(). It looks like this was the original patch: * Fri Jan 05 2001 Preston Brown <pbrown> - security patch for tmpfile creation from Olaf Kirch <okir> followed the next month by a fix to that patch: * Mon Feb 12 2001 Tim Waugh <twaugh> - Fix tmpfile security patch so that it actually _works_ (bug #27155). Here's the actual patch: http://pkgs.fedoraproject.org/cgit/a2ps.git/plain/a2ps-4.13-security.patch Thanks Tim, apologies for missing that. Already fixed in all Red Hat Enterprise Linux and Fedora a2ps packages. |