Bug 1077023 (CVE-2014-2524)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2014-2524 readline: insecure temporary file use in _rl_tropen() | | |
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | c.david86, erik-fedora, fedora-mingw, jchaloup, jgalipea, jkurik, jrusnack, ktietz, lfarkas, lnykryn, mlichvar, pfrields, rjones, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-05-21 13:43:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1077026, 1077027, 1077035 | | |
| Bug Blocks: | 1077036 | | |
Description
Murray McAllister, 2014-03-17 03:06:51 UTC

Created readline tracking bugs for this issue:
Affects: fedora-all [bug 1077026]

Created mingw-readline tracking bugs for this issue:
Affects: fedora-all [bug 1077035]

MITRE assigned CVE-2014-2524 to this issue:
http://seclists.org/oss-sec/2014/q1/588

Fixed upstream in 6.3 patch 3 by making the code only get compiled in when building with -DDEBUG.
http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html
http://git.savannah.gnu.org/cgit/readline.git/commit/?id=8408f86
ftp://ftp.cwru.edu/pub/bash/readline-6.3-patches/readline63-003

Statement:

This issue is only exposed via readline's debugging/tracing code and is not used by readline or any other application in Red Hat Enterprise Linux. The tracing functions are defined in a private header file and are only meant for the readline library's internal use. In general use, there is no exposure of this insecure temporary file issue, and while this does affect the versions of readline as shipped with Red Hat Enterprise Linux 5, 6 and 7 it is not currently planned to be addressed in future updates.

Red Hat Product Security has rated this issue as having Low security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
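The following block is an added illustration of the vulnerability class named in the summary (insecure temporary file creation by a debug/trace facility); it is not readline's code, and the body of _rl_tropen() is not shown on this page. It contrasts a pid-based, predictable trace path with an opener built on mkstemp(), and adds a post-open check a reviewer can apply to any descriptor meant to be a private temporary file. Assumed: a POSIX system providing mkstemp(), fstat() and fcntl(), and a writable TMPDIR or /tmp; the `rltrace` name prefix and all function names are hypothetical.

```c
/* Added illustration, not readline's code.  Assumes POSIX mkstemp(),
 * fstat(), fcntl() and a writable TMPDIR or /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern, shown only for contrast: a path derived from the pid is
 * predictable, and opening it without O_EXCL would follow whatever another
 * local user pre-created at that name (a file or a symlink).  This helper
 * only builds the name; it never opens it. */
int predictable_trace_path(char *buf, size_t len)
{
    return snprintf(buf, len, "/tmp/rltrace.%ld", (long)getpid()) < (int)len;
}

/* Hardened opener: mkstemp() chooses an unpredictable suffix and creates
 * the file with O_CREAT|O_EXCL and mode 0600 in one step, so a pre-existing
 * entry at the chosen name makes the call fail instead of being followed.
 * Returns an open descriptor or -1; the final path is left in pathbuf. */
int open_trace_file(char *pathbuf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(pathbuf, len, "%s/rltrace.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(pathbuf);
    if (fd < 0)
        return -1;
    /* Close-on-exec: a child spawned by the host program must not inherit
       the trace descriptor. */
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    return fd;
}

/* Post-open check: the descriptor must refer to a regular file with a
 * single link, owned by the effective user, readable/writable by owner only.
 * Checking the descriptor (not the path) avoids a second name lookup. */
int trace_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == geteuid() && (st.st_mode & 0777) == 0600;
}

/* Open, verify, write one trace line, and report the bytes written
 * (-1 on any failure; the file is removed if verification fails). */
long write_trace_line(const char *line, char *pathbuf, size_t len)
{
    int fd = open_trace_file(pathbuf, len);
    if (fd < 0)
        return -1;
    if (!trace_fd_is_private(fd)) {
        close(fd);
        unlink(pathbuf);
        return -1;
    }
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return (long)n;
}

int main(void)
{
    char path[256];
    long n = write_trace_line("trace: example line\n", path, sizeof path);
    if (n < 0) {
        perror("trace file");
        return 1;
    }
    printf("wrote %ld bytes to %s\n", n, path);
    unlink(path);
    return 0;
}
```

The upstream fix recorded above takes a different route, compiling the tracing code out unless -DDEBUG is set; the opener here is what a maintainer would reach for if the trace facility had to stay in a production build.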