Bug 168945

Summary: arc: insecure temp file creation (CAN-2005-2945)
Product: [Fedora] Fedora
Reporter: Ville Skyttä <scop>
Component: arc
Assignee: Nicolas Mailhot <nicolas.mailhot>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: extras-qa
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2945
Doc Type: Bug Fix
Last Closed: 2005-10-08 10:40:48 UTC

Description Ville Skyttä 2005-09-21 15:23:49 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2945 
 
Proposed patch: 
http://seclists.org/lists/fulldisclosure/2005/Sep/0540.html 
 
BTW, Debian ships version 5.21l which according to the changelog also contains 
some buffer overflow fixes.

Comment 1 Nicolas Mailhot 2005-09-21 17:24:26 UTC
I'll release 5.21l this week-end. Then probably declare arc orphaned.

I have little confidence in arc's code. It's old and licensing problems kept it
frozen for a long time. Since amavisd can use nomarch instead I have no need for
arc anymore. 

Unless people are actively fixing arc now it's GPL and work on nomarch stopped.
Didn't look at both projects lately.

Comment 2 Ville Skyttä 2005-10-07 07:28:49 UTC
ping 

Comment 3 Nicolas Mailhot 2005-10-08 10:40:48 UTC
Should be building.
Didn't check if it actually works after the build, the number of warnings is
still sky-high.
Orphaning this pile of old code now, even the latest and greatest needed a build
patch :(. Seems even FreeBSD does not care anymore.