Bug 436260
| Field | Value |
|---|---|
| Summary | CVE-2007-6061: insecure tmpfile handling |
| Product | [Fedora] Fedora |
| Component | audacity |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Keywords | Security |
| Reporter | Hans de Goede <hdegoede> |
| Assignee | Gérard Milmeister <gemi> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bressers, bugs.michael, huzaifas |
| URL | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061 |
| Doc Type | Bug Fix |
| Last Closed | 2008-05-13 21:06:07 UTC |
| Bug Blocks | 393251 |

Description
Hans de Goede
2008-03-06 08:09:03 UTC
Note the date of the CVE. Also known upstream and came up again just recently:
http://sourceforge.net/mailarchive/forum.php?thread_name=733f2c730803040303o679d28eeg224689218544d232%40mail.gmail.com&forum_name=audacity-devel

Users with security concerns can set a different tmp path in the Audacity preferences. The Gentoo patch (linked by me on audacity-devel yesterday) is controversial for several reasons.

Already tracked via bug #393251

Final Freeze is in effect now. Security fixes almost certainly warrant a freeze break, so in case you build a fix for this, mail release engineering as described here: [2]

[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

Thanks!

Any idea when this will be fixed in Fedora?

Created attachment 304395
proposed patch

Would this be sufficient?

Upstream accepted this patch.

Fixed in upstream 1.3.5:
http://audacity.sourceforge.net/download/features-1.3-a

Security
* Full fix for issue CVE-2007-6061 on systems where temporary directories can be changed by other users (thanks to Michael Schwendt).