Bug 474455 (CVE-2008-5298)
| Field | Value |
|---|---|
| Summary | CVE-2008-5298 chm2pdf insecure temporary file use |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Josh Bressers <bressers> |
| Assignee | Narasimhan <lakshminaras2002> |
| CC | lakshminaras2002, mail, security-response-team, vdanen |
| Keywords | Security |
| URL | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5298 |
| Doc Type | Bug Fix |
| Last Closed | 2011-02-07 17:05:04 UTC |
| Bug Depends On | 474459, 665494 |

Description
Josh Bressers
2008-12-03 21:49:39 UTC
Let's try this again. chm2pdf in Fedora 14 is still vulnerable to this. A patch was provided in the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501959#20

I can't think of a reason not to use it.

Created chm2pdf tracking bugs for this issue

Affects: fedora-all [bug 665494]

I have been able to apply the patch supplied in the bug URL given by Vincent. There are two patches present there, one for insecure_temp_dir and the other for bashisms. I have applied the first one.

Created attachment 472423
Patch that fixes the insecure temporary file issue

I have applied the patch and here is the spec file and SRPM link:

SPEC file: https://sites.google.com/site/lakshminaras2002/home/chm2pdf.spec?attredirects=0&d=1

SRPM link: https://sites.google.com/site/lakshminaras2002/home/chm2pdf-0.9.1-9.f13.src.rpm?attredirects=0&d=1

Vincent,
Could you provide a review of the patch provided (in the attachment)?
Thanks

(In reply to comment #7)
> Vincent,
> Could you provide a review of the patch provided (in the attachment)?

The patch in the attachment looked pretty odd, so I looked at the srpm and pulled the patch you had in there. That one looks good (I've just looked, not tested). I would go ahead and submit it.

This flaw was corrected in Fedora 14: chm2pdf-0.9.1-9.fc14 (FEDORA-2011-0454) and Fedora 13: chm2pdf-0.9.1-8.fc13 (FEDORA-2011-0467)