Bug 568440 (CVE-2010-0118, CVE-2010-0119)

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0118 to
the following vulnerability:

Name: CVE-2010-0118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0118
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal Insecure Temporary Files Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509685/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-6/
Reference: BID:38353
Reference: URL: http://www.securityfocus.com/bid/38353
Reference: SECUNIA:38554
Reference: URL: http://secunia.com/advisories/38554

Bournal before 1.4.1 allows local users to overwrite arbitrary files
via a symlink attack on unspecified temporary files associated with a
--hack_the_gibson update check.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0119 to
the following vulnerability:

Name: CVE-2010-0119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0119
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal ccrypt Information Disclosure Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509688/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-7/
Reference: BID:38352
Reference: URL: http://www.securityfocus.com/bid/38352
Reference: SECUNIA:38723
Reference: URL: http://secunia.com/advisories/38723

Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used,
places a ccrypt key on the command line, which allows local users to
obtain sensitive information by listing the process and its arguments,
related to "echoing."


Current Fedora version is 1.3 and is vulnerable.  Please update to the latest 1.4.1 release to correct the above two vulnerabilities (CVE-2010-0119 indicates it is present due to a buggy ccrypt implementation on FreeBSD, so likely does not affect us at all, but noted for completeness).