Bug 875842 (CVE-2012-5530)
Summary: | CVE-2012-5530 pcp: Insecure temporary file use flaws | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | fche, jrusnack, mattn, mcermak, mfranc, mgoodwin, nathans, security-response-team, tdohnale, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-11-20 12:06:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 876533, 877983, 877984 | ||
Bug Blocks: | 876530 | ||
Attachments: |
Description
Jan Lieskovsky
2012-11-12 16:28:10 UTC
Preliminary embargo date for this issue has been set up to this Friday, 2012-11-16. Acknowledgements: Red Hat would like to thank SUSE Security Team for reporting this issue. SUSE Security Team acknowledges Thomas Biege of SUSE as the original issue reporter. Created attachment 644042 [details]
Preliminary form of proposed patch created by David Disseldorp of SUSE
Note: Might not be complete. Subsequent versions (if any) will be attached here too as soon as we have received them.
Created attachment 644747 [details]
Archive with updated patches
FYI - discussing the patches further with David (ddiss at suse - original fix author) we have identified one further fix and a regression in his original fixes. Both will be attached shortly. David has these too now, but perhaps they should be send out to any other distributors. With these, the PCP testsuite is looking in fairly good shape at this stage. cheers. -- Nathan Created attachment 646265 [details]
Fix a minor regression introduced in pcp(1) command from original tmpfile fixes
Created attachment 646266 [details]
Close possible races in scripted creation of pcp temp dirs by having packages create them
(In reply to comment #8) > FYI - discussing the patches further with David (ddiss at suse - original > fix author) we have identified one further fix and a regression in his > original fixes. Both will be attached shortly. David has these too now, > but perhaps they should be send out to any other distributors. Thank you for pointing out, Nathan. Do you possibly know from David if he has contacted the SUSE Security Team to re-send the patches? Or is Red Hat Security Response Team expected to do that? Can you clarify either of the options? > > With these, the PCP testsuite is looking in fairly good shape at this stage. > > cheers. > > -- > Nathan Thank you, Jan. David has definitely contacted the SUSE security folks - was just CC'd on their latest patchset and it includes these two fixes now (was also CC'd to members of the SUSE security team). AIUI there is no expectation that the Red Hat security team will need to propogate any patches (I will confirm that with them too). My current understanding is that SUSE will provide their full patch series, and I'll be doing the upstream merging (and a pcp-3.6.10 release) which includes all these patches, and also the devtoolset and Fedora updates on Monday (19th Nov). cheers. -- Nathan Created pcp tracking bugs for this issue Affects: fedora-all [bug 877983] Affects: epel-all [bug 877984] pcp-3.6.10-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. pcp-3.6.10-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. pcp-3.6.10-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. pcp-3.6.10-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. pcp-3.6.10-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |