Bug 911557
Summary: | CVE-2013-0296 pigz: Temporary archive representation created with insecure permissions [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | pigz | Assignee: | Adel Gadllah <adel.gadllah> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 18 | CC: | adel.gadllah |
Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Release Note | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-26 02:46:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 911556 |
Description
Jan Lieskovsky
2013-02-15 11:04:08 UTC
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=911556,911557 Adel, when closing some bug, could you provide at least explanation why? (no one said this is a big issue, but still an issue. Just closing the eyes the issue doesn't exist isn't the right thing to do). Thank you. (In reply to comment #2) > Adel, Hi, > when closing some bug, could you provide at least explanation why? > (no one said this is a big issue, but still an issue. Just closing the eyes > the issue doesn't exist isn't the right thing to do). I did provide one in the other bug https://bugzilla.redhat.com/show_bug.cgi?id=911556#c4 Basically that bug does not apply to 2.2.5 which we ship. (In reply to comment #2) > (no one said this is a big issue, but still an issue. Just closing the eyes > the issue doesn't exist isn't the right thing to do). Oh and I am not "closing my eyes" ... I have tried to reproduce it and couldn't. Couldn't find anything in pigz.c that would set such a mode and finally did an strace to verify. Then I have noticed that the report mentions 2.2.4, we do ship 2.2.5 though. So no I am not ignoring security bugs ... I am just closing a bug that is long fixed ;) (In reply to comment #3) > (In reply to comment #2) > > Adel, > > Hi, > > > when closing some bug, could you provide at least explanation why? > > (no one said this is a big issue, but still an issue. Just closing the eyes > > the issue doesn't exist isn't the right thing to do). > > I did provide one in the other bug > https://bugzilla.redhat.com/show_bug.cgi?id=911556#c4 > > Basically that bug does not apply to 2.2.5 which we ship. Yeah, I didn't notice that one before (delay in mails from Bugzilla). Sorry. Reopen this to get it fixed in Fedora-17 yet. Thank you for your help. pigz-2.2.5-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/pigz-2.2.5-1.fc17 Package pigz-2.2.5-1.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pigz-2.2.5-1.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-2589/pigz-2.2.5-1.fc17 then log in and leave karma (feedback). pigz-2.2.5-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |