Bug 136313 - CAN-2004-0969 temporary file vulnerabilities in groffer script
Summary: CAN-2004-0969 temporary file vulnerabilities in groffer script
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: groff
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Mike McLean
URL:
Whiteboard: public=20040930,impact=low,reported=2...
Depends On:
Blocks: 132991
Reported: 2004-10-19 10:04 UTC by Mark J. Cox
Modified: 2013-07-02 23:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-21 10:14:04 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for 1.19 which needs backporting (888 bytes, patch)
2004-10-19 10:05 UTC, Mark J. Cox

Description Mark J. Cox 2004-10-19 10:04:36 UTC
On September 10th 2004, Trustix shared some temporary file
vulnerabilities with vendor-sec.  After some refinement these were
made public on Sep 30.  These are minor issues (impact: LOW) and
therefore should be fixed in future updates, but don't deserve their
own security advisory.

Temporary file vulnerability in groffer.  Patch attached, however the
patch is for groff-1.19 and the groffer script is very different in
the version shipped in RHEL3.  However there looks to be a similar
temporary file vulnerability that could be fixed in a similar way to
the patch.

Does not affect RHEL2.1 packages which do not contain this script.

Comment 1 Mark J. Cox 2004-10-19 10:05:25 UTC
Created attachment 105435
Patch for 1.19 which needs backporting

Comment 2 Josh Bressers 2005-06-02 19:29:04 UTC
Ping on this issue

Comment 3 Jindrich Novy 2005-06-03 10:34:32 UTC
Mark, Josh, I backported the patch and am building the errata packages at the moment.

Comment 4 Mark J. Cox 2005-06-21 10:14:04 UTC
QA found that the groffer script won't run on RHEL3 due to needing packages we
don't ship.  Therefore this won't be fixed.

