Bug 170484 - graphviz: CAN-2005-2961 (insecure temp file creation)
Summary: graphviz: CAN-2005-2961 (insecure temp file creation)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: graphviz   
(Show other bugs)
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Oliver Falk
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-12 06:41 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: 2.6-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-18 06:40:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ville Skyttä 2005-10-12 06:41:08 UTC
http://seclists.org/lists/bugtraq/2005/Oct/0134.html  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2965 
 
Haven't checked whether devel is affected, but earlier distro versions appear 
to be.

Comment 1 John Ellson 2005-10-12 12:31:31 UTC
graphviz-2.4 and earlier contained this bug.  We were sent a patch for this on
August 8th and the fix is already in graphviz-2.6 on Fedora Extras.  

Comment 2 Ville Skyttä 2005-10-12 14:02:19 UTC
But Fedora Extras for FC3 has unpatched version 2.2, and FC4 unpatched 2.2.1, 
so they'll need the fix (or an upgrade to 2.6), no? 

Comment 3 Oliver Falk 2005-10-12 14:07:01 UTC
I just wanted to wait a few weeks with upgrading graphviz in older FE releases -
currently it's only commited, build for FEDevel. Until now I didn't receive any
bugs for graphviz 2.6 release in -devel, so I'll update it in fe3 and fe4 soon.

Comment 4 John Ellson 2005-10-12 14:16:09 UTC
I can generate a patch against graphviz-2.2.1 for just this security bug if you
like?

Comment 5 Oliver Falk 2005-10-17 08:08:17 UTC
Update for FC-* in progress... Merging with devel...
I'll not update RHL-*, as I'm not supporting such *old* distros. :-P

I would be interessted if there are any stats how many people do still use RHL-*
(especially together with FE)... However..

Comment 6 Ville Skyttä 2005-10-17 13:45:32 UTC
FYI, I believe it's not possible to get anything older than FC3 built with the 
FE build system.  If you insist, updates for earlier distro versions can be 
submitted to fedora.us. 

Comment 7 Oliver Falk 2005-10-17 14:26:12 UTC
Yes, Villea, you are correct, plague doesn't accept builds < FC3 and it does
make sense. :-)


Note You need to log in before you can comment on or make changes to this bug.