Bug 170484 - graphviz: CAN-2005-2961 (insecure temp file creation)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: graphviz (Show other bugs)
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Oliver Falk
Fedora Extras Quality Assurance
Keywords: Security
Depends On:
Blocks:
Reported: 2005-10-12 02:41 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)

Fixed In Version: 2.6-1
Doc Type: Bug Fix
Last Closed: 2005-10-18 02:40:38 EDT

Attachments: None
Description Ville Skyttä 2005-10-12 02:41:08 EDT
http://seclists.org/lists/bugtraq/2005/Oct/0134.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2965

Haven't checked whether devel is affected, but earlier distro versions appear
to be.
Comment 1 John Ellson 2005-10-12 08:31:31 EDT
graphviz-2.4 and earlier contained this bug. We were sent a patch for this on
August 8th and the fix is already in graphviz-2.6 on Fedora Extras.
Comment 2 Ville Skyttä 2005-10-12 10:02:19 EDT
But Fedora Extras for FC3 has unpatched version 2.2, and FC4 unpatched 2.2.1,
so they'll need the fix (or an upgrade to 2.6), no?
Comment 3 Oliver Falk 2005-10-12 10:07:01 EDT
I just wanted to wait a few weeks with upgrading graphviz in older FE releases -
currently it's only committed and built for FEDevel. Until now I didn't receive any
bugs for the graphviz 2.6 release in -devel, so I'll update it in fe3 and fe4 soon.
Comment 4 John Ellson 2005-10-12 10:16:09 EDT
I can generate a patch against graphviz-2.2.1 for just this security bug if you
like?
Comment 5 Oliver Falk 2005-10-17 04:08:17 EDT
Update for FC-* in progress... Merging with devel...
I'll not update RHL-*, as I'm not supporting such *old* distros. :-P

I would be interested if there are any stats on how many people still use RHL-*
(especially together with FE)... However..
Comment 6 Ville Skyttä 2005-10-17 09:45:32 EDT
FYI, I believe it's not possible to get anything older than FC3 built with the
FE build system. If you insist, updates for earlier distro versions can be
submitted to fedora.us.
Comment 7 Oliver Falk 2005-10-17 10:26:12 EDT
Yes, Ville, you are correct, plague doesn't accept builds < FC3 and it does
make sense. :-)