Bug 568440 (CVE-2010-0118, CVE-2010-0119) - CVE-2010-0118, CVE-2010-0119 bournal: updated version 1.4.1 fixes two vulnerabilities
Summary: CVE-2010-0118, CVE-2010-0119 bournal: updated version 1.4.1 fixes two vulnera...
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2010-0118, CVE-2010-0119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: impact=low,source=cve,reported=201002...
Depends On: 568442
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-25 18:20 UTC by Vincent Danen
Modified: 2019-06-08 12:56 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-18 08:37:10 UTC


Attachments (Terms of Use)

Description Vincent Danen 2010-02-25 18:20:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0118 to
the following vulnerability:

Name: CVE-2010-0118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0118
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal Insecure Temporary Files Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509685/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-6/
Reference: BID:38353
Reference: URL: http://www.securityfocus.com/bid/38353
Reference: SECUNIA:38554
Reference: URL: http://secunia.com/advisories/38554

Bournal before 1.4.1 allows local users to overwrite arbitrary files
via a symlink attack on unspecified temporary files associated with a
--hack_the_gibson update check.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0119 to
the following vulnerability:

Name: CVE-2010-0119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0119
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal ccrypt Information Disclosure Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509688/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-7/
Reference: BID:38352
Reference: URL: http://www.securityfocus.com/bid/38352
Reference: SECUNIA:38723
Reference: URL: http://secunia.com/advisories/38723

Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used,
places a ccrypt key on the command line, which allows local users to
obtain sensitive information by listing the process and its arguments,
related to "echoing."


Current Fedora version is 1.3 and is vulnerable.  Please update to the latest 1.4.1 release to correct the above two vulnerabilities (CVE-2010-0119 indicates it is present due to a buggy ccrypt implementation on FreeBSD, so likely does not affect us at all, but noted for completeness).

Comment 2 Fedora Update System 2010-02-27 23:26:40 UTC
bournal-1.4.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc12

Comment 3 Fedora Update System 2010-02-27 23:26:45 UTC
bournal-1.4.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc13

Comment 4 Fedora Update System 2010-02-27 23:34:56 UTC
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11

Comment 5 Fedora Update System 2010-02-28 08:30:09 UTC
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11

Comment 6 Fedora Update System 2010-02-28 08:35:57 UTC
bournal-1.4.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc12

Comment 7 Fedora Update System 2010-02-28 08:35:57 UTC
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11

Comment 8 Fedora Update System 2010-02-28 08:36:01 UTC
bournal-1.4.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc13

Comment 9 Fedora Update System 2010-03-09 03:23:21 UTC
bournal-1.4.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-03-09 03:24:04 UTC
bournal-1.4.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-03-09 03:32:48 UTC
bournal-1.4.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.