Bug 568440 - (CVE-2010-0118, CVE-2010-0119) CVE-2010-0118, CVE-2010-0119 bournal: updated version 1.4.1 fixes two vulnerabilities
CVE-2010-0118, CVE-2010-0119 bournal: updated version 1.4.1 fixes two vulnera...
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://web.nvd.nist.gov/view/vuln/det...
impact=low,source=cve,reported=201002...
: Security
Depends On: 568442
Blocks:
  Show dependency treegraph
 
Reported: 2010-02-25 13:20 EST by Vincent Danen
Modified: 2015-07-29 09:23 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-18 04:37:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2010-02-25 13:20:23 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0118 to
the following vulnerability:

Name: CVE-2010-0118
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0118
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal Insecure Temporary Files Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509685/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-6/
Reference: BID:38353
Reference: URL: http://www.securityfocus.com/bid/38353
Reference: SECUNIA:38554
Reference: URL: http://secunia.com/advisories/38554

Bournal before 1.4.1 allows local users to overwrite arbitrary files
via a symlink attack on unspecified temporary files associated with a
--hack_the_gibson update check.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0119 to
the following vulnerability:

Name: CVE-2010-0119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0119
Assigned: 20100104
Reference: BUGTRAQ:20100222 Secunia Research: Bournal ccrypt Information Disclosure Security Issue
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509688/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-7/
Reference: BID:38352
Reference: URL: http://www.securityfocus.com/bid/38352
Reference: SECUNIA:38723
Reference: URL: http://secunia.com/advisories/38723

Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used,
places a ccrypt key on the command line, which allows local users to
obtain sensitive information by listing the process and its arguments,
related to "echoing."


Current Fedora version is 1.3 and is vulnerable.  Please update to the latest 1.4.1 release to correct the above two vulnerabilities (CVE-2010-0119 indicates it is present due to a buggy ccrypt implementation on FreeBSD, so likely does not affect us at all, but noted for completeness).
Comment 2 Fedora Update System 2010-02-27 18:26:40 EST
bournal-1.4.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc12
Comment 3 Fedora Update System 2010-02-27 18:26:45 EST
bournal-1.4.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc13
Comment 4 Fedora Update System 2010-02-27 18:34:56 EST
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11
Comment 5 Fedora Update System 2010-02-28 03:30:09 EST
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11
Comment 6 Fedora Update System 2010-02-28 03:35:57 EST
bournal-1.4.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc12
Comment 7 Fedora Update System 2010-02-28 03:35:57 EST
bournal-1.4.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc11
Comment 8 Fedora Update System 2010-02-28 03:36:01 EST
bournal-1.4.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/bournal-1.4.1-1.fc13
Comment 9 Fedora Update System 2010-03-08 22:23:21 EST
bournal-1.4.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-03-08 22:24:04 EST
bournal-1.4.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-03-08 22:32:48 EST
bournal-1.4.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.