Bug 599621 (CVE-2010-2056) - CVE-2010-2056 gv: Insecure (predictable) temporary file use
Summary: CVE-2010-2056 gv: Insecure (predictable) temporary file use
Status: CLOSED ERRATA
Alias: CVE-2010-2056
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: impact=low,source=debian,reported=201...
Keywords: Security
Depends On: 599165
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-03 15:57 UTC by Jan Lieskovsky
Modified: 2010-07-15 16:02 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-15 16:02:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-06-03 15:57:22 UTC
Paul Szabo reported:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10

a deficiency in the way gv handled temporary file creation,
when used for opening Portable Document Format (PDF) files.
A local attacker could use this flaw to conduct symlink attacks,
potentially leading to denial of service (un-athorized overwrite
of file content).

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=89;filename=004.diff;att=1;bug=583668
  [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583668#100

Just for the record from [2]:

<begin quote>

This bug was fixed upstream in 3.6.5.90-1, the first version
after lenny. :-(

Attached is a simplified version (without the configure changes
as Debian has mkstemp) that should fix this in lenny.

	Bernhard R. Link

<end quote>

and from [3]:

<begin quote>

Just for the records: In 3.6.5.90 (upstream) the configure-script was 
broken. Commit 73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 repaired the 
defect (and changed other things):

--- a/gv/configure.ac
+++ b/gv/configure.ac
@@ -92,7 +92,7 @@ AC_CHECK_LIB(Xinerama, main, , , $X_LIBS)

 opt_mkstemp=false

-AC_CHECK_FUNCS([mkstemp],[opt_setenv_code=true],[opt_setenv_code=false])
+AC_CHECK_FUNCS([mkstemp],[opt_mkstemp=true],[opt_mkstemp=false])
 AM_CONDITIONAL(HAVE_MKSTEMP, test x$opt_mkstemp = xtrue)


So the bugfix was disfunctional until configure.ac has been fixed. :-(  
And even worse: Nobody noticed that a rather long time.

<end quote>

Comment 1 Jan Lieskovsky 2010-06-03 16:02:14 UTC
Relevant upstream changesets are:
  [4] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=a17416c462e5b6c9cc7c98c5ea01f580152f2da9 (for change mentioned in [2])
  [5] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 (for change mentioned in [3])

Comment 2 Jan Lieskovsky 2010-06-03 16:05:58 UTC
This issue affects the versions of the gv package, as shipped
with Fedora release of 11, 12, and 13 (they contains upstream
changeset from [4], but don't contain upstream changeset from
[5], which prevents [4] from proper function).

This issue affects the versions of the gv package, as shipped
within EPEL-4 and EPEL-5 repositories (versions here are missing
both [4], [5] changes).

Please fix.

Comment 3 Fedora Update System 2010-06-03 18:18:51 UTC
gv-3.6.91-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc11

Comment 4 Fedora Update System 2010-06-03 18:19:06 UTC
gv-3.6.91-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el5

Comment 5 Fedora Update System 2010-06-03 18:19:17 UTC
gv-3.6.91-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc13

Comment 6 Fedora Update System 2010-06-03 18:19:29 UTC
gv-3.6.91-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc12

Comment 7 Fedora Update System 2010-06-03 18:19:46 UTC
gv-3.6.91-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el4

Comment 8 Fedora Update System 2010-06-30 17:12:48 UTC
gv-3.7.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el5

Comment 9 Fedora Update System 2010-06-30 17:13:15 UTC
gv-3.7.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc12

Comment 10 Fedora Update System 2010-06-30 17:13:38 UTC
gv-3.7.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el4

Comment 11 Fedora Update System 2010-06-30 17:14:01 UTC
gv-3.7.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc13

Comment 12 Fedora Update System 2010-07-08 18:12:07 UTC
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-07-08 18:25:23 UTC
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-07-09 05:58:29 UTC
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-07-09 06:00:54 UTC
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.