Bug 599621 - (CVE-2010-2056) CVE-2010-2056 gv: Insecure (predictable) temporary file use
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: impact=low,source=debian,reported=201...
Keywords: Security
Depends On: 599165
Reported: 2010-06-03 11:57 EDT by Jan Lieskovsky
Modified: 2010-07-15 12:02 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-15 12:02:20 EDT
Description Jan Lieskovsky 2010-06-03 11:57:22 EDT
Paul Szabo reported:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10

a deficiency in the way gv handled temporary file creation,
when used for opening Portable Document Format (PDF) files.
A local attacker could use this flaw to conduct symlink attacks,
potentially leading to denial of service (unauthorized overwrite
of file content).

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=89;filename=004.diff;att=1;bug=583668
  [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583668#100

Just for the record from [2]:

<begin quote>

This bug was fixed upstream in 3.6.5.90-1, the first version
after lenny. :-(

Attached is a simplified version (without the configure changes
as Debian has mkstemp) that should fix this in lenny.

	Bernhard R. Link

<end quote>

and from [3]:

<begin quote>

Just for the records: In 3.6.5.90 (upstream) the configure-script was 
broken. Commit 73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 repaired the 
defect (and changed other things):

--- a/gv/configure.ac
+++ b/gv/configure.ac
@@ -92,7 +92,7 @@ AC_CHECK_LIB(Xinerama, main, , , $X_LIBS)

 opt_mkstemp=false

-AC_CHECK_FUNCS([mkstemp],[opt_setenv_code=true],[opt_setenv_code=false])
+AC_CHECK_FUNCS([mkstemp],[opt_mkstemp=true],[opt_mkstemp=false])
 AM_CONDITIONAL(HAVE_MKSTEMP, test x$opt_mkstemp = xtrue)
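
Review bot: In the action-if-not-found branch of the changed AC_CHECK_FUNCS line, `[opt_mkstemp=false]` still lets configure finish silently with HAVE_MKSTEMP off, which is the same state the `opt_setenv_code` typo left every build in without anyone noticing. Consider emitting AC_MSG_WARN (or AC_MSG_ERROR) in that branch so a build without the mkstemp code path is visible in the configure output. Smaller points: the `opt_mkstemp=false` default above it is now redundant because both branches assign the variable, and the operand in `test x$opt_mkstemp = xtrue` would be safer quoted.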


So the bugfix was dysfunctional until configure.ac was fixed. :-(
And even worse: Nobody noticed that for a rather long time.

<end quote>
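
Why the mkstemp code path matters for the flaw described above, as an added example (not gv's code and not part of the original report): it compares a predictable temporary name, the same name opened with O_EXCL, and mkstemp when a symlink already sits at the predictable name. The directory, the file name `gv_tmp.pdf` and the function names are hypothetical and constructed for the demo.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PREDICTABLE, PREDICTABLE_EXCL, MKSTEMP };

/* Create the viewer's scratch file one of three ways; returns fd or -1. */
static int create_tmp(int how, const char *dir, const char *fixed, char *out, size_t n) {
    switch (how) {
    case PREDICTABLE:       /* guessable name, follows an existing symlink */
        return open(fixed, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    case PREDICTABLE_EXCL:  /* same name, but refuses anything already there */
        return open(fixed, O_WRONLY | O_CREAT | O_EXCL, 0600);
    default:                /* unguessable name, created with O_EXCL, mode 0600 */
        snprintf(out, n, "%s/gv_XXXXXX", dir);
        return mkstemp(out);
    }
}

/* Plant a symlink at the fixed name inside a private scratch directory,
   create the temp file, and report the size of the link target afterwards.
   All paths are constructed for this demo. */
long victim_size_after(int how) {
    char dir[] = "/tmp/gvdemo_XXXXXX", victim[64], fixed[64], tmp[64] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/gv_tmp.pdf", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);            /* 15 bytes */
    fclose(f);
    if (symlink(victim, fixed) != 0) return -1;
    int fd = create_tmp(how, dir, fixed, tmp, sizeof tmp);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    if (tmp[0]) unlink(tmp);
    unlink(fixed); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable:        %ld bytes left\n", victim_size_after(PREDICTABLE));
    printf("predictable+O_EXCL: %ld bytes left\n", victim_size_after(PREDICTABLE_EXCL));
    printf("mkstemp:            %ld bytes left\n", victim_size_after(MKSTEMP));
    return 0;
}
```

Only the plain predictable open truncates the link target; O_EXCL fails with EEXIST on the existing symlink, and mkstemp never touches the fixed name at all.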
Comment 1 Jan Lieskovsky 2010-06-03 12:02:14 EDT
Relevant upstream changesets are:
  [4] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=a17416c462e5b6c9cc7c98c5ea01f580152f2da9 (for change mentioned in [2])
  [5] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 (for change mentioned in [3])
Comment 2 Jan Lieskovsky 2010-06-03 12:05:58 EDT
This issue affects the versions of the gv package, as shipped
with Fedora releases 11, 12, and 13 (they contain the upstream
changeset from [4], but don't contain the upstream changeset from
[5], which prevents [4] from functioning properly).

This issue affects the versions of the gv package, as shipped
within EPEL-4 and EPEL-5 repositories (versions here are missing
both [4], [5] changes).

Please fix.
Comment 3 Fedora Update System 2010-06-03 14:18:51 EDT
gv-3.6.91-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc11
Comment 4 Fedora Update System 2010-06-03 14:19:06 EDT
gv-3.6.91-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el5
Comment 5 Fedora Update System 2010-06-03 14:19:17 EDT
gv-3.6.91-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc13
Comment 6 Fedora Update System 2010-06-03 14:19:29 EDT
gv-3.6.91-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc12
Comment 7 Fedora Update System 2010-06-03 14:19:46 EDT
gv-3.6.91-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el4
Comment 8 Fedora Update System 2010-06-30 13:12:48 EDT
gv-3.7.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el5
Comment 9 Fedora Update System 2010-06-30 13:13:15 EDT
gv-3.7.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc12
Comment 10 Fedora Update System 2010-06-30 13:13:38 EDT
gv-3.7.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el4
Comment 11 Fedora Update System 2010-06-30 13:14:01 EDT
gv-3.7.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc13
Comment 12 Fedora Update System 2010-07-08 14:12:07 EDT
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-07-08 14:25:23 EDT
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2010-07-09 01:58:29 EDT
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-07-09 02:00:54 EDT
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.