A flaw was reported [1] in gambas where it created temporary directories insecurely, by creating /tmp/gambas.UID where UID is the user ID of the person running gambas. It does not check if this directory already exists or what the permissions on the directory are. This could allow a malicious user to remove, move, or manipulate the contents of the directory. This has been fixed upstream in r5464 [2] and r5438 [3]. The upstream report only refers to Gambas 3.x, and the code is quite different in Gambas 1.x (and presumably 2.x, didn't check), but Gambas 1.x does suffer from the same problem.

[1] https://code.google.com/p/gambas/issues/detail?id=365
[2] http://sourceforge.net/p/gambas/code/5464/
[3] http://sourceforge.net/p/gambas/code/5438/
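The two checks the report says are missing (does the directory already exist, and what are its permissions), as an added C example that is not part of the report and is not the upstream Gambas fix. The helper name `open_private_dir` and the demo path in `main` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns a directory fd for a private per-user
 * directory at `path`, or -1 if the directory cannot be trusted. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    /* Create with mode 0700. EEXIST is not success: it means "verify". */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW refuses a symlink that someone else placed at the name. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Inspect the object that was opened, not the name, so the result
     * cannot change between the check and later use of the fd. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() ||                    /* must be ours */
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {   /* no group/other access */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[64];
    /* Constructed demo name following the /tmp/NAME.UID pattern. */
    snprintf(path, sizeof path, "/tmp/example.%ld", (long)geteuid());
    int fd = open_private_dir(path);
    if (fd < 0) { perror(path); return 1; }
    printf("%s is private; create files with openat(fd, ...)\n", path);
    close(fd);
    return 0;
}
```

A pre-existing directory owned by another user, left group- or world-accessible, or replaced by a symlink is rejected rather than reused.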
Created gambas tracking bugs for this issue. Affects: fedora-all [bug 917755]
Created gambas2 tracking bugs for this issue. Affects: fedora-all [bug 917754]
Created gambas3 tracking bugs for this issue. Affects: fedora-all [bug 917753]
gambas3 is fixed as of 3.4.0. gambas1 and 2 are unmaintained upstream, so I retired those packages.
(In reply to comment #4)
> gambas3 is fixed as of 3.4.0, gambas1 and 2 are unmaintained upstream, so I
> retired those packages.

Thanks, Tom. Does that mean they will be removed from Fedora? Or just perpetually left as-is?
We cannot remove packages from released branches, so they'll just be left to rot forever. No one is using these ancient things anyway, they were never installed in any default spins (or in anything as far as I know). If you want to take a crack at patching any vulnerabilities in them, I'll do rebuilds, but I'm not motivated at all to try (okay, so I looked at gambas2, but I can't even find any similar code paths).