It was found [1] that the installcheck-local.sh script of the syncevolution package creates temporary files in an insecure way. A local attacker could use this flaw to perform a symbolic link attack on the temporary files used by installcheck-local.sh.

NOTE: The vulnerable installcheck-local.sh script is not shipped in the syncevolution RPM package, but is included in the source and may be called at compile time. This flaw is therefore only a concern for those rebuilding the SRPM package. Regular users of the syncevolution package are not affected.

[1] http://seclists.org/oss-sec/2014/q1/138
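The report above does not show the script's code, so the following is an added illustration (not the syncevolution script, nor code from this bug's participants) of the generic pattern behind a local symlink attack on temporary files: a predictable name under a shared directory, the attacker pre-planting a symlink at that name, and the mktemp-based fix. All names (installcheck.$$, the "victim" file, the demo functions) are assumed for the example; everything runs inside a throwaway directory from mktemp -d, never in the real /tmp.

```shell
#!/bin/sh
# Added example, not the syncevolution installcheck-local.sh script itself.
# Demonstrates a predictable temp-file name being hijacked by a pre-planted
# symlink, and why mktemp closes the hole.  Sandboxed: every demo works in
# its own mktemp -d directory.

# Attacker step: pre-create a symlink at the name the victim will use,
# pointing at a file the attacker wants overwritten.
# $1 = directory, $2 = predicted file name, $3 = target to clobber.
attacker_plant() {
    ln -s "$3" "$1/$2"
}

# Vulnerable pattern: a name derived from the PID ("installcheck.<pid>") can be
# guessed or brute-forced, and the '>' redirection follows whatever symlink is
# already sitting at that path.  $1 = directory.
insecure_write() {
    tmp="$1/installcheck.$$"
    echo "build output" > "$tmp"
}

# Fixed pattern: mktemp chooses an unpredictable name and creates it with
# O_CREAT|O_EXCL and mode 0600, so an existing file or symlink at a candidate
# name makes it retry or fail instead of being followed.  Prints the path.
# $1 = directory.
secure_write() {
    tmp=$(mktemp "$1/installcheck.XXXXXX") || return 1
    echo "build output" > "$tmp"
    printf '%s\n' "$tmp"
}

# Runs the attack against insecure_write; prints "clobbered" when the planted
# symlink caused the victim file to be overwritten with the script's output.
insecure_demo() {
    d=$(mktemp -d) || return 1
    echo "original" > "$d/victim"
    attacker_plant "$d" "installcheck.$$" "$d/victim"
    insecure_write "$d"
    if grep -q "build output" "$d/victim"; then echo clobbered; else echo intact; fi
    rm -rf "$d"
}

# Same attack against secure_write; prints "safe" when the victim file is
# untouched and the temp file is a private (0600), non-symlink regular file.
secure_demo() {
    d=$(mktemp -d) || return 1
    echo "original" > "$d/victim"
    attacker_plant "$d" "installcheck.$$" "$d/victim"
    f=$(secure_write "$d") || { rm -rf "$d"; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    if grep -q "original" "$d/victim" && [ ! -L "$f" ] && [ -f "$f" ] \
        && [ "$perms" = "-rw-------" ]; then
        echo safe
    else
        echo unsafe
    fi
    rm -rf "$d"
}

# Usage: prints "clobbered" for the PID-named file, then "safe" for mktemp.
insecure_demo
secure_demo
```

The attacker here runs in the same shell, so it knows $$ exactly; on a real multi-user box the PID is still only a few thousand guesses away, and the window between "pick name" and "open file" is what the attacker races. mktemp removes both the guessable name and the race, because the O_EXCL create refuses to follow a pre-existing link.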
Created syncevolution tracking bugs for this issue: Affects: fedora-all [bug 1057545]
Can you tell me if this has been fixed in 1.4.x releases?
Hi Peter, the following entry can be found in the ChangeLog for syncevolution-1.4.tar.gz [1], indicating that this issue has been fixed in the 1.4 release:

------------------------8<------------------------
2014-02-15  Patrick Ohly  <patrick.ohly>

	* src/syncevo/installcheck-local.sh:
	autotools: fix temp file vulnerability during compilation (CVE-2014-1639)
------------------------8<------------------------

The syncevolution 1.4 release notes also mention that this issue has been fixed; see [2].

[1] http://downloads.syncevolution.org/syncevolution/sources/syncevolution-1.4.tar.gz
[2] https://syncevolution.org/blogs/pohly/2014/syncevolution-14-released
Brilliant, thanks. F-20 has had 1.4 for a while; I'll push 1.4.1 to both 20 and 19.
syncevolution-1.4.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
syncevolution-1.4.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Fixed in all current Fedora releases, so closing.