[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200710-10.xml - gentoo-commits

From:	"Raphael Marichez (falco)" <falco@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200710-10.xml
Date:	Fri, 12 Oct 2007 20:54:46
Message-Id:	`E1IgRNG-0000se-Uw@stork.gentoo.org`

1

falco       07/10/12 20:44:46

2

3

  Added:                glsa-200710-10.xml

4

  Log:

5

  GLSA 200710-10

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200710-10.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200710-10.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200710-10.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200710-10.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200710-10">

21

  <title>SKK Tools: Insecure temporary file creation</title>

22

  <synopsis>

23

    SKK insecurely creates temporary files.

24

  </synopsis>

25

  <product type="ebuild">skktools</product>

26

  <announced>October 12, 2007</announced>

27

  <revised>October 12, 2007: 01</revised>

28

  <bug>193121</bug>

29

  <access>local</access>

30

  <affected>

31

    <package name="app-i18n/skktools" auto="yes" arch="*">

32

      <unaffected range="ge">1.2-r1</unaffected>

33

      <vulnerable range="lt">1.2-r1</vulnerable>

34

    </package>

35

  </affected>

36

  <background>

37

<p>

38

    SKK is a Japanese input method for Emacs.

39

    </p>

40

  </background>

41

  <description>

42

<p>

43

    skkdic-expr.c insecurely writes temporary files to a location in the

44

    form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID.

45

    </p>

46

  </description>

47

  <impact type="normal">

48

<p>

49

    A local attacker could create symbolic links in the directory where the

50

    temporary files are written, pointing to a valid file somewhere on the

51

    filesystem that is writable by the user running the SKK software. When

52

    SKK writes the temporary file, the target valid file would then be

53

    overwritten with the contents of the SKK temporary file.

54

    </p>

55

  </impact>

56

  <workaround>

57

<p>

58

    There is no known workaround at this time.

59

    </p>

60

  </workaround>

61

  <resolution>

62

<p>

63

    All SKK Tools users should upgrade to the latest version:

64

    </p>

65

    <code>

66

    # emerge --sync

67

    # emerge --ask --oneshot --verbose &quot;&gt;=app-i18n/skktools-1.2-r1&quot;</code>

68

  </resolution>

69

  <references>

70

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3916">CVE-2007-3916</uri>

71

  </references>

72

  <metadata tag="requester" timestamp="Thu, 20 Sep 2007 19:17:24 +0000">

73

p-y

74

  </metadata>

75

  <metadata tag="bugReady" timestamp="Thu, 20 Sep 2007 19:18:40 +0000">

76

p-y

77

  </metadata>

78

  <metadata tag="submitter" timestamp="Sun, 07 Oct 2007 20:45:18 +0000">

79

    aetius

80

  </metadata>

81

</glsa>

--

86

gentoo-commits@g.o mailing list

1	falco 07/10/12 20:44:46
2
3	Added: glsa-200710-10.xml
4	Log:
5	GLSA 200710-10
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200710-10.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200710-10.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200710-10.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200710-10.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200710-10">
21	<title>SKK Tools: Insecure temporary file creation</title>
22	<synopsis>
23	SKK insecurely creates temporary files.
24	</synopsis>
25	<product type="ebuild">skktools</product>
26	<announced>October 12, 2007</announced>
27	<revised>October 12, 2007: 01</revised>
28	<bug>193121</bug>
29	<access>local</access>
30	<affected>
31	<package name="app-i18n/skktools" auto="yes" arch="*">
32	<unaffected range="ge">1.2-r1</unaffected>
33	<vulnerable range="lt">1.2-r1</vulnerable>
34	</package>
35	</affected>
36	<background>
37	<p>
38	SKK is a Japanese input method for Emacs.
39	</p>
40	</background>
41	<description>
42	<p>
43	skkdic-expr.c insecurely writes temporary files to a location in the
44	form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID.
45	</p>
46	</description>
47	<impact type="normal">
48	<p>
49	A local attacker could create symbolic links in the directory where the
50	temporary files are written, pointing to a valid file somewhere on the
51	filesystem that is writable by the user running the SKK software. When
52	SKK writes the temporary file, the target valid file would then be
53	overwritten with the contents of the SKK temporary file.
54	</p>
55	</impact>
56	<workaround>
57	<p>
58	There is no known workaround at this time.
59	</p>
60	</workaround>
61	<resolution>
62	<p>
63	All SKK Tools users should upgrade to the latest version:
64	</p>
65	<code>
66	# emerge --sync
67	# emerge --ask --oneshot --verbose ">=app-i18n/skktools-1.2-r1"</code>
68	</resolution>
69	<references>
70	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3916">CVE-2007-3916</uri>
71	</references>
72	<metadata tag="requester" timestamp="Thu, 20 Sep 2007 19:17:24 +0000">
73	p-y
74	</metadata>
75	<metadata tag="bugReady" timestamp="Thu, 20 Sep 2007 19:18:40 +0000">
76	p-y
77	</metadata>
78	<metadata tag="submitter" timestamp="Sun, 07 Oct 2007 20:45:18 +0000">
79	aetius
80	</metadata>
81	</glsa>
82
83
84
85	--
86	gentoo-commits@g.o mailing list

Gentoo Archives: gentoo-commits