pkgsrc-Bugs archive


pkg/47360: textproc/isearch insecure temporary files



>Number:         47360
>Category:       pkg
>Synopsis:       textproc/isearch insecure temporary files
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 21 10:40:01 +0000 2012
>Originator:     David A. Holland
>Release:        pkgsrc 20121220
>Organization:
>Environment:
n/a
>Description:

The isearch package (textproc/isearch) uses the tempnam() function in
three different places to choose the name of a temporary file it
writes later on into a publicly-writable area (/tmp). Needless to say,
this is insecure.

>How-To-Repeat:

Observe the linker warnings, search the source.

>Fix:

Update to at least isearch-1.47.01nb1, or take the relevant portions
of these patches:

   patches/patch-doctype_anzmeta.cxx
   patches/patch-doctype_fgdc.cxx
   patches/patch-src_marc.cxx
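
The general shape of the fix for the tempnam() pattern described above, as an added example: this is not the isearch source or the pkgsrc patches, which are not shown on this page. The names open_temp and probe_temp and the /tmp/example.XXXXXX template are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern the report describes, shown only as a comment:
 *     name = tempnam("/tmp", "tmp");  fp = fopen(name, "w");
 * The name is chosen first and the file is created later; fopen() accepts
 * a name that already exists by then and follows symlinks. */

/* Hardened form: mkstemp() chooses the name and creates the file in one
 * step (O_CREAT|O_EXCL, mode 0600). tmpl must end in "XXXXXX". */
FILE *open_temp(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {            /* do not leak the fd or the file */
        close(fd);
        unlink(tmpl);
    }
    return fp;
}

/* Creates a temp file, stores its permission bits in *mode, then tries an
 * exclusive create on the same name; returns that attempt's errno, or -1. */
int probe_temp(int *mode)
{
    char path[] = "/tmp/example.XXXXXX";   /* constructed template */
    struct stat st;
    FILE *fp = open_temp(path);
    if (fp == NULL)
        return -1;
    int err = -1;
    if (fstat(fileno(fp), &st) == 0) {
        *mode = (int)(st.st_mode & 0777);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        err = (fd == -1) ? errno : 0;
        if (fd != -1)
            close(fd);
    }
    fclose(fp);
    unlink(path);
    return err;
}
```

probe_temp() returns EEXIST because an exclusive create refuses a name that is already present, which is the guarantee the tempnam()-then-open sequence lacks.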


