Bug 121924

Summary: graphviz: insecure temp file handling
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: Other Assignee: Andreas Gruenbacher <agruen>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-4803: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-10-10 09:58:53 UTC
Hello,
fixing it in STABLE/SLES10 will suffice.

--------------------------------------------------------------------------
Debian Security Advisory DSA 857-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 10th, 2005                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : graphviz
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-2965

Javier Fernández-Sanguino Peña discovered insecure temporary file
creation in graphviz, a rich set of graph drawing tools, that can be
exploited to overwrite arbitrary files by a local attacker.

For the old stable distribution (woody) this problem probably persists
but the package is non-free.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.1-1sarge1.

We recommend that you upgrade your graphviz package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1-1sarge1.dsc
      Size/MD5 checksum:      788 0076de753bc31e2a61858db7275893c4
    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1-1sarge1.diff.gz
      Size/MD5 checksum:   360551 19b83dc92ffc1628b17ad195c2c4c7ee
    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1.orig.tar.gz
      Size/MD5 checksum:  4371071 bb46d8ada39436cb672922f0c8b1339

etc.
Comment 1 Andreas Gruenbacher 2005-10-17 12:02:00 UTC
I've submitted a fixed package for 10.0 just in case. STABLE is not affected anymore.
Comment 2 Andreas Gruenbacher 2005-10-17 12:02:34 UTC
Fixed.
Comment 3 Marcus Meissner 2006-05-19 08:55:50 UTC
======================================================
Name: CVE-2005-4803
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4803   

graphviz before 2.2.1 allows local users to overwrite arbitrary files
via a symlink attack on temporary files.  NOTE: this issue was 
originally associated with a different CVE identifier, CVE-2005-2965,
which had been used for multiple different issues.  This is the
correct identifier.
Comment 4 Thomas Biege 2009-10-13 21:40:32 UTC
CVE-2005-4803: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
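
The bug class named in this report (a symlink attack on a temporary file that ends in an overwritten file), shown as an added example that is not graphviz code and not part of the bug report. The graphviz source is not shown on this page, so the function names, file names and the scenario in a private directory are all constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed name; open() follows an existing symlink at that
 * name and truncates whatever it points to. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at path. mkstemp() does the same with a random name. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private directory: "work.tmp" already exists as
 * a symlink to "victim". Returns victim's size after the code under test
 * tries to write one byte to work.tmp, or -1 on setup failure. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", victim[64], tmp[64];
    const char data[] = "important data\n";            /* 15 bytes */
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/work.tmp", dir);
    int vfd = open_exclusive(victim);
    if (vfd < 0 || write(vfd, data, sizeof data - 1) < 0) return -1;
    close(vfd);
    if (symlink(victim, tmp) != 0) return -1;

    int fd = hardened ? open_exclusive(tmp) : open_predictable(tmp);
    if (fd >= 0) {                    /* the hardened open never gets here */
        if (write(fd, "x", 1) != 1) perror("write");
        close(fd);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable open: victim is %ld bytes\n", victim_size_after(0));
    printf("exclusive open:   victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

The two results differ because only the exclusive open refuses the pre-existing name, which makes the function usable as a regression check for temp-file handling. On Linux, the `fs.protected_symlinks` sysctl adds a second layer for sticky world-writable directories such as `/tmp`, but it does not replace exclusive creation.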