Bug 62473 (CVE-2004-0422)

Summary: VUL-0: CVE-2004-0422: flim creates temp files in an unsecure manner
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Karl Eichwalder <ke>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0422: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2004-10-21 15:06:05 UTC
Hello Karl, 
please have a look at: 
	https://bugzilla.fedora.us/show_bug.cgi?id=1581 
 
3. Problem description: 
 
The flim package includes a MIME library for GNU Emacs and XEmacs used by 
the wl mail package. 
 
Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library 
for working with Internet messages. Temporary files were being created 
without taking adequate precautions, and therefore a local user could 
potentially overwrite files with the privileges of the user running 
emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) 
has assigned the name CAN-2004-0422 to this issue. 
 
Users of flim are advised to upgrade to this updated package, which 
contains patches correcting these issues.
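
The class of bug described in the advisory text above, shown as an added example that is not part of the original report and not flim's code (flim is Emacs Lisp; this sketch uses Python and does not reproduce the patch). All file names and the sandbox layout are constructed for illustration.

```python
import os
import tempfile

def write_predictable(path, data):
    """Weak pattern: plain open() of a guessable name follows a symlink placed there."""
    with open(path, "wb") as fh:
        fh.write(data)

def write_exclusive(path, data):
    """Hardened: succeed only if this call creates the file itself, mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # FileExistsError if any file or link exists
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Exercise both patterns inside a private sandbox directory (constructed data)."""
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")       # stand-in for a user's file
        guessable = os.path.join(sandbox, "app-tmp-1234")  # stand-in for a predictable name
        write_predictable(victim, b"important")
        os.symlink(victim, guessable)  # link already sitting at the guessable name

        write_predictable(guessable, b"scratch")
        out["after_weak"] = read(victim)         # the write landed in the victim file

        write_predictable(victim, b"important")  # restore, then try the hardened path
        try:
            write_exclusive(guessable, b"scratch")
            out["refused"] = False
        except FileExistsError:
            out["refused"] = True
        out["after_hardened"] = read(victim)

        # Preferred: the library picks an unpredictable name and creates it with O_EXCL.
        fd, name = tempfile.mkstemp(prefix="app-", dir=sandbox)
        os.write(fd, b"scratch")
        os.close(fd)
        out["mkstemp_mode"] = os.stat(name).st_mode & 0o777
        out["mkstemp_is_link"] = os.path.islink(name)
    return out

if __name__ == "__main__":
    print(demo())
```

The integrity-only impact shown here (the victim file's contents change, nothing is disclosed) matches the I:P component of the CVSS vector recorded on this bug.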
Comment 2 Karl Eichwalder 2004-10-21 16:50:41 UTC
According to flim.changes this problem is already fixed:
-------------------------------------------------------------------
Mon May 24 17:35:15 CEST 2004 - ke@suse.de

- Apply security patch provided by Matt Zimmerman to fix insecure
  temporary file [DSA-500-1 / CAN-2004-0422].

-------------------------------------------------------------------

Nevertheless I'll take a closer look and update the package for 9.3 - is this okay?
Comment 3 Thomas Biege 2004-10-21 16:55:20 UTC
Yes, it is ok. The probability is high that the Fedora folks are a bit 
behind... 
Comment 4 Karl Eichwalder 2004-10-21 17:13:45 UTC
Fedora applies the same patch (provided by Debian).
Comment 5 Karl Eichwalder 2004-10-21 17:40:39 UTC
-------------------------------------------------------------------
Thu Oct 21 11:16:58 CEST 2004 - ke@suse.de

- Update to version 1.14.7; remove obsolete security patch [#47473].

-------------------------------------------------------------------
Comment 6 Thomas Biege 2009-10-13 19:54:17 UTC
CVE-2004-0422: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)