Bug 118182 - VUL-0: arc insecure temp file creation
Summary: VUL-0: arc insecure temp file creation
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other
Version: unspecified
Hardware: Other All
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-2992: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-21 08:11 UTC by Thomas Biege
Modified: 2009-10-13 21:35 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch.CAN-2005-2945.arc (648 bytes, patch)
2005-09-21 14:10 UTC, Thomas Biege

Description Thomas Biege 2005-09-21 08:11:10 UTC
Hello,
I have some bugs for you.

-----------------------------------------------------------------------
Two vulnerabilities have been discovered in the ARC archive program
under Unix.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CAN-2005-2945

    Eric Romang discovered that the ARC archive program under Unix
    creates a temporary file with insecure permissions which may lead
    to an attacker stealing sensitive information.

CAN-2005-2992

    Joey Schulze discovered that the temporary file was created in an
    insecure fashion as well, leaving it open to a classic symlink
    attack.
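The two defects the advisory describes, a temporary file readable by others and a predictable name that follows a planted symlink, both come down to how the temporary file is opened. The C program below is an added example written for this page; it is not code from arc, from the attached patch, or from the reporters. It contrasts the insecure open() pattern with mkstemp(), checks the permissions and type of the resulting file, and builds a scratch scenario under /tmp. A writable /tmp, umask 022 and the names arc.tmp, other-file and arc.XXXXXX are all assumptions of the example.

```c
#define _GNU_SOURCE /* glibc: prototypes for mkstemp, mkdtemp, lstat, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern, the class of defect in the advisory: a fixed, guessable
 * name, open() without O_EXCL and a permissive creation mode. open() follows
 * whatever already sits at that path, including a symlink planted by another
 * user, and the process umask decides who may read the new file. */
int open_temp_insecure(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/arc.tmp", dir);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: mkstemp() fills XXXXXX with a random suffix and opens with
 * O_CREAT|O_EXCL and mode 0600, so a pre-existing file or symlink at that name
 * is never followed, and only the owner can read the contents. */
int open_temp_secure(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/arc.XXXXXX", dir);
    return mkstemp(path);
}

/* 1 if group or others may read the file at path (lstat: a symlink is not followed). */
int readable_by_others(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && (st.st_mode & 044) != 0;
}

/* 1 if fd is a regular file with mode 0600 and a single hard link. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600 && st.st_nlink == 1;
}

/* Scenario constructed for illustration in a scratch directory under /tmp.
 * Returns a bitmask: bit 0 = a fresh temp file was readable by others (umask
 * 022); bit 1 = with a symlink already at arc.tmp, the data went to its target. */
int run_insecure_scenario(void)
{
    char dir[] = "/tmp/arcdemo.XXXXXX";
    char path[256], target[256], planted[256];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    umask(022);
    /* Step 1: plain creation; the 0666 request becomes 0644 under umask 022. */
    fd = open_temp_insecure(dir, path, sizeof path);
    if (fd < 0) return -1;
    close(fd);
    if (readable_by_others(path)) result |= 1;
    unlink(path);
    /* Step 2: a symlink sits at the predictable name before the "creation". */
    snprintf(target, sizeof target, "%s/other-file", dir);
    snprintf(planted, sizeof planted, "%s/arc.tmp", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(target, planted) != 0) return -1;
    fd = open_temp_insecure(dir, path, sizeof path);
    if (fd < 0) return -1;
    if (write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (stat(target, &st) == 0 && st.st_size == 4) result |= 2;
    unlink(planted); unlink(target); rmdir(dir);
    return result;
}

/* Same environment, hardened routine: 1 if the temp file is a private regular
 * file whose name was randomised, 0 otherwise. */
int run_secure_scenario(void)
{
    char dir[] = "/tmp/arcdemo.XXXXXX";
    char path[256];
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    umask(022);
    fd = open_temp_secure(dir, path, sizeof path);
    if (fd < 0) return -1;
    ok = fd_is_private_regular(fd) && !readable_by_others(path) && strstr(path, "XXXXXX") == NULL;
    close(fd); unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("insecure findings bitmask: %d (expected 3)\n", run_insecure_scenario());
    printf("secure temp file ok: %d (expected 1)\n", run_secure_scenario());
    return 0;
}
```

Under umask 022 the insecure routine yields a 0644 file and, when a symlink already occupies arc.tmp, writes its data into the link's target; mkstemp() returns a 0600 regular file with a random suffix. The fstat()-based check is the one worth keeping in real code: it inspects the descriptor that is actually written to, not a path that may have been swapped underneath.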
Comment 1 Stanislav Brabec 2005-09-21 13:09:36 UTC
We dropped arc before 9.3. Should I create YOU update? Is there any patch?
Comment 2 Thomas Biege 2005-09-21 14:09:07 UTC
Good we dropped it.
I suspect that arc is used by other tools automatically (virus scanner, email
clients, ...), therefore an update for older versions would be good.
Comment 3 Thomas Biege 2005-09-21 14:10:02 UTC
Created attachment 50539
patch.CAN-2005-2945.arc
Comment 4 Stanislav Brabec 2005-09-21 15:03:58 UTC
Fixed package submitted for sles8, 9.0, 9.1 and 9.2.
Comment 5 Thomas Biege 2005-09-26 12:27:43 UTC
Maintenance-Tracker-2382
Comment 6 Thomas Biege 2005-09-26 12:37:39 UTC
/work/src/done/PATCHINFO/arc.patch.{box,maintained}
Comment 7 Thomas Biege 2005-09-27 12:49:07 UTC
packages released
Comment 8 Thomas Biege 2009-10-13 21:35:50 UTC
CVE-2005-2992: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)