Bug 121924 - graphviz: insecure temp file handling
Summary: graphviz: insecure temp file handling
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other
Version: unspecified
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Andreas Gruenbacher
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-4803: CVSS v2 Base Score: 3....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-10 09:58 UTC by Thomas Biege
Modified: 2009-10-13 21:40 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2005-10-10 09:58:53 UTC
Hello,
fixing it in STABLE/SLES10 will suffice.

--------------------------------------------------------------------------
Debian Security Advisory DSA 857-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 10th, 2005                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : graphviz
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-2965

Javier Fernández-Sanguino Peña discovered insecure temporary file
creation in graphviz, a rich set of graph drawing tools, that can be
exploited to overwrite arbitrary files by a local attacker.

For the old stable distribution (woody) this problem probably persists
but the package is non-free.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.1-1sarge1.

We recommend that you upgrade your graphviz package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1-1sarge1.dsc
      Size/MD5 checksum:      788 0076de753bc31e2a61858db7275893c4
    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1-1sarge1.diff.gz
      Size/MD5 checksum:   360551 19b83dc92ffc1628b17ad195c2c4c7ee
    http://security.debian.org/pool/updates/main/g/graphviz/graphviz_2.2.1.orig.tar.gz
      Size/MD5 checksum:  4371071 bb46d8ada39436cb672922f0c8b1339

etc.
Comment 1 Andreas Gruenbacher 2005-10-17 12:02:00 UTC
I've submitted a fixed package for 10.0 just in case. STABLE is not affected anymore.
Comment 2 Andreas Gruenbacher 2005-10-17 12:02:34 UTC
Fixed.
Comment 3 Marcus Meissner 2006-05-19 08:55:50 UTC
======================================================
Name: CVE-2005-4803
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4803   

graphviz before 2.2.1 allows local users to overwrite arbitrary files
via a symlink attack on temporary files.  NOTE: this issue was 
originally associated with a different CVE identifier, CVE-2005-2965,
which had been used for multiple different issues.  This is the
correct identifier.
Comment 4 Thomas Biege 2009-10-13 21:40:32 UTC
CVE-2005-4803: CVSS v2 Base Score: 3.6 (AV:L/AC:L/Au:N/C:N/I:P/A:P)
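
The bug class named in the advisory and CVE text above (a temporary file opened through a pre-existing symlink), shown in a private sandbox directory as an added example. It is not part of the original bug report and is not graphviz's code or the packaged fix. All file names and the function victim_size_after() are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PREDICTABLE, EXCLUSIVE, MKSTEMP };

/* Open a temp file inside a private sandbox where a symlink has already been
 * planted at the guessable name. Returns the protected file's size afterwards
 * (15 = intact, 0 = truncated through the link, -1 = setup error). */
long victim_size_after(int mode) {
    char dir[] = "/tmp/symlink-demo.XXXXXX";    /* constructed sandbox */
    char victim[64], fixed[64], tmpl[64];
    struct stat st;
    int fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(fixed, sizeof fixed, "%s/app.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);               /* 15 bytes */
    fclose(f);
    if (symlink(victim, fixed) != 0) return -1; /* pre-planted link */

    switch (mode) {
    case PREDICTABLE: /* flawed: fixed name, no O_EXCL, follows the link */
        fd = open(fixed, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        break;
    case EXCLUSIVE:   /* O_EXCL fails with EEXIST on any existing entry */
        fd = open(fixed, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        break;
    default:          /* mkstemp: random name, opened with O_EXCL, mode 0600 */
        fd = mkstemp(tmpl);
        if (fd >= 0) unlink(tmpl);
    }
    if (fd >= 0) close(fd);

    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(fixed); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable: %ld\nexclusive: %ld\nmkstemp: %ld\n",
           victim_size_after(PREDICTABLE), victim_size_after(EXCLUSIVE),
           victim_size_after(MKSTEMP));
    return 0;
}
```

Only the PREDICTABLE mode leaves the protected file truncated; both hardened modes refuse to touch an entry that already exists at the temp path.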