Bugzilla – Bug 62473
VUL-0: CVE-2004-0422: flim creates temp files in an unsecure manner
Last modified: 2021-10-14 14:55:03 UTC
Hello Karl, please have a look at: https://bugzilla.fedora.us/show_bug.cgi?id=1581

3. Problem description:

The flim package includes a MIME library for GNU Emacs and XEmacs used by the wl mail package.

Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with Internet messages. Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0422 to this issue.

Users of flim are advised to upgrade to this updated package, which contains patches correcting these issues.
According to flim.changes this problem is already fixed:

-------------------------------------------------------------------
Mon May 24 17:35:15 CEST 2004 - ke@suse.de

- Apply security patch provided by Matt Zimmerman to fix insecure
  temporary file [DSA-500-1 / CAN-2004-0422].

-------------------------------------------------------------------

Nevertheless I'll take a closer look and update the package for 9.3 - is this okay?
Yes, it is ok. The probability is high that the Fedora folks are a bit behind...
Fedora applies the same patch (provided by Debian).
-------------------------------------------------------------------
Thu Oct 21 11:16:58 CEST 2004 - ke@suse.de

- Update to version 1.14.7; remove obsolete security patch [#47473].

-------------------------------------------------------------------
CVE-2004-0422: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)