62724 – (CVE-2004-0966) VUL-0: CVE-2004-0966: gettext: two tmp races

Bug 62724 (CVE-2004-0966) - VUL-0: CVE-2004-0966: gettext: two tmp races

Summary: VUL-0: CVE-2004-0966: gettext: two tmp races

Status:	RESOLVED FIXED
Duplicates (1):	154307 (view as bug list)

Alias:	CVE-2004-0966

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	All Linux

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Mads Martin Joergensen
QA Contact:	Security Team bot

URL:
Whiteboard:	CVE-2004-0966: CVSS v2 Base Score: 2....
Keywords:

Depends on:
Blocks:	65437
	Show dependency tree / graph

Clone This Bug

Reported:	2004-10-28 16:56 UTC by Thomas Biege
Modified:	2021-10-14 14:55 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
gettextize-sec-tmprace.diff (1.24 KB, patch) 2004-10-28 17:32 UTC, Thomas Biege	Details \| Diff
autopoint-sec-tmprace.diff (1.19 KB, patch) 2004-10-28 17:32 UTC, Thomas Biege	Details \| Diff
gettextize-sec-tmprace.diff (new) (1.24 KB, patch) 2004-10-28 17:33 UTC, Thomas Biege	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Biege 2004-10-28 16:56:02 UTC

Hello Philipp, 
I will attach two fixes for temp-file race conditions. 
 
It sufficient to fix them in all source trees and release them together with 
the next major update (or 9.3).

Comment 1 Thomas Biege 2004-10-28 16:56:02 UTC

<!-- SBZ_reproduce  -->
-

Comment 2 Thomas Biege 2004-10-28 16:56:57 UTC

=========================================================== 
Ubuntu Security Notice USN-5-1             October 27, 2004 
gettext vulnerabilities 
CAN-2004-0966 
=========================================================== 
 
A security issue affects the following Ubuntu releases: 
 
Ubuntu 4.10 (Warty Warthog) 
 
The following packages are affected: 
 
gettext 
 
The problem can be corrected by upgrading the affected package to 
version 0.14.1-2ubuntu0.1. In general, a standard system upgrade is 
sufficient to effect the necessary changes. 
 
Details follow: 
 
Recently, Trustix Secure Linux discovered some vulnerabilities in the 
gettext package. The programs "autopoint" and "gettextize" created 
temporary files in an insecure way, which allowed a symlink attack to 
create or overwrite arbitrary files with the privileges of the user 
invoking the program. 
...

Comment 3 Thomas Biege 2004-10-28 17:32:04 UTC

Created attachment 25551 [details]
gettextize-sec-tmprace.diff

Comment 4 Thomas Biege 2004-10-28 17:32:23 UTC

Created attachment 25552 [details]
autopoint-sec-tmprace.diff

Comment 5 Thomas Biege 2004-10-28 17:33:52 UTC

Created attachment 25553 [details]
gettextize-sec-tmprace.diff (new)

Comment 6 Mads Martin Joergensen 2004-11-25 18:15:02 UTC

Done.

Comment 7 Thomas Biege 2006-03-01 13:41:49 UTC

*** Bug 154307 has been marked as a duplicate of this bug. ***

Comment 8 Thomas Biege 2009-10-13 19:55:44 UTC

CVE-2004-0966: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)