Bug 17413

Summary: gummi new insecure tmp file issue CVE-2015-7758
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM Packages Assignee: Rémi Verschelde <rverschelde>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/669408/
Whiteboard:
Source RPM: gummi-0.6.5-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-28 21:56:05 CET
openSUSE has issued an advisory on December 27:
http://lists.opensuse.org/opensuse-updates/2015-12/msg00117.html

While technically this isn't a security issue for us due to the protected_symlinks feature in the kernel, it's a bug that should be fixed (at least in Cauldron).  The maintainer can decide whether to issue a fix for Mageia 5.

Comment 1 David Walser 2016-02-25 19:20:26 CET
Fixed in gummi-0.6.5-7.mga6.

Version: Cauldron => 5

Marja Van Waes 2016-04-27 17:53:36 CEST

CC: (none) => marja11
Component: RPM Packages => Security
QA Contact: (none) => security

David Walser 2016-04-27 18:29:56 CEST

Component: Security => RPM Packages
QA Contact: security => (none)

Comment 2 Marja Van Waes 2017-03-24 11:18:34 CET
reassigning to the current gummi maintainer

Assignee: mitya => rverschelde

Comment 3 David Walser 2017-12-31 00:50:13 CET
We don't need to fix this for Mageia 5.

Status: NEW => RESOLVED
Version: 5 => Cauldron
Resolution: (none) => FIXED