Bug 17413 - gummi new insecure tmp file issue CVE-2015-7758
Summary: gummi new insecure tmp file issue CVE-2015-7758
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Rémi Verschelde
QA Contact:
URL: http://lwn.net/Vulnerabilities/669408/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-28 21:56 CET by David Walser
Modified: 2017-12-31 00:50 CET

See Also:
Source RPM: gummi-0.6.5-5.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-12-28 21:56:05 CET
OpenSuSE has issued an advisory on December 27:
http://lists.opensuse.org/opensuse-updates/2015-12/msg00117.html

While technically this isn't a security issue for us due to the protected_symlinks feature in the kernel, it's a bug that should be fixed (at least in Cauldron).  The maintainer can decide whether to issue a fix for Mageia 5.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-02-25 19:20:26 CET
Fixed in gummi-0.6.5-7.mga6.

Version: Cauldron => 5

Marja Van Waes 2016-04-27 17:53:36 CEST

CC: (none) => marja11
Component: RPM Packages => Security
QA Contact: (none) => security

David Walser 2016-04-27 18:29:56 CEST

Component: Security => RPM Packages
QA Contact: security => (none)

Comment 2 Marja Van Waes 2017-03-24 11:18:34 CET
reassigning to the current gummi maintainer

Assignee: mitya => rverschelde

Comment 3 David Walser 2017-12-31 00:50:13 CET
We don't need to fix this for Mageia 5.

Status: NEW => RESOLVED
Version: 5 => Cauldron
Resolution: (none) => FIXED

