Nicolas François wrote:
> > Hi,
> >
> > A security issue has been reported against your package po4a:
> >
> > > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > > arbitrary files via a symlink attack on the gettextization.failed.po
> > > temporary file.
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
> > It seems the new upstream 0.32 fixes this.
> >
> > Please mention the CVE id in the changelog when fixing this.
> > Also please check whether stable and oldstable are vulnerable and coordinate
> > with the security team.
>
> This was fixed in Debian's 0.31-1
>
> stable and oldstable are vulnerable.
>
> The fix for this bug is quite simple:
> replacing
> $pores->write("/tmp/gettextization.failed.po");
> by
> $pores->write("gettextization.failed.po");
>
> Security Team, shall I prepare packages with this fix and upload to
> stable-security and oldstable-security?
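The symlink attack quoted above, shown in Perl as an added illustration rather than po4a's own code: a fixed, predictable file name in a shared directory opened with a plain `>` follows a pre-planted symlink and truncates whatever it points to. Upstream's fix (the relative `gettextization.failed.po`, written in the user's working directory instead of `/tmp`) removes the shared-directory exposure; the `O_EXCL` variant below is an additional hardening not taken from the page. The function names `write_po_unsafe` and `write_po_exclusive` and the scratch directory standing in for `/tmp` are assumptions of this example.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2007-4462 pattern; not code from po4a.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);
use File::Spec;

# Vulnerable pattern (po4a < 0.32): a fixed name in a world-writable directory,
# opened with '>'. open() follows symlinks and truncates, so a link planted by
# another local user at that name redirects the PO dump into the victim file.
sub write_po_unsafe {
    my ($path, $content) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $content;
    close($fh) or die "close $path: $!";
    return 1;
}

# Hardened variant (assumption, not upstream's fix): O_CREAT|O_EXCL fails with
# EEXIST if any directory entry, symlink included, already exists at the path,
# so a planted link is never followed. The caller gets 0 instead of a write.
sub write_po_exclusive {
    my ($path, $content) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $content;
    close($fh) or die "close $path: $!";
    return 1;
}

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "read $path: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

sub reset_victim {
    my ($path) = @_;
    open(my $fh, '>', $path) or die "write $path: $!";
    print {$fh} "important=1\n";
    close $fh;
}

# Private scratch directory playing the role of the shared /tmp (constructed).
my $shared  = tempdir(CLEANUP => 1);
my $victim  = File::Spec->catfile($shared, 'victim.conf');
my $planted = File::Spec->catfile($shared, 'gettextization.failed.po');

reset_victim($victim);

# The attacker's move: ln -s victim.conf /tmp/gettextization.failed.po
symlink($victim, $planted) or die "symlink: $!";

my $po = "msgid \"hello\"\nmsgstr \"bonjour\"\n";

write_po_unsafe($planted, $po);
print "after unsafe write, victim contains:\n", slurp($victim);

# Same planted link, hardened writer: creation is refused, victim untouched.
reset_victim($victim);
my $ok = write_po_exclusive($planted, $po);
print "exclusive write ", ($ok ? "succeeded" : "refused: $!"), "\n";
print "victim still contains: ", slurp($victim);
```

Running it shows the first write replacing `important=1` with the PO text through the link, while the `O_EXCL` open fails with "File exists" and leaves the victim intact. Note that `O_EXCL` only refuses the write; a real tool would then pick a fresh name (for example via `File::Temp`) rather than silently dropping the output.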
Which end-user tools use the affected code and which operations trigger the vulnerability?

Given that there's apparently no regularly scheduled execution (e.g. in comparison to a server cron job), that the .pm doesn't run with elevated privileges, and that po4a is exotic and apparently uncommon in a multi-user environment with shared /tmp, I'm for now inclined to consider this not grave enough for a DSA. (However, this depends on the information I'm asking for.)

Cheers,
Moritz