Debian Bug report logs - #736358
axiom: CVE-2014-1640: tmp file vulnerability

Package: axiom; Maintainer for axiom is Camm Maguire <camm@debian.org>; Source for axiom is src:axiom.

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Wed, 22 Jan 2014 18:15:07 UTC

Severity: important

Tags: security

Found in version axiom/20100701-1.1

Fixed in version axiom/20120501-17

Done: Camm Maguire <camm@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Camm Maguire <camm@debian.org>:
Bug#736358; Package axiom. (Wed, 22 Jan 2014 18:15:11 GMT)


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Camm Maguire <camm@debian.org>. (Wed, 22 Jan 2014 18:15:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: axiom: tmp file vulnerability
Date: Wed, 22 Jan 2014 19:13:17 +0100
Package: axiom
Version: 20100701-1.1
Severity: important
Tags: security

Dear Maintainer,

Your package contains a funny tmp file vulnerability.

$ grep 'tempfile).' -r .
./debian/axiom-test.sh:k=$(tempfile).input
$

This is wrong. It creates a secure tempfile, but doesn't use it and
instead generates a (now) predictable(!) name without opening it in a
safe (O_CREAT) way.

Helmut
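
The pattern Helmut reports, beside a safe alternative and a reviewer's check, as an added shell example that is not code from the axiom package's debian/axiom-test.sh; the function names and the tempdir template are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not code from the axiom package. Function names and the
# tempdir template are assumptions made for illustration.

# Vulnerable pattern (the one reported): tempfile(1) creates a unique,
# empty, mode-0600 file in /tmp, but the script never uses that file. It
# appends ".input" and writes to the derived name instead. Anyone who can
# list /tmp sees the tempfile's name and can therefore predict the derived
# one, and a plain ">" redirection does not create its target exclusively,
# so an entry that already exists at that path is silently followed.
vulnerable_make_input() {
    t=$(tempfile) || return 1      # secure file created ... then ignored
    k=$t.input                     # predictable name, never opened O_EXCL
    printf 'x := 1\n' > "$k"
    echo "$k"
}

# Safe pattern: create a private directory first (mktemp -d / mkdtemp(3)
# makes it with mode 0700 and a name of its own choosing), then put every
# derived file inside it. Nobody else can pre-place an entry in a directory
# they cannot enter, so the derived name is no longer attackable, and the
# ".input" suffix the test script needs is preserved.
safe_make_input() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/axiom-test.XXXXXX") || return 1
    k=$d/test.input
    (umask 077 && printf 'x := 1\n' > "$k") || return 1
    echo "$k"
}

# Reviewer's check: a temp path is only as safe as its parent directory.
# Accept it only if the parent is a directory with mode exactly 0700
# (ls -ld output starts with "drwx------"; this parse is portable across
# GNU and BSD ls, unlike stat's differing flags).
is_private_dir() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}
```

Source the file and call `safe_make_input`; it prints the path of a freshly created `.input` file whose parent passes `is_private_dir`, whereas a world-writable `/tmp` does not.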



Changed Bug title to 'axiom: CVE-2014-1640: tmp file vulnerability' from 'axiom: tmp file vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Jan 2014 05:36:08 GMT)


Reply sent to Camm Maguire <camm@debian.org>:
You have taken responsibility. (Wed, 16 Jul 2014 21:21:16 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Wed, 16 Jul 2014 21:21:16 GMT)


Message #12 received at 736358-close@bugs.debian.org:

From: Camm Maguire <camm@debian.org>
To: 736358-close@bugs.debian.org
Subject: Bug#736358: fixed in axiom 20120501-17
Date: Wed, 16 Jul 2014 21:20:18 +0000
Source: axiom
Source-Version: 20120501-17

We believe that the bug you reported is fixed in the latest version of
axiom, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736358@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Camm Maguire <camm@debian.org> (supplier of updated axiom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Jul 2014 19:20:13 +0000
Source: axiom
Binary: axiom axiom-source axiom-test axiom-doc axiom-databases axiom-tex axiom-graphics axiom-graphics-data axiom-hypertex axiom-hypertex-data
Architecture: source all amd64
Version: 20120501-17
Distribution: unstable
Urgency: high
Maintainer: Camm Maguire <camm@debian.org>
Changed-By: Camm Maguire <camm@debian.org>
Description:
 axiom      - General purpose computer algebra system: main binary and modules
 axiom-databases - General purpose computer algebra system: generated text databases
 axiom-doc  - General purpose computer algebra system: documentation
 axiom-graphics - General purpose computer algebra system: graphics subsystem
 axiom-graphics-data - General purpose computer algebra system: graphics subsystem
 axiom-hypertex - General purpose computer algebra system: hypertex subsystem
 axiom-hypertex-data - General purpose computer algebra system: hypertex subsystem
 axiom-source - General purpose computer algebra system: source files
 axiom-test - General purpose computer algebra system: regression test inputs
 axiom-tex  - General purpose computer algebra system: style file for TeX
Closes: 708999 712844 736358 752221
Changes:
 axiom (20120501-17) unstable; urgency=high
 .
   * rebuild against latest gcl
   * Bug fix: "[axiom] Some sources are not included in your package",
     thanks to Bastien ROUCARIES (Closes: #752221).
   * Bug fix: "3D plots fail saying: "The viewport manager could not
     read from a 3D viewport window"", thanks to Jason Quinn (Closes:
     #712844).
   * Bug fix: "CVE-2014-1640: tmp file vulnerability", thanks to Helmut
     Grohne (Closes: #736358).
   * Bug fix: "ackermann.input from axiom-test breaks", thanks to Edi Meier
     (Closes: #708999).
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Aug 2014 07:32:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:08:36 2019; Machine Name: beach
