Debian Bug report logs -
#633964
pacemaker: CVE-2011-5271: configure creates temp files insecurely
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Fri, 15 Jul 2011 13:12:02 UTC
Severity: important
Tags: security
Found in version pacemaker/1.0.11-1.2
Fixed in version pacemaker/1.1.6-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>:
Bug#633964; Package src:pacemaker.
(Fri, 15 Jul 2011 13:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jakub Wilk <jwilk@debian.org>:
New Bug report received and forwarded. Copy sent to jwilk@debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>.
(Fri, 15 Jul 2011 13:12:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: pacemaker
Version: 1.0.11-1.2
Severity: important
Tags: security
The configure script creates temporary files in an insecure way:
| extract_header_define() {
| AC_MSG_CHECKING(for $2 in $1)
| Cfile=/tmp/extract_define.$2.${$}
| printf "#include <stdio.h>\n" > ${Cfile}.c
| printf "#include <%s>\n" $1 >> ${Cfile}.c
| printf "int main(int argc, char **argv) { printf(\"%%s\", %s); return 0; }\n" $2 >> ${Cfile}.c
| $CC $CFLAGS ${Cfile}.c -o ${Cfile}
| value=`${Cfile}`
| AC_MSG_RESULT($value)
| printf $value
| rm -f ${Cfile}.c ${Cfile}
| }
--
Jakub Wilk
Changed Bug title to 'pacemaker: CVE-2011-5271: configure creates temp files insecurely' from 'pacemaker: configure creates temp files insecurely'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 11 Feb 2014 06:21:05 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 27 Feb 2014 18:27:14 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Thu, 27 Feb 2014 18:27:14 GMT) (full text, mbox, link).
Message #12 received at 633964-done@bugs.debian.org (full text, mbox, reply):
Source: pacemaker
Source-Version: 1.1.6-1
Hi,
On Fri, Jul 15, 2011 at 03:08:56PM +0200, Jakub Wilk wrote:
> Source: pacemaker
> Version: 1.0.11-1.2
> Severity: important
> Tags: security
>
> The configure script creates temporary files in an insecure way:
> | extract_header_define() {
> | AC_MSG_CHECKING(for $2 in $1)
> | Cfile=/tmp/extract_define.$2.${$}
> | printf "#include <stdio.h>\n" > ${Cfile}.c
> | printf "#include <%s>\n" $1 >> ${Cfile}.c
> | printf "int main(int argc, char **argv) { printf(\"%%s\", %s); return 0; }\n" $2 >> ${Cfile}.c
> | $CC $CFLAGS ${Cfile}.c -o ${Cfile}
> | value=`${Cfile}`
> | AC_MSG_RESULT($value)
> | printf $value
> | rm -f ${Cfile}.c ${Cfile}
> | }
This is fixed with [1] in version 1.1.6-1, so closing the bug with
this version.
[1] https://github.com/ClusterLabs/pacemaker/commit/23ad834
Regards,
Salvatore
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 28 Mar 2014 07:37:37 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:48:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon