Bug#496366: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
tags 496366 confirmed
thanks

Hi Charles,

> What is the relevance of this bug for the releasability of the package?
> Upstream is already at a much higher version number and I am not able to
> solve the problem by myself.

I've confirmed that the bug is indeed well-present: the script in question 
uses a number of files directly in /tmp with only the PID as a unique factor.

I've checked the latest upstream and that also has the exact same problem, so 
I don't think it's really relevant that upstream is many versions ahead. If 
they fix it, the fix can be applied to the current mafft package. I don't 
know why you cannot fix the bug yourself, but at least an upstream fix 
would be easily backportable.

But applying the fix yourself would not be very invasive either. The script 
makes extensive use of the system() call, so you could simply add system 
calls to use essential 'mktemp' to create the files safely.

In the attachment is an example patch which solves the first occurrence. As 
you can see it's very simple.

If you want a pure Ruby solution it would probably be a bit more invasive, but 
in that case http://ruby-stemp.rubyforge.org/ is available.

> Since the vulnerability can only be exploited by other local users, and
> since mafft is a scientific software either used on personal computers
> or on scientific workstations in trusted environments, can I ignore the
> bug for Lenny and work with Upstream on a fix in the latest release?

In the security team, issuing a DSA for an issue that has all these properties 
is normally not high on the priority list. However, that doesn't mean that 
I'm happy with new packages entering stable that have known bugs of this 
kind. So yes, I believe this bug should be resolved before lenny, especially 
as I don't see the problem in doing so.


Thijs
--- mafft-homologs.tmpl.orig	2008-08-25 08:55:19.0 +0200
+++ mafft-homologs.tmpl	2008-08-25 08:58:25.0 +0200
@@ -34,8 +34,9 @@
 
 require 'getopts'
 
-system( mafftpath + " --help > /tmp/_vf#{$$} 2>&1" )
-pfp = File.open( "/tmp/_vf#{$$}", 'r' )
+$tmpfile = system('mktemp')
+system( mafftpath + " --help > " + $tmpfile + " 2>&1" )
+pfp = File.open( $tmpfile, 'r' )
 while pfp.gets
 	break if $_ =~ /MAFFT v/
 end
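Review bot: the first added line, `$tmpfile = system('mktemp')`, does not capture the path: Kernel#system returns true/false (or nil) and discards the command's stdout, so `$tmpfile` is `true`, and the string concatenation `mafftpath + " --help > " + $tmpfile` on the next line raises a TypeError rather than producing a redirection target. Capture the output instead, e.g. `$tmpfile = `mktemp`.chomp`, and fail early if it comes back empty (mktemp could not create the file) before handing it to the shell.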
@@ -360,4 +361,4 @@
 	puts outseq2[i].gsub( /.{1,60}/, "\\0\n" )
 end
 
-system( "rm -rf /tmp/_if#{$$} /tmp/_vf#{$$} /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
+system( "rm -rf /tmp/_if#{$$} $tmpfile /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
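Review bot: in the replaced `rm -rf` line, `$tmpfile` sits inside a Ruby double-quoted string without interpolation (`#{$tmpfile}` or `#$tmpfile`), so Ruby passes the literal characters `$tmpfile` to the shell, which expands an unset shell variable to nothing; the mktemp file is never removed. Use `#{$tmpfile}` here. The remaining seven `/tmp/_*#{$$}` paths on this line are still the predictable PID-based names, which matches the cover note that only the first occurrence is addressed; each of them needs the same treatment before the bug can be closed.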


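As an added illustration of the two routes suggested above (the mktemp-style safe creation and a pure-Ruby solution), and not code from this thread or from mafft: the predictable-name pattern next to a replacement built on the standard-library Tempfile, with the `mafft --help` invocation stood in for by a ruby one-liner (an assumption for the sake of a self-contained run).

```ruby
require 'tempfile'
require 'open3'
require 'rbconfig'

# The pattern the script under discussion uses (constructed illustration): the only
# varying part of the name is the PID, so another local user can predict it and have
# something waiting at that path; the shell's '>' then opens whatever is there.
def predictable_tmp_path(prefix = '_vf')
  "/tmp/#{prefix}#{$$}"
end

# Hardened replacement: Tempfile opens the file with O_CREAT|O_EXCL, mode 0600 and an
# unpredictable name, so a pre-existing entry makes creation fail instead of being
# followed. The child's stdout+stderr are captured with Open3 and written through the
# descriptor we already hold, so no shell redirection to a pathname is needed at all.
def capture_to_tempfile(argv)
  tf = Tempfile.new('mafft-vf')
  begin
    out, _status = Open3.capture2e(*argv)
    tf.write(out)
    tf.rewind
    yield tf
  ensure
    tf.close!  # close and unlink; replaces the trailing 'rm -rf /tmp/_vf#{$$}'
  end
end

# Equivalent of the script's 'while pfp.gets; break if $_ =~ /MAFFT v/; end' loop.
def first_matching_line(argv, pattern)
  capture_to_tempfile(argv) do |tf|
    while (line = tf.gets)
      return line.chomp if line =~ pattern
    end
    nil
  end
end

# Properties a reviewer would check on the created file: a regular file we own,
# not a symlink, readable by nobody else.
def tempfile_properties
  tf = Tempfile.new('mafft-vf')
  begin
    st = File.lstat(tf.path)
    { symlink: st.symlink?, mode: st.mode & 0o777, owned_by_us: st.uid == Process.euid }
  ensure
    tf.close!
  end
end
```

Calling `first_matching_line([RbConfig.ruby, '-e', 'puts "MAFFT v6.240"'], /MAFFT v/)` returns the version line, and `tempfile_properties` shows the 0600, non-symlink file that Tempfile created.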


Bug#496366: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Charles Plessy
tag 496366 help
thanks

On Sun, Aug 24, 2008 at 10:05:28PM +0400, Dmitry E. Oboukhov wrote:
> Package: mafft
> Severity: grave
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.

Hi all,

I have not followed the discussions on -devel closely. What is the
relevance of this bug for the releasability of the package? Upstream is
already at a much higher version number and I am not able to solve the
problem by myself.

Since the vulnerability can only be exploited by other local users, and
since mafft is a scientific software either used on personal computers
or on scientific workstations in trusted environments, can I ignore the
bug for Lenny and work with Upstream on a fix in the latest release?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan


