| Summary: | app-portage/eix <= 0.3.0-r1 insecure tmp file handling | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Romang <zataz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | hollow |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Romang
2005-11-10 02:43:17 UTC
Auditors please confirm.

Confirmed, but it's not a race condition, it's a second order insecure temporary file handling issue. ccing maintainer.

Can someone explain what's the problem with this?

A local attacker can watch the process list and determine what $$ is while the "emerge --sync" part is running, then create a link at the corresponding tmpfile to a system file, say /etc/passwd... and bring down the host. The fact that this runs as root and may be part of a cron job makes things even worse. Doing a mktemp before the emerge --sync to safely create a random file that you will use afterwards to hold your temporary contents would be much better.

Ok, it's fixed with 0.3.0-r2 and also in upstream svn for 0.5.0

Thx Benedikt, Arches please test 0.3.0-r2 and mark stable: Target KEYWORDS="alpha amd64 ia64 ~mips ppc sparc x86"

sparc stable.

x86 happy

stable on amd64

alpha'lized

Cheers, Ferdy

Stable on ppc.

This one is ready for GLSA decision. I vote YES.

I vote yes too. This is easy to exploit, and can be run as root as part of normal operations.

The ppc keyword was never applied, apparently.

hansmi marked it ppc stable today, removing ppc.

GLSA 200511-19

ia64 don't forget to mark stable to benefit from the GLSA.
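The difference between the PID-based temporary file name and the mktemp approach suggested in the thread, as an added example that is not code from the eix package or from this bug report. The file name `sync-demo` and all function names are hypothetical, and everything runs inside a constructed sandbox directory rather than /tmp.

```shell
#!/bin/sh
# Constructed demo: all files live in a private sandbox created by mktemp -d.

# Unsafe pattern: the name is derived from $$ and opened with a plain redirect.
write_predictable() {                 # $1 = tmp dir, $2 = data
    tmpfile="$1/sync-demo.$$"         # hypothetical name; $$ is visible in the process list
    # ... the long-running step ("emerge --sync" in the report) would run here ...
    printf '%s\n' "$2" > "$tmpfile"   # the redirect follows a symlink that already exists
}

# Hardened pattern: mktemp creates the file (random name, exclusive create)
# before the long-running step, so no pre-existing link can be used.
write_mktemp() {                      # $1 = tmp dir, $2 = data; prints the file used
    tmpfile=$(mktemp "$1/sync-demo.XXXXXX") || return 1
    # ... the long-running step would run here ...
    printf '%s\n' "$2" > "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Returns 0 if the protected file kept its content, 1 if it was overwritten.
demo() {                              # $1 = predictable | mktemp
    sandbox=$(mktemp -d) || return 2
    printf 'original\n' > "$sandbox/protected"   # stands in for a system file
    mkdir "$sandbox/tmp"
    # A link already sitting at the guessable name, as described in the report.
    ln -s "$sandbox/protected" "$sandbox/tmp/sync-demo.$$"
    case $1 in
        predictable) write_predictable "$sandbox/tmp" "cache data" ;;
        mktemp)      write_mktemp "$sandbox/tmp" "cache data" >/dev/null ;;
    esac
    content=$(cat "$sandbox/protected")
    rm -rf "$sandbox"
    [ "$content" = "original" ]
}

demo predictable || echo "predictable name: protected file was overwritten"
demo mktemp && echo "mktemp: protected file untouched"
```
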