CVE-2019-12779 (https://nvd.nist.gov/vuln/detail/CVE-2019-12779): libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.
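To make the CVE description concrete, here is an added illustration (not code from libqb or from this bug report) of the pattern it describes beside the hardened form: a predictable path opened with O_CREAT but no O_EXCL follows whatever symlink already sits there, while O_CREAT|O_EXCL refuses with EEXIST. The helper names are my own; the check assumes /tmp is writable and confines itself to a private mkdtemp() directory with constructed files.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the CVE text: a predictable name is opened with
 * O_CREAT but without O_EXCL, so a symlink already sitting at that path is
 * followed and its target truncated. */
int open_predictable_unsafe(const char *path) {
    return open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if anything
 * exists at the path and never follows a symlink there. Illustrative helper,
 * not the upstream libqb 1.0.5 code. */
int open_predictable_safe(const char *path) {
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Self-check inside a private mkdtemp() directory (constructed scratch data).
 * Returns 1 when the unsafe open followed the pre-existing symlink (victim file
 * emptied) AND the safe open refused with EEXIST; 0 or negative otherwise. */
int demo_o_excl_blocks_symlink(void) {
    char dir[] = "/tmp/qbdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[256], name[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/qb-predictable", dir);

    /* a victim file with known content, and a symlink at the predictable name */
    int fd = open(victim, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -2;
    close(fd);
    if (symlink(victim, name) != 0) return -3;

    int unsafe_fd = open_predictable_unsafe(name);   /* follows the link */
    struct stat st;
    int followed = unsafe_fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (unsafe_fd >= 0) close(unsafe_fd);
    errno = 0;
    int safe_fd = open_predictable_safe(name);       /* must fail with EEXIST */
    int refused = safe_fd < 0 && errno == EEXIST;
    if (safe_fd >= 0) close(safe_fd);

    unlink(name); unlink(victim); rmdir(dir);        /* remove scratch dir */
    return followed && refused;
}
```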
The https://github.com/gentoo/gentoo/pull/13746.patch contains a bump to libqb-1.0.5 [PATCH 3/3].
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd35a6d8e2110d67918cb5cfff48d234ceb2c12e

commit fd35a6d8e2110d67918cb5cfff48d234ceb2c12e
Author: Wim Muskee <wimmuskee@gmail.com>
AuthorDate: 2019-11-23 20:40:56 +0000
Commit: Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2019-12-11 17:08:30 +0000

    sys-cluster/libqb: version bump to 1.0.5

    Bug: https://bugs.gentoo.org/699860
    Signed-off-by: Wim Muskee <wimmuskee@gmail.com>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 sys-cluster/libqb/Manifest           |  1 +
 sys-cluster/libqb/libqb-1.0.5.ebuild | 52 ++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5e69bf829c1d7972ad069d415f24937417ffa4

commit 7e5e69bf829c1d7972ad069d415f24937417ffa4
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-01-02 21:38:41 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-01-02 21:44:12 +0000

    sys-cluster/libqb: 1.9.0

    Bug: https://bugs.gentoo.org/704514
    Bug: https://bugs.gentoo.org/699860
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.84, Repoman-2.3.20

 sys-cluster/libqb/Manifest           |  1 +
 sys-cluster/libqb/libqb-1.9.0.ebuild | 62 ++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
Please note that the link magic in libqb 1.0.5 causes link errors with dependees (see bug #704514) so some users may have a hard time getting off vulnerable libqb 1.0.1. There is 1.0.9 in tree now, I hope that helps this path.
(In reply to Sebastian Pipping from comment #4)
> [..] There is 1.0.9 in tree now, [..]

1.9.0, sorry.
(In reply to Sebastian Pipping from comment #5)
> (In reply to Sebastian Pipping from comment #4)
> > [..] There is 1.0.9 in tree now, [..]
>
> 1.9.0, sorry.

Let's call this the stable candidate, and do it shortly unless somebody objects.
hppa stable
x86 stable
ppc64 stable
Unable to check for sanity:
> no match for package: sys-cluster/libqb-1.9.0
Both amd64 and ppc have latest version stable.
Dropping bug 720910 which did not block stabilization. New GLSA request filed.
This issue was resolved and addressed in GLSA 202107-03 at https://security.gentoo.org/glsa/202107-03 by GLSA coordinator John Helmert III (ajak).