Description: Some vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The vulnerabilities are caused due to the "dialup_admin/bin/backup_radacct", "dialup_admin/bin/clean_radacct", "dialup_admin/bin/monthly_tot_stats", "dialup_admin/bin/tot_stats", and "dialup_admin/bin/truncate_radacct" scripts handling temporary files in an insecure manner. These can be exploited via symlink attacks to e.g. overwrite arbitrary files with escalated privileges. The vulnerabilities are reported in version 2.0.4. Other versions may also be affected. Solution: Restrict local access to trusted users only. Original Advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496389 http://uvw.ru/report.lenny.txt
Actually, the vulnerable Gentoo package is www-apps/freeradius-dialupadmin. Fixed in version 1.80 by applying the tmpfile.patch which is an improvement of the patch made by Pavol Rusnak (see http://bugs.freeradius.org/show_bug.cgi?id=605). Since this package don't have stable keywords, there is no need to involve arch teams in it.
Thanks, populating whiteboard (not exactly sure about "2" though; it's a provilege escalation issue, but not to root, as I get it) and closing then.
