tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file. There does not appear to be an upstream fix for this at this time.
Debian has a patch for this that uses mktemp for tempfile generation. ( http://patch-tracking.debian.net/patch/series/view/tkman/2.2-4/07_use-mktemp ) I have also contacted the upstream developer who apparently had not heard of this.
Created attachment 174370 [details] Fixed ebuild
Created attachment 174372 [details, diff] Rename previously applied gentoo patch
Created attachment 174374 [details, diff] Debian's patch to use mktemp
Looking through the source, it appears that tkman-2.1-r1, current portage stable, is also affected by this.
Created attachment 174379 [details] Fixed ebuild Doh, forgot to re-keyword after testing on my system (added back ~x86).
The author wants to solve this problem differently, so I would also expect a newer version to pop-up at some point, possibly.
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506496
+*tkman-2.2-r1 (13 Jul 2009) + + 13 Jul 2009; Robert Buchholz <rbu@gentoo.org> + +files/tkman-CVE-2008-5137.diff, files/tkman.desktop, tkman-2.1-r1.ebuild, + -tkman-2.2.ebuild, +tkman-2.2-r1.ebuild: + Security bump: Fix temporary file handling, CVE-2008-5137, bug #247540. Thanks + to Steven Susbauer.
Arches, please test and mark stable: =app-text/tkman-2.2-r1 Target keywords : "ppc sparc x86"
Sparc stable.
x86 stable
ppc stable. closing since we're last
glsa? hmm.. probably
Not an example script here from what it seems, so YES. Request filed.
GLSA 200909-07
