Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink. Users should upgrade to this new version of utempter, which fixes this vulnerability.

Reproducible: Always
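A lexical check for the class of device name described in the report, as an added example that is not part of the original report and is not utempter's own code. The function name `device_name_ok()` and the sample inputs are assumptions constructed for illustration; it accepts a name only if it sits under `/dev/` and has no `..`, `.` or empty path component.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not utempter's code): return 1 if dev is an
 * absolute path under /dev/ whose every component is a plain name,
 * 0 otherwise. Rejects "..", ".", "//" and a trailing slash, so the
 * name recorded in utmp/wtmp cannot climb out of /dev/. */
int device_name_ok(const char *dev)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof(prefix) - 1;
    const char *p;

    if (dev == NULL || strncmp(dev, prefix, plen) != 0)
        return 0;

    p = dev + plen;
    for (;;) {
        size_t n = strcspn(p, "/");          /* length of this component */

        if (n == 0)                          /* "//" or trailing "/" */
            return 0;
        if (n == 1 && p[0] == '.')           /* "." component */
            return 0;
        if (n == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
            return 0;

        p += n;
        if (*p == '\0')                      /* last component was fine */
            return 1;
        p++;                                 /* step over the '/' */
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from the report. */
    const char *samples[] = {
        "/dev/pts/3", "/dev/tty1", "/dev/../etc/passwd",
        "/dev/pts/../../etc/passwd", "/dev//tty1", "/etc/passwd",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s %s\n", samples[i],
               device_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```
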
I'll look into this and try to get it updated today or tomorrow at the latest.
5.5.4 added into portage -- amd64 and arm people, please mark stable and let us know when you have.
arm stable ;)
Still waiting for amd64 to mark stable.
Done.
Thanks. This one is now ready for a GLSA
GLSA 200405-05