| Summary: | net-p2p/xmule: ebuilds using /tmp insecurely | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tavis Ormandy (RETIRED) <taviso> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | net-p2p |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 159503 | ||
oops, it's p.masked, so marking INVALID.
The xmule ebuilds instruct the configure script to look in /tmp/zlib. This is a security problem, and allows unprivileged users to subvert the build process. Please update the ebuilds to use ${T}/zlib or similar.
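
A lint for the class of problem this report describes, given as an added example that is not part of the original bug or of any Gentoo tool: it flags non-comment ebuild lines that name a literal /tmp or /var/tmp path and leaves paths under `${T}` alone. The sample ebuild is constructed, and the `--with-zlib` flag name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: lint ebuilds for literal /tmp or /var/tmp paths.
# Prints "file:line:text" for each non-comment line that names such a path.
# Paths under Portage's private ${T} (or any other ${VAR}/tmp) are not flagged.
scan_ebuild() {
    awk -v re='[^A-Za-z0-9_}/.-](/var)?/tmp[^A-Za-z0-9_.-]' '
        /^[ \t]*#/ { next }                  # whole-line comment
        {
            code = $0
            sub(/[ \t]+#.*$/, "", code)      # strip trailing comment
            code = " " code " "              # pad so line edges act as delimiters
            if (code ~ re)
                printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Constructed sample input; the configure flag name is hypothetical.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Header comment mentioning /tmp must be ignored
src_compile() {
    econf --with-zlib=/tmp/zlib || die
    econf --with-zlib="${T}/zlib" || die   # fixed form
    mkdir -p "${WORKDIR}/tmp/build"
    cp foo /var/tmp/foo
}
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
scan_ebuild "$sample"
rm -f "$sample"
```

Run against a tree with `find . -name '*.ebuild' -exec sh -c '. ./lint.sh; scan_ebuild "$@"' _ {} +` or similar; each hit is a candidate for replacement with `${T}`.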