| Summary: | app-benchmarks/lmbench<=3 symlink attacks (CVE-2008-4968) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | dragonheart |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4968 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 235770 | | |

Description
Stefan Behte (RETIRED)
2008-11-07 22:13:42 UTC
Confirmed for our in-tree version. http://dev.gentoo.org/~rbu/security/debiantemp/lmbench

*ping*

Larry wrote: I would close that out as a silly bug. You shouldn't be running lmbench as root. [...] If you (or anyone) wants to submit a patch I'm happy to review and apply it. lmbench is open source, that's the whole point. I'm busy with my day job, when I don't have that problem maybe I'll be more interested in silly security reports. [...]

A closer look at all /tmp usage shows there are more possibilities than listed here. In light of the almost dead upstream I'm in favour of a purge of the package. Alternate packages exist in the app-benchmarks category. Objections anyone (last rites email coming soon)?

Package removed. (dev-announce was sent 2009-02-07)

We need to vote: I vote YES.

YES, filed.

GLSA 200909-10