Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 247986 (CVE-2008-5138)

Summary: sys-auth/pam_mount passwdehd insecure temporary file creation (CVE-2008-5138)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hanno
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 235770    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-21 16:51:22 UTC 
CVE-2008-5138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5138):
  passwdehd in libpam-mount 0.43 allows local users to overwrite
  arbitrary files via a symlink attack on a /tmp/passwdehd.#####
  temporary file.
Comment 1 Hanno Böck gentoo-dev 2008-11-21 18:36:35 UTC 
According to the author, this has changed in 0.49. I just removed the old 0.48 ebuild, but else we should be fine.