Summary: | www-plugins/gnash: Symlink attack vulnerability in configure script (CVE-2010-4337) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | chithanh, mrpouet |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=669851 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-01-15 05:10:53 UTC
Fixed in gnash-0.8.8.ebuild without revbump, as this does not affect users who have gnash already installed.

(In reply to comment #1)
> Fixed in gnash-0.8.8.ebuild without revbump, as this does not affect users who
> have gnash already installed.

Thank you. GLSA Vote: No.

CVE-2010-4337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4337): The configure script in gnash 0.8.8 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/gnash-configure-errors.$$, (2) /tmp/gnash-configure-warnings.$$, or (3) /tmp/gnash-configure-recommended.$$ files.

Vote: NO. Very unlikely to be ever exploited in real life. Closing noglsa.
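The weakness class named in the CVE text (log files at PID-derived names in a shared temp directory), next to a hardened alternative. This is an added example, not code from the gnash configure script or the Gentoo ebuild; all function names and the `configure-logs` template are hypothetical.

```shell
#!/bin/sh
# Added illustration; not taken from gnash's configure script.

# Weak pattern: the file name is built from the shell's PID ($$), so it is
# predictable, and a plain "> file" redirection follows a symlink that
# already sits at that name.
predictable_log_path() {
    # $1 = log kind: errors, warnings or recommended
    printf '%s/gnash-configure-%s.%s\n' "${TMPDIR:-/tmp}" "$1" "$$"
}

# Audit aid: true when something (including a dangling symlink) already
# occupies the path. Useful for spotting the condition, but not a fix on
# its own, because the state can change between this check and the write.
path_is_preplanted() {
    [ -e "$1" ] || [ -L "$1" ]
}

# Hardened pattern, step 1: let mktemp create a private directory.
# Creation is atomic, the name is random, and the mode is 0700, so no
# other local user can place entries inside it.
make_private_logdir() {
    mktemp -d "${TMPDIR:-/tmp}/configure-logs.XXXXXX"
}

# Hardened pattern, step 2: create each log with noclobber (set -C), which
# refuses to write through a name that already exists as a regular file
# or as a dangling symlink.
open_log() {
    # $1 = private directory, $2 = log kind
    log="$1/$2"
    ( set -C; : > "$log" ) 2>/dev/null || return 1
    printf '%s\n' "$log"
}
```

A build script would call `make_private_logdir` once, keep the result in a variable, and remove the directory in an exit trap.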