| Summary: | app-portage/gentoolkit / qpkg: symlink attack vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Florian Schilhabel (RETIRED) <ruth> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | carpaski, genone, jstubbs, karltk |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | A3 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 69147 | | |
| Bug Blocks: | | | |

Description
Florian Schilhabel (RETIRED)
2004-10-25 08:42:25 UTC
Genone, any hint on who specifically we should call to fix that?

After looking at this bug jstubbs noticed the same symlink problems exist for portage's handling of dispatch.conf. Jason is working on a patch for that now.

Well, personally I'd like to just drop qpkg, but I guess we can't do that :( I'll fix it in CVS but I'm not sure if I can make a release at this moment (as CVS currently has some experimental stuff, read: is broken), I have to check for that and report back later. PS: I'm on the security alias, no need to CC me (unless you want to remove me from it).

Hmm, apparently I can't access the bug when I'm not in the CC list even though I get all mails about it ...

Where are we now? Was a patch written / put in CVS?

Added a patch for this and released pre8-r1 (arch) and pre10-r1 (~arch).

Thx Marius

Time for GLSA decision. Perhaps it should be combined with bug #69147?

Yes, good idea. These are all symlink vulns in portage-related tools.

GLSA 200411-13