Take a look at src/eix-sync.in:
cp /var/cache/eix /tmp/eix.$$.sync || die "Error while copying cache-file to a save location ."
diff-eix /tmp/eix.$$.sync || die "Error while diffing."
Auditors please confirm.
confirmed, but it's not a race condition, it's a second order insecure temporary
file handling issue.
can someone explain what's the problem with this?
A local attacker can watch the process list and determine what $$ is while the
"emerge --sync" part is running, then create a link at the corresponding tmpfile
to a system file, say /etc/passwd... and bring down the host.
The fact that this runs as root and may be part of a cron job makes things even
Doing a mktemp before the emerge --sync to safely create a random file that you
will use afterwards to hold your temporary contents would be much better.
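The difference between the PID-based name and the mktemp approach suggested above, as an added example (not part of the original thread and not eix's actual fix). The function names, sandbox paths and file contents are constructed for the demonstration; nothing outside a throwaway directory is touched.

```shell
#!/bin/sh
# Added example: predictable temp name vs. mktemp, run inside a throwaway sandbox.
# All paths and file contents below are constructed for the demonstration.

# Pattern from the thread: the name depends only on the PID, and cp follows
# whatever already exists at that path, including a symlink.
copy_predictable() {   # $1 = source file, $2 = temp directory
    tmp="$2/eix.$$.sync"
    cp "$1" "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Hardened form: mktemp creates the file atomically (O_EXCL) with mode 0600 and
# a random suffix, so a pre-planted link at a guessed name is never opened.
copy_mktemp() {        # $1 = source file, $2 = temp directory
    tmp=$(mktemp "$2/eix.sync.XXXXXX") || return 1
    cp "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Returns 0 if the protected file is still intact after running copy function $1
# with a symlink already present at the predictable path, 1 if it was
# overwritten, 2 on setup or copy failure.
survives_planted_link() {
    sandbox=$(mktemp -d) || return 2
    printf 'cache-data\n' > "$sandbox/cache"          # stands in for /var/cache/eix
    printf 'root:x:0:0\n' > "$sandbox/protected"      # stands in for a system file
    ln -s "$sandbox/protected" "$sandbox/eix.$$.sync" # link at the guessable name
    "$1" "$sandbox/cache" "$sandbox" > /dev/null; rc=$?
    intact=1
    [ "$(cat "$sandbox/protected")" = "root:x:0:0" ] && intact=0
    rm -rf "$sandbox"
    [ "$rc" -eq 0 ] && return "$intact"
    return 2
}

if survives_planted_link copy_predictable; then echo "predictable: intact"
else echo "predictable: protected file overwritten"; fi
if survives_planted_link copy_mktemp; then echo "mktemp: intact"
else echo "mktemp: protected file overwritten"; fi
```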
ok, it's fixed with 0.3.0-r2 and also in upstream svn for 0.5.0
Arches please test 0.3.0-r2 and mark stable:
Target KEYWORDS="alpha amd64 ia64 ~mips ppc sparc x86"
stable on amd64
Stable on ppc.
This one is ready for GLSA decision. I vote YES.
I vote yes too. This is easy to exploit, and can be run as root as part of
The ppc keyword was never applied, apparently.
hansmi marked it ppc stable today, removing ppc.
ia64, don't forget to mark stable to benefit from the GLSA.