tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.
There does not appear to be an upstream fix for this at this time.
Debian has a patch for this that uses mktemp for tempfile generation. ( http://patch-tracking.debian.net/patch/series/view/tkman/2.2-4/07_use-mktemp )
I have also contacted the upstream developer who apparently had not heard of this.
Created attachment 174370 [details]
Created attachment 174372 [details, diff]
Rename previously applied gentoo patch
Created attachment 174374 [details, diff]
Debian's patch to use mktemp
Looking through the source, it appears that tkman-2.1-r1, current portage stable, is also affected by this.
Created attachment 174379 [details]
Doh, forgot to re-keyword after testing on my system (added back ~x86).
The author wants to solve this problem differently, so I would also expect a newer version to pop-up at some point, possibly.
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506496
+*tkman-2.2-r1 (13 Jul 2009)
+ 13 Jul 2009; Robert Buchholz <firstname.lastname@example.org>
+ +files/tkman-CVE-2008-5137.diff, files/tkman.desktop, tkman-2.1-r1.ebuild,
+ -tkman-2.2.ebuild, +tkman-2.2-r1.ebuild:
+ Security bump: Fix temporary file handling, CVE-2008-5137, bug #247540. Thanks
+ to Steven Susbauer.
Arches, please test and mark stable:
Target keywords : "ppc sparc x86"
ppc stable. closing since we're last
glsa? hmm.. probably
Not an example script here from what it seems, so YES. Request filed.