Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 706748 (CVE-2019-18932) - <net-analyzer/sarg-2.4.0: Insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector (CVE-2019-18932)
Summary: <net-analyzer/sarg-2.4.0: Insecure usage of /tmp/sarg allows privilege escala...
Alias: CVE-2019-18932
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on:
Reported: 2020-01-27 20:08 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-07-27 00:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-01-27 20:08:25 UTC
Avoid race condition when creating the temporary directory

If the temporary directory exists, its content must be checked and purged
after creating the temporary directory. Doing the reverse (as was the case
before) opens the door to a race condition where a malicious user replaces
the temporary directory just after its content was checked and deemed to be

Thanks to Matthias Gerstner for reporting this issue.
Comment 1 Larry the Git Cow gentoo-dev 2020-01-27 20:21:12 UTC
The bug has been referenced in the following commit(s):

commit f3ca4afb08ee300c6d4202717844f82533db9ed3
Author:     Jeroen Roovers <>
AuthorDate: 2020-01-27 20:20:37 +0000
Commit:     Jeroen Roovers <>
CommitDate: 2020-01-27 20:21:08 +0000

    net-analyzer/sarg: Version 2.4.0
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Jeroen Roovers <>

 net-analyzer/sarg/Manifest          |  1 +
 net-analyzer/sarg/sarg-2.4.0.ebuild | 60 +++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:47:20 UTC
@maintainer(s), ok to cleanup?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:47:52 UTC
(In reply to sam_c (Security Padawan) from comment #2)
> @maintainer(s), ok to cleanup?

ignore me!

@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 18:56:54 UTC
(changing title until stabilisation is called for).
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 22:01:05 UTC
@maintainer(s), please tell us if there is an issue preventing stabilisation, or we will begin.
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-25 06:29:11 UTC
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-25 09:44:50 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-04 06:42:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2020-06-20 01:21:11 UTC
GLSA opened.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:28:34 UTC
This issue was resolved and addressed in
 GLSA 202007-32 at
by GLSA coordinator Sam James (sam_c).