Description: "opentmpfiles through 0.3.1 allows local users to take ownership of arbitrary files because d entries are mishandled and allow a symlink attack."

Notes:
* This IS the opentmpfiles equivalent of bug 647796.
* This isn't the same as bug 647752 which is mostly mitigated by the baselayout change (sysctl).
*** Bug 751427 has been marked as a duplicate of this bug. ***
More information: http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9be32a62cbaaf4c629dee12d6264b80799e7cb25

commit 9be32a62cbaaf4c629dee12d6264b80799e7cb25
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:41:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:47 +0000

    virtual/tmpfiles: add systemd-tmpfiles standalone provider

    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 virtual/tmpfiles/tmpfiles-0.ebuild | 1 +
 1 file changed, 1 insertion(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0127bd04e1966c212b541d0a6e2fdcb9f5a7251e

commit 0127bd04e1966c212b541d0a6e2fdcb9f5a7251e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-29 06:39:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-29 06:41:46 +0000

    sys-apps/systemd-tmpfiles: add ~amd64 ~arm64 ~ppc64 keywords

    Bug: https://bugs.gentoo.org/751415
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-apps/systemd-tmpfiles/systemd-tmpfiles-246.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
I think that since systemd-tmpfiles uses a lot of systemd code, there is a chance it won't work for musl.
Due to the ongoing objections by some to anything related to systemd, may I suggest that the "masked" message be appended to note that even the authors of OpenTmpFiles recommend shifting to this package due to the lack of progress resolving the bug in their package? I was able to research and find the note in their "issues" section so I'll go ahead and unmask this particular systemd package. Thanks,
> I was able to research and find the note in their "issues" section so I'll
> go ahead and unmask this particular systemd package.

Make that "unmask on my personal system". I'm not going to commit anything to the overall Gentoo ecosystem...
Package list is empty or all packages have requested keywords.