Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 247540 (CVE-2008-5137) - <app-text/tkman-2.2-r1 symlink attack (CVE-2008-5137)
Summary: <app-text/tkman-2.2-r1 symlink attack (CVE-2008-5137)
Alias: CVE-2008-5137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Blocks: debian-tempfile
  Show dependency tree
Reported: 2008-11-19 04:41 UTC by stupendoussteve
Modified: 2009-09-09 13:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Fixed ebuild (tkman-2.2-r1.ebuild,819 bytes, text/plain)
2008-12-05 23:56 UTC, stupendoussteve
no flags Details
Rename previously applied gentoo patch (tkman-2.2-r1-gentoo.diff,2.27 KB, patch)
2008-12-05 23:56 UTC, stupendoussteve
no flags Details | Diff
Debian's patch to use mktemp (tkman-2.2-r1-use-mktemp.diff,11.37 KB, patch)
2008-12-05 23:57 UTC, stupendoussteve
no flags Details | Diff
Fixed ebuild (tkman-2.2-r1.ebuild,820 bytes, text/plain)
2008-12-06 02:08 UTC, stupendoussteve
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-11-19 04:41:53 UTC
tkman in tkman 2.2 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary file.

There does not appear to be an upstream fix for this at this time.
Comment 1 stupendoussteve 2008-12-05 14:07:06 UTC
Debian has a patch for this that uses mktemp for tempfile generation. ( )

I have also contacted the upstream developer who apparently had not heard of this.
Comment 2 stupendoussteve 2008-12-05 23:56:12 UTC
Created attachment 174370 [details]
Fixed ebuild
Comment 3 stupendoussteve 2008-12-05 23:56:48 UTC
Created attachment 174372 [details, diff]
Rename previously applied gentoo patch
Comment 4 stupendoussteve 2008-12-05 23:57:20 UTC
Created attachment 174374 [details, diff]
Debian's patch to use mktemp
Comment 5 stupendoussteve 2008-12-05 23:59:34 UTC
Looking through the source, it appears that tkman-2.1-r1, current portage stable, is also affected by this.
Comment 6 stupendoussteve 2008-12-06 02:08:06 UTC
Created attachment 174379 [details]
Fixed ebuild

Doh, forgot to re-keyword after testing on my system (added back ~x86).
Comment 7 stupendoussteve 2008-12-08 13:34:25 UTC
The author wants to solve this problem differently, so I would also expect a newer version to pop-up at some point, possibly.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-12-11 10:53:59 UTC
Debian bug:
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 00:49:30 UTC
+*tkman-2.2-r1 (13 Jul 2009)
+  13 Jul 2009; Robert Buchholz <>
+  +files/tkman-CVE-2008-5137.diff, files/tkman.desktop, tkman-2.1-r1.ebuild,
+  -tkman-2.2.ebuild, +tkman-2.2-r1.ebuild:
+  Security bump: Fix temporary file handling, CVE-2008-5137, bug #247540. Thanks
+  to Steven Susbauer.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 00:51:30 UTC
Arches, please test and mark stable:
Target keywords : "ppc sparc x86"
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2009-07-13 12:42:22 UTC
Sparc stable.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-14 20:24:59 UTC
x86 stable
Comment 13 nixnut (RETIRED) gentoo-dev 2009-07-19 17:48:05 UTC
ppc stable. closing since we're last
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-19 18:19:43 UTC
glsa? hmm.. probably
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-19 18:23:43 UTC
Not an example script here from what it seems, so YES. Request filed.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:34:32 UTC
GLSA 200909-07