ArchLinux: 201606-12: lib32-gnutls: arbitrary file overwrite
Summary
Setuid programs using GnuTLS could allow an attacker to overwrite and corrupt arbitrary files in the filesystem. The issue was introduced in GnuTLS 3.4.12, which read the GNUTLS_KEYLOGFILE environment variable via getenv() and honoured it even when running set-user-ID, and was fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available, which ignores the variable in a privileged process.
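As an added illustration (not code from the advisory or from GnuTLS), the two environment-lookup policies side by side: the unconditional getenv() pattern the advisory describes, and the secure_getenv()-style policy that ignores the variable when the real and effective ids differ. The id comparison is factored into a function that takes the ids as parameters so the policy can be exercised without a set-user-ID binary; the variable name and path are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pattern described for GnuTLS 3.4.12: the environment is trusted
 * unconditionally, so a set-user-ID program would open (and later
 * write to) whatever path the unprivileged caller placed in the
 * variable. */
static const char *keylog_path_unconditional(const char *name)
{
    return getenv(name);
}

/* Policy implemented by glibc's secure_getenv(): when the process is
 * running with elevated privileges (real and effective uid or gid
 * differ), pretend the variable is unset. The ids are parameters so
 * the decision can be unit-tested from an ordinary process. */
static const char *keylog_path_secure_ids(const char *name,
                                          uid_t ruid, uid_t euid,
                                          gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)
        return NULL;            /* privileged: ignore caller's env */
    return getenv(name);
}

/* Convenience wrapper using the calling process's own ids. Note that
 * glibc's secure_getenv() additionally consults the kernel's
 * AT_SECURE auxv flag, which this portable approximation does not. */
static const char *keylog_path_secure(const char *name)
{
    return keylog_path_secure_ids(name, getuid(), geteuid(),
                                  getgid(), getegid());
}

int main(void)
{
    /* Constructed demo value; the real variable is GNUTLS_KEYLOGFILE. */
    setenv("DEMO_KEYLOGFILE", "/tmp/constructed-keylog.txt", 1);
    printf("unconditional:        %s\n", keylog_path_unconditional("DEMO_KEYLOGFILE"));
    printf("secure, same ids:     %s\n", keylog_path_secure("DEMO_KEYLOGFILE"));
    const char *p = keylog_path_secure_ids("DEMO_KEYLOGFILE", 1000, 0, 1000, 1000);
    printf("secure, ruid!=euid:   %s\n", p ? p : "(ignored)");
    return 0;
}
```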
Resolution
Upgrade to 3.4.13-1.
# pacman -Syu "lib32-gnutls>=3.4.13-1"
The problem has been fixed upstream in version 3.4.13.
References
https://access.redhat.com/security/cve/CVE-2016-4456
http://gnutls.org/security.html#GNUTLS-SA-2016-1
Workaround
None.