Gentoo: GLSA-200804-09: am-utils: Insecure temporary file creation
Summary
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200804-09 https://security.gentoo.org/
Severity: Normal Title: am-utils: Insecure temporary file creation Date: April 10, 2008 Bugs: #210158 ID: 200804-09
Synopsis ======= am-utils creates temporary files insecurely allowing local users to overwrite arbitrary files via a symlink attack.
Background ========= am-utils is a collection of utilities for use with the Berkeley Automounter.
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-fs/am-utils < 6.1.5 >= 6.1.5
========== Tavis Ormandy discovered that, when creating temporary files, the 'expn' utility does not check whether the file already exists.
Impact ===== A local attacker could exploit the vulnerability via a symlink attack to overwrite arbitrary files.
Workaround ========= There is no known workaround at this time.
Resolution ========= All am-utils users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-fs/am-utils-6.1.5"
References ========= [ 1 ] CVE-2008-1078 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1078
Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/200804-09
Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org/.
License ====== Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - iD8DBQFH/nY/uhJ+ozIKI5gRArfpAKCZ53ZEUZJA6a3qPX0Dlnn6SQyNKwCdHtj0 f1YXGG/CnRhI5f5WtWEIjlo=1SAy -----END PGP SIGNATURE-----
Resolution
References
Availability
Concerns
![Dist Gentoo](/images/distros/dist-gentoo.png)