Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Gentoo: 201310-17 Low Severity: Pmake Symlink Attack Advisory

gentoo
Calendar Grey October 28, 2013
Scroller Gentoo
Gentoo Security Advisory GLSA 201400-15 raises an alert regarding a medium severity vulnerability associated with improper handling of file permissions during the installation process.
pmake uses temporary files in an insecure manner, allowing for symlink attacks.

Summary

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend[PID]), and without using $TMPDIR.

Resolution

All pmake users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/pmake-1.111.3.1"

References

[ 1 ] CVE-2011-1920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1920

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201310-17
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
low
Lowest
Low
Medium
High
Critical

Severity: Low
Title: pmake: Insecure temporary file usage
Date: October 28, 2013
Bugs: #367891
ID: 201310-17

Synopsis

pmake uses temporary files in an insecure manner, allowing for symlink attacks.

Background

pmake is Debian's version of NetBSD's make, a tool to build programs in parallel.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/pmake < 1.111.3.1 >= 1.111.3.1

Impact

===== The make include files allow local users to overwrite arbitrary files via a symlink attack.

Workaround

There is no known workaround at this time.