Joined: 12 May 2004
|Posted: Sun Aug 07, 2005 7:15 am Post subject: [ GLSA 200508-05 ] Heartbeat: Insecure temporary file creati
|Gentoo Linux Security Advisory
Title: Heartbeat: Insecure temporary file creation (GLSA 200508-05)
Date: August 07, 2005
Heartbeat is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.
Heartbeat is a component of the High-Availability Linux project.
It it used to perform death-of-node detection, communications and
Vulnerable: < 1.2.3-r1
Unaffected: >= 1.2.3-r1
Architectures: All supported architectures
Eric Romang has discovered that Heartbeat insecurely creates
temporary files with predictable filenames.
A local attacker could create symbolic links in the temporary file
directory, pointing to a valid file somewhere on the filesystem. When a
vulnerable script is executed, this could lead to the file being
overwritten with the rights of the user running the affected
There is no known workaround at this time.
All Heartbeat users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/heartbeat-1.2.3-r1"
Last edited by GLSA on Wed Feb 15, 2012 4:20 am; edited 7 times in total