Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200712-11 ] Portage: Information disclosure
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1581

PostPosted: Thu Dec 13, 2007 8:26 pm    Post subject: [ GLSA 200712-11 ] Portage: Information disclosure Reply with quote

Gentoo Linux Security Advisory

Title: Portage: Information disclosure (GLSA 200712-11)
Severity: normal
Exploitable: local
Date: December 13, 2007
Bug(s): #193589
ID: 200712-11

Synopsis

Portage may disclose sensitive information when updating configuration files.

Background

Portage is the default Gentoo package management system.

Affected Packages

Package: sys-apps/portage
Vulnerable: < 2.1.3.11
Unaffected: >= 2.1.3.11
Architectures: All supported architectures


Description

Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.

Impact

A local attacker could access sensitive information when configuration files are being merged.

Workaround

There is no known workaround at this time.

Resolution

All Portage users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"


References

CVE-2007-6249
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum