GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Oct 07, 2007 10:26 pm Post subject: [ GLSA 200710-05 ] QGit: Insecure temporary file creation |
 |
|
Gentoo Linux Security Advisory
Title: QGit: Insecure temporary file creation (GLSA 200710-05)
Severity: normal
Exploitable: local
Date: October 07, 2007
Bug(s): #190697
ID: 200710-05
Synopsis
A vulnerability has been discovered in QGit allowing local users to overwrite arbitrary files and execute arbitrary code with another user's rights.
Background
QGit is a graphical interface to git repositories that allows you to browse revisions history, view patch content and changed files.
Affected Packages
Package: dev-util/qgit
Vulnerable: < 1.5.7
Unaffected: >= 1.5.7
Architectures: All supported architectures
Description
Raphael Marichez discovered that the DataLoader::doStart() method creates temporary files in an insecure manner and executes them.
Impact
A local attacker could perform a symlink attack, possibly overwriting files or executing arbitrary code with the rights of the user running QGit.
Workaround
There is no known workaround at this time.
Resolution
All QGit users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qgit-1.5.7" |
References
CVE-2007-4631 |
|
News & Announcements
