Posted: Sat Jul 03, 2021 4:26 am Post subject: [ GLSA 202107-03 ] libqb
Gentoo Linux Security Advisory
Title: libqb: Insecure temporary file (GLSA 202107-03)
Insecure temporary file usage has been reported in libqb,
possibly allowing local code execution.
libqb is a library with the primary purpose of providing
high-performance, reusable features for client-server architecture, such
as logging, tracing, inter-process communication (IPC), and polling.
Vulnerable: < 1.0.5
Unaffected: >= 1.0.5
Architectures: All supported architectures
It was discovered that libqb used predictable filenames (under /dev/shm
and /tmp) without O_EXCL.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application linked
There is no known workaround at this time.
All libqb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/libqb-1.0.5"