GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Dec 13, 2007 8:26 pm Post subject: [ GLSA 200712-11 ] Portage: Information disclosure
Gentoo Linux Security Advisory
Title: Portage: Information disclosure (GLSA 200712-11)
Severity: normal
Exploitable: local
Date: December 13, 2007
Bug(s): #193589
ID: 200712-11
Synopsis
Portage may disclose sensitive information when updating configuration files.
Background
Portage is the default Gentoo package management system.
Affected Packages
Package: sys-apps/portage
Vulnerable: < 2.1.3.11
Unaffected: >= 2.1.3.11
Architectures: All supported architectures
Description
Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.
Impact
A local attacker could access sensitive information when configuration files are being merged.
Workaround
There is no known workaround at this time.
Resolution
All Portage users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"
References
CVE-2007-6249
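The condition named in the Description, scratch files inheriting the standard umask, can be reproduced and checked with the script below. It is an added example, not code from etc-update or from the advisory; the function names, file names and sample secret are constructed, and 022 is assumed as the default umask.

```shell
#!/bin/sh
# Added illustration; not code from etc-update. All names and paths are hypothetical.

# Return 0 if "other" has read permission on the file (8th char of the ls mode string).
is_world_readable() {
    perms=$(ls -ld -- "$1") || return 2
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# Pattern described in the advisory: a scratch file created by plain redirection
# inherits the process umask (assumed 022 here, giving mode 0644).
write_tmp_default_umask() {
    # $1 = source config, $2 = scratch path
    ( umask 022; cat -- "$1" > "$2" )
}

# Hardened variant 1: restrict the umask before any scratch file is created.
write_tmp_private_umask() {
    ( umask 077; cat -- "$1" > "$2" )
}

# Hardened variant 2: mktemp creates the file with mode 0600 regardless of the
# umask, and with an unpredictable name. Prints the scratch path.
write_tmp_mktemp() {
    # $1 = source config, $2 = directory for the scratch file
    tmp=$(umask 022; mktemp "$2/merge.XXXXXX") || return 1
    cat -- "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample of a sensitive config file (mode 0600).
    ( umask 077; printf 'rootpw = constructed-sample-secret\n' > "$work/secret.conf" )
    write_tmp_default_umask "$work/secret.conf" "$work/a.tmp"
    write_tmp_private_umask "$work/secret.conf" "$work/b.tmp"
    c=$(write_tmp_mktemp "$work/secret.conf" "$work")
    for f in "$work/a.tmp" "$work/b.tmp" "$c"; do
        if is_world_readable "$f"; then echo "world-readable: $f"; else echo "private: $f"; fi
    done
    rm -rf -- "$work"
}

demo
```

The copy written under umask 022 is reported world-readable even though the source file is mode 0600; both hardened variants stay private.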