Posted: Wed Jan 09, 2008 10:26 pm Post subject: [ GLSA 200801-03 ] Claws Mail: Insecure temporary file creat
Gentoo Linux Security Advisory
Title: Claws Mail: Insecure temporary file creation (GLSA 200801-03)
Date: January 09, 2008
Claws Mail uses temporary files in an insecure manner, allowing for a symlink attack.
Claws Mail is a GTK-based e-mail client.
Vulnerable: < 3.0.2-r1
Unaffected: >= 3.0.2-r1
Architectures: All supported architectures
Nico Golde from Debian reported that the sylprint.pl script that is part of the Claws Mail tools creates temporary files in an insecure manner.
A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail.
There is no known workaround at this time.
All Claws Mail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.0.2-r1"
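
The class of flaw described above, as an added Perl example (not code from sylprint.pl or the Claws Mail project): a predictable temporary file name opened with a plain open() follows a symbolic link that already exists at that name, while an O_EXCL open or File::Temp does not. The sandbox directory and the names important.txt and print_job.tmp are constructed for the demonstration and are assumptions, not values from the advisory.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a shared temporary directory.
my $sandbox = tempdir(CLEANUP => 1);
my $victim  = "$sandbox/important.txt";   # a file owned by the user (constructed)
my $guess   = "$sandbox/print_job.tmp";   # hypothetical predictable temp name

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $text;
    close($fh) or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;                              # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

write_file($victim, "original contents\n");
# A link already sits at the predictable name before the program runs.
symlink($victim, $guess) or die "symlink: $!";

# Insecure pattern: open() with '>' follows the link and truncates its target.
write_file($guess, "print job data\n");
print "after plain open():  ", read_file($victim);
write_file($victim, "original contents\n");   # restore for the next checks

# Hardened: O_CREAT|O_EXCL fails if anything, including a symlink, exists.
if (sysopen(my $fh, $guess, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    print "O_EXCL open unexpectedly succeeded\n";
} else {
    print "O_EXCL open refused: $!\n";
}

# Hardened: File::Temp picks an unpredictable name and opens it exclusively.
my ($tfh, $tname) = tempfile('print_job_XXXXXXXX', DIR => $sandbox, UNLINK => 1);
print {$tfh} "print job data\n";
close($tfh) or die "close $tname: $!";
print "after File::Temp:    ", read_file($victim);
```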