Posted: Mon Oct 28, 2013 12:26 pm
Post subject: [ GLSA 201310-17 ] pmake: Insecure temporary file usage
Gentoo Linux Security Advisory
Title: pmake: Insecure temporary file usage (GLSA 201310-17)
Severity: low
Exploitable: local
Date: October 28, 2013
Bug(s): #367891
ID: 201310-17
Synopsis
pmake uses temporary files in an insecure manner, allowing for
symlink attacks.
Background
pmake is Debian’s version of NetBSD’s make, a tool to build programs
in parallel.
Affected Packages
Package: sys-devel/pmake
Vulnerable: < 1.111.3.1
Unaffected: >= 1.111.3.1
Architectures: All supported architectures
Description
/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend[PID]), and
without using $TMPDIR.
Impact
The make include files allow local users to overwrite arbitrary files
via a symlink attack.
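The predictable-name pattern from the Description, next to a mktemp(1)-based form that honours $TMPDIR. This is an added example, not the pmake include files' own code or the upstream fix; the function names and the private sandbox directory are assumptions made for illustration.

```shell
#!/bin/sh
# Pattern from the advisory: fixed directory, file name derived from the PID.
# $1 stands in for /tmp (a private sandbox directory in this example).
write_depend_predictable() {
    f="$1/_depend$$"
    # '>' creates or truncates and follows a symlink already at that path.
    echo "deps" > "$f"
    printf '%s\n' "$f"
}

# Hardened form: honour $TMPDIR and let mktemp create the file atomically
# (exclusive create, mode 0600) under an unpredictable name.
write_depend_mktemp() {
    f=$(mktemp "${TMPDIR:-/tmp}/_depend.XXXXXX") || return 1
    echo "deps" > "$f"
    printf '%s\n' "$f"
}

# Self-check in a throwaway sandbox. Returns 0 when the predictable name wrote
# through a pre-existing symlink and the mktemp name left the other file alone.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    echo "original" > "$sandbox/important"          # constructed sample file
    ln -s "$sandbox/important" "$sandbox/tmp/_depend$$"

    write_depend_predictable "$sandbox/tmp" > /dev/null
    clobbered=$(cat "$sandbox/important")

    echo "original" > "$sandbox/important"
    safe=$(TMPDIR="$sandbox/tmp" write_depend_mktemp) || return 1
    kept=$(cat "$sandbox/important")

    ok=1
    [ "$clobbered" = "deps" ] && [ "$kept" = "original" ] \
        && [ -f "$safe" ] && [ ! -L "$safe" ] && ok=0
    rm -rf "$sandbox"
    return $ok
}
```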
Workaround
There is no known workaround at this time.
Resolution
All pmake users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-devel/pmake-1.111.3.1"

References
CVE-2011-1920
Last edited by GLSA on Fri Mar 21, 2014 4:34 am; edited 4 times in total