| <?xml version="1.0" encoding="utf-8"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="200407-01"> |
| <title>Esearch: Insecure temp file handling</title> |
| <synopsis> |
| The eupdatedb utility in esearch creates a file in /tmp without first |
| checking for symlinks. This makes it possible for any user to create |
| arbitrary files. |
| </synopsis> |
| <product type="ebuild">esearch</product> |
| <announced>July 01, 2004</announced> |
| <revised>May 22, 2006: 02</revised> |
| <bug>55424</bug> |
| <access>local</access> |
| <affected> |
| <package name="app-portage/esearch" auto="yes" arch="*"> |
| <unaffected range="ge">0.6.2</unaffected> |
| <vulnerable range="le">0.6.1</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| Esearch is a replacement for the Portage command "emerge search". It |
| uses an index to speed up searching of the Portage tree. |
| </p> |
| </background> |
| <description> |
| <p> |
| The eupdatedb utility uses a temporary file (/tmp/esearchdb.py.tmp) to |
| indicate that the eupdatedb process is running. When run, eupdatedb |
| checks to see if this file exists, but it does not check to see if it |
| is a broken symlink. In the event that the file is a broken symlink, |
| the script will create the file pointed to by the symlink, instead of |
| printing an error and exiting. |
| </p> |
| </description> |
| <impact type="normal"> |
| <p> |
| An attacker could create a symlink from /tmp/esearchdb.py.tmp to a |
| nonexistent file (such as /etc/nologin), and the file will be created |
| the next time esearchdb is run. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| There is no known workaround at this time. All users should upgrade to |
| the latest available version of esearch. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All users should upgrade to the latest available version of esearch, as |
| follows: |
| </p> |
| <code> |
| # emerge sync |
| |
| # emerge -pv ">=app-portage/esearch-0.6.2" |
| # emerge ">=app-portage/esearch-0.6.2"</code> |
| </resolution> |
| <references> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0655">CVE-2004-0655</uri> |
| </references> |
| <metadata tag="submitter"> |
| condordes |
| </metadata> |
| </glsa> |