<?xml version="1.0" encoding="utf-8"?>
<glsa id="200812-14">
<title>aview: Insecure temporary file usage</title>
An insecure temporary file usage has been reported in aview, leading to
symlink attacks.
<product type="ebuild">aview</product>
<announced>December 14, 2008</announced>
<revised>December 14, 2008: 01</revised>
<package name="media-gfx/aview" auto="yes" arch="*">
<unaffected range="ge">1.3.0_rc1-r1</unaffected>
<vulnerable range="lt">1.3.0_rc1-r1</vulnerable>
aview is an ASCII image viewer and animation player.
Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file
in an insecure manner when processing files.
<impact type="normal">
A local attacker could perform symlink attacks to overwrite arbitrary
files on the system with the privileges of the user running the
There is no known workaround at this time.
All aview users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-gfx/aview-1.3.0_rc1-r1&quot;</code>
<uri link="">CVE-2008-4935</uri>
<metadata tag="requester" timestamp="Mon, 22 Sep 2008 12:39:57 +0000">
<metadata tag="submitter" timestamp="Tue, 21 Oct 2008 20:48:01 +0000">
<metadata tag="bugReady" timestamp="Thu, 11 Dec 2008 20:00:09 +0000">