<?xml version="1.0" encoding="utf-8"?>
<glsa id="200903-08">
<title>gEDA: Insecure temporary file creation</title>
An insecure temporary file usage has been reported in gEDA, allowing for
symlink attacks.
<product type="ebuild">geda</product>
<announced>March 07, 2009</announced>
<revised>March 07, 2009: 01</revised>
<package name="sci-electronics/geda" auto="yes" arch="*">
<unaffected range="ge">1.4.0-r1</unaffected>
<vulnerable range="lt">1.4.0-r1</vulnerable>
gEDA is an Electronic Design Automation tool used for electrical
circuit design.
Dmitry E. Oboukhov reported an insecure temporary file usage within the script.
<impact type="normal">
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
There is no known workaround at this time.
All gEDA users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=sci-electronics/geda-1.4.0-r1&quot;</code>
<uri link="">CVE-2008-5148</uri>
<metadata tag="requester" timestamp="Tue, 13 Jan 2009 17:58:50 +0000">
<metadata tag="submitter" timestamp="Thu, 12 Feb 2009 18:01:59 +0000">
<metadata tag="bugReady" timestamp="Thu, 12 Feb 2009 18:02:15 +0000">