<?xml version="1.0" encoding="utf-8"?>
<glsa id="200909-07">
<title>TkMan: Insecure temporary file usage</title>
Insecure temporary file usage has been reported in TkMan, allowing for
symlink attacks.
<product type="ebuild">tkman</product>
<announced>September 09, 2009</announced>
<revised>September 09, 2009: 01</revised>
<package name="app-text/tkman" auto="yes" arch="*">
<unaffected range="ge">2.2-r1</unaffected>
<vulnerable range="lt">2.2-r1</vulnerable>
TkMan is a graphical, hypertext manual page and Texinfo browser for
Dmitry E. Oboukhov reported that TkMan does not handle the
"/tmp/tkman#####" and "/tmp/ll" temporary files securely.
<impact type="normal">
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
There is no known workaround at this time.
All TkMan users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=app-text/tkman-2.2-r1&quot;</code>
<uri link="">CVE-2008-5137</uri>
<metadata tag="requester" timestamp="Sun, 19 Jul 2009 18:23:29 +0000">
<metadata tag="submitter" timestamp="Fri, 28 Aug 2009 07:32:36 +0000">
<metadata tag="bugReady" timestamp="Mon, 31 Aug 2009 03:37:41 +0000">