<?xml version="1.0" encoding="utf-8"?>
<glsa id="200909-10">
<title>LMBench: Insecure temporary file usage</title>
Multiple insecure temporary file usage issues have been reported in
LMBench, allowing for symlink attacks.
<product type="ebuild">lmbench</product>
<announced>September 09, 2009</announced>
<revised>September 09, 2009: 01</revised>
<package name="app-benchmarks/lmbench" auto="yes" arch="*">
<vulnerable range="le">3</vulnerable>
LMBench is a suite of simple, portable benchmarks for UNIX platforms.
Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not
handle "/tmp/sdiff.#####" temporary files securely. NOTE: There might
be further occurrences of insecure temporary file usage.
<impact type="normal">
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
There is no known workaround at this time.
LMBench has been removed from Portage. We recommend that users unmerge
<code>
# emerge --unmerge app-benchmarks/lmbench</code>
<uri link="">CVE-2008-4968</uri>
<metadata tag="requester" timestamp="Fri, 10 Jul 2009 10:54:15 +0000">
<metadata tag="submitter" timestamp="Fri, 28 Aug 2009 07:58:27 +0000">
<metadata tag="bugReady" timestamp="Mon, 31 Aug 2009 03:38:05 +0000">