Gentoo Archives: gentoo-commits

From: "Pierre-Yves Rofes (py)" <py@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200712-07.xml
Date: Sun, 09 Dec 2007 21:34:13
Message-Id: E1J1Tmp-0007ZE-Ue@stork.gentoo.org
1 py 07/12/09 21:34:07
2
3 Added: glsa-200712-07.xml
4 Log:
5 GLSA 200712-07
6
7 Revision Changes Path
8 1.1 xml/htdocs/security/en/glsa/glsa-200712-07.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-07.xml?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-07.xml?rev=1.1&content-type=text/plain
12
13 Index: glsa-200712-07.xml
14 ===================================================================
15 <?xml version="1.0" encoding="utf-8"?>
16 <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17 <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18 <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20 <glsa id="200712-07">
21 <title>Lookup: Insecure temporary file creation</title>
22 <synopsis>
23 Lookup uses temporary files in an insecure manner, allowing for a symlink
24 attack.
25 </synopsis>
26 <product type="ebuild">lookup</product>
27 <announced>December 09, 2007</announced>
28 <revised>December 09, 2007: 01</revised>
29 <bug>197306</bug>
30 <access>local</access>
31 <affected>
32 <package name="app-emacs/lookup" auto="yes" arch="*">
33 <unaffected range="ge">1.4.1</unaffected>
34 <vulnerable range="lt">1.4.1</vulnerable>
35 </package>
36 </affected>
37 <background>
38 <p>
39 Lookup is a search interface to books and dictionnaries for Emacs.
40 </p>
41 </background>
42 <description>
43 <p>
44 Tatsuya Kinoshita reported that the ndeb-binary function does not
45 handle temporay files correctly.
46 </p>
47 </description>
48 <impact type="normal">
49 <p>
50 A local attacker could use a symlink attack to overwrite files with the
51 privileges of the user running Lookup.
52 </p>
53 </impact>
54 <workaround>
55 <p>
56 There is no known workaround at this time.
57 </p>
58 </workaround>
59 <resolution>
60 <p>
61 All Lookup users should upgrade to the latest version:
62 </p>
63 <code>
64 # emerge --sync
65 # emerge --ask --oneshot --verbose &quot;&gt;=app-emacs/lookup-1.4.1&quot;</code>
66 </resolution>
67 <references>
68 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0237">CVE-2007-0237</uri>
69 </references>
70 <metadata tag="requester" timestamp="Mon, 19 Nov 2007 22:00:43 +0000">
71 p-y
72 </metadata>
73 <metadata tag="bugReady" timestamp="Wed, 21 Nov 2007 00:09:14 +0000">
74 rbu
75 </metadata>
76 <metadata tag="submitter" timestamp="Sat, 08 Dec 2007 23:10:28 +0000">
77 p-y
78 </metadata>
79 </glsa>
80
81
82
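Review bot: Two spelling errors in the advisory's user-facing text should be corrected: in <background>, "dictionnaries" should read "dictionaries", and in <description>, "temporay" should read "temporary". The <description> is also less specific than the sections around it. It says only that the ndeb-binary function "does not handle" temporary files correctly, while the <title>, <synopsis> and <impact> already name insecure temporary file creation and a symlink attack. Consider stating in <description> that ndeb-binary creates its temporary files insecurely, so that all sections of the advisory agree on the nature of the flaw.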
83 --
84 gentoo-commits@g.o mailing list