Gentoo Archives: gentoo-announce

From: Luke Macken <lewk@g.o>
To: gentoo-announce@××××××××××××.org
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200504-06 ] sharutils: Insecure temporary file creation
Date: Wed, 06 Apr 2005 22:16:41
Message-Id: 20050406221621.GB24456@tomservo.hsd1.ma.comcast.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200504-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: sharutils: Insecure temporary file creation
Date: April 06, 2005
Bugs: #87939
ID: 200504-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The unshar utility is vulnerable to symlink attacks, potentially
allowing a local user to overwrite arbitrary files.

Background
==========

sharutils is a collection of tools to deal with shar archives.

Affected packages
=================

  -------------------------------------------------------------------
   Package              /  Vulnerable  /                   Unaffected
  -------------------------------------------------------------------
1  app-arch/sharutils       < 4.2.1-r11                   >= 4.2.1-r11

Description
===========

Joey Hess has discovered that the program unshar, which is a part of
sharutils, creates temporary files in a world-writable directory with
predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
unshar is executed, this would result in the file being overwritten
with the rights of the user running the utility, which could be the
root user.
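The bug class the advisory describes, as an added example (not sharutils code): the predictable-name temporary file beside two hardened forms (mkstemp() and a fixed name opened with O_EXCL|O_NOFOLLOW), plus a post-open check that tells a program whether its write was redirected through a link. Directory and file names are constructed for the demonstration.

```c
#define _GNU_SOURCE                 /* mkstemp, mkdtemp, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern (constructed, not the unshar source): a fixed, guessable
 * name in a world-writable directory, opened with O_TRUNC and no O_EXCL.
 * A symlink pre-placed at that name is followed and its target truncated. */
int open_tmp_insecure(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/unshar.tmp", dir);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL in one step, so an existing entry or symlink is never
 * reused; the final name is written back into path. */
int open_tmp_secure(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/unshar.XXXXXX", dir);
    return mkstemp(path);
}

/* When the name must stay fixed: O_EXCL refuses to open through any
 * existing entry (a symlink included); O_NOFOLLOW is belt-and-braces.
 * Returns -1 (errno EEXIST) instead of overwriting anything. */
int open_tmp_fixed_excl(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/unshar.tmp", dir);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Post-open check: lstat() looks at the directory entry without following
 * links; if it is a symlink, or its (dev, inode) differs from what fd
 * refers to, the write was redirected. Returns 1 when they agree. */
int fd_matches_path(int fd, const char *path) {
    struct stat ls, fs;
    if (lstat(path, &ls) != 0 || fstat(fd, &fs) != 0) return 0;
    if (S_ISLNK(ls.st_mode)) return 0;
    return ls.st_dev == fs.st_dev && ls.st_ino == fs.st_ino;
}

int main(void) {
    char dir[] = "/tmp/glsa-demo.XXXXXX", path[256];   /* constructed scratch dir */
    if (!mkdtemp(dir)) return 1;
    int fd = open_tmp_secure(dir, path, sizeof path);
    printf("%s -> %s\n", path,
           fd >= 0 && fd_matches_path(fd, path) ? "ok" : "redirected");
    return 0;
}
```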

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sharutils users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/sharutils-4.2.1-r11"

References
==========

[ 1 ] Ubuntu Advisory
http://www.ubuntulinux.org/support/documentation/usn/usn-104-1

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200504-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0