Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200507-22 ] sandbox: Insecure temporary file handling
Date: Mon, 25 Jul 2005 18:48:07
Message-Id: 200507252006.23500.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200507-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: sandbox: Insecure temporary file handling
Date: July 25, 2005
Bugs: #96782
ID: 200507-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The sandbox utility may create temporary files in an insecure manner.

Background
==========

sandbox is a Gentoo Linux utility used by the Portage package
management system.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/sandbox < 1.2.11 >= 1.2.11

Description
===========

The Gentoo Linux Security Audit Team discovered that the sandbox
utility was vulnerable to multiple TOCTOU (Time of Check, Time of Use)
file creation race conditions.

Impact
======

Local users may be able to create or overwrite arbitrary files with the
permissions of the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sandbox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/sandbox-1.2.11"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0