Gentoo Archives: gentoo-announce

From: aliz@gentoo.org (Daniel Ahlberg)
To: gentoo-announce@g.o, bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com
Subject: [gentoo-announce] GLSA: eroaster (200309-04)
Date: Tue, 02 Sep 2003 10:11:28
Message-Id: 20030902095749.A0AA49FBB3@noc.internal.fairytale.se
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-04
- - - ---------------------------------------------------------------------

          PACKAGE : eroaster
          SUMMARY : symlink attack
             DATE : 2003-09-02 09:57 UTC
          EXPLOIT : local
VERSIONS AFFECTED : <eroaster-2.1.0-r2
    FIXED VERSION : >=eroaster-2.1.0-r2
              CVE : CAN-2003-0656

- - - ---------------------------------------------------------------------

Previous eroaster versions allowed local users to overwrite arbitrary
files via a symlink attack on a temporary file that is used as a lockfile.

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-cdr/eroaster upgrade to eroaster-2.1.0-r2 as follows:

emerge sync
emerge eroaster
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/VGmdfT7nyhUpoZMRAg2YAKCY0hNYsrhirHwqHpN9exykGJhn3wCfbyIW
gYYFsd1A4rF6FOni7qg3jdg=
=rrmf
-----END PGP SIGNATURE-----
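
The class of bug named in the advisory, shown as an added example that is not part of the advisory and is not eroaster's code: a lockfile opened with a plain write follows a pre-existing symlink, while an exclusive create refuses it. The function names, the file names and the "unsafe" pattern itself are assumptions made for illustration; everything runs inside a private temporary directory.

```python
import os
import tempfile


def unsafe_lock(path):
    """Assumed pre-fix pattern: open(..., 'w') follows a symlink at `path`
    and truncates whatever file it points to."""
    with open(path, "w") as f:
        f.write(str(os.getpid()))


def safe_lock(path):
    """Create the lockfile atomically. O_EXCL makes the call fail if anything,
    including a (dangling) symlink, already exists at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(str(os.getpid()))


def demo():
    """Run both variants against a constructed symlinked lockfile."""
    results = {"pid": str(os.getpid())}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")   # constructed sample file
        lock = os.path.join(d, "app.lock")       # hypothetical lockfile name
        with open(victim, "w") as f:
            f.write("important data")
        os.symlink(victim, lock)  # the lock path already exists as a symlink

        # Hardened variant: refuses to touch the existing path.
        try:
            safe_lock(lock)
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True
        with open(victim) as f:
            results["victim_after_safe"] = f.read()

        # Unsafe variant: writes through the symlink and clobbers the target.
        unsafe_lock(lock)
        with open(victim) as f:
            results["victim_after_unsafe"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping lockfiles in a directory only the owning user can write to (rather than a shared, world-writable temporary directory) removes the opportunity to pre-create the path at all.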