Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200410-02 ] Netpbm: Multiple temporary file issues
Date: Mon, 04 Oct 2004 17:27:19
Message-Id: 416187A3.5020102@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title:    Netpbm: Multiple temporary file issues
Date:     October 04, 2004
Bugs:     #65647
ID:       200410-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Utilities included in old Netpbm versions are vulnerable to multiple
temporary file issues, potentially allowing a local attacker to
overwrite files with the rights of the user running the utility.

Background
==========

Netpbm is a toolkit containing more than 200 separate utilities for
manipulation and conversion of graphic images.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
  1  media-libs/netpbm          <= 9.12-r4                     >= 10.0

Description
===========

Utilities contained in the Netpbm package prior to the 9.25 version
contain defects in temporary file handling. They create temporary files
with predictable names without checking first that the target file
doesn't already exist.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When a
user or a tool calls one of the affected utilities, this would result
in file overwriting with the rights of the user running the utility.
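The defect class described in the Description and Impact sections, with the check a safe replacement needs, as an added C example that is not part of this advisory or of Netpbm: `create_private_tmpfile` uses mkstemp() instead of a predictable name, `open_fixed_tmp_checked` shows the O_EXCL|O_NOFOLLOW open for a name that cannot be randomised, and `demo_symlink_is_rejected` confirms inside a private scratch directory that a pre-planted symlink is refused and its target left intact. All function names and the scratch paths are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Safe replacement for "fopen a predictable name in /tmp": mkstemp() picks a
 * random name and opens it with O_CREAT|O_EXCL and mode 0600, so a file or
 * symlink pre-planted at that name makes creation fail instead of being
 * followed. Copies the chosen path into 'path'; returns the fd or -1. */
int create_private_tmpfile(char *path, size_t pathlen) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(path, pathlen, "%s/netpbm-XXXXXX", dir) >= (int)pathlen) return -1;
    return mkstemp(path);
}

/* Where a fixed name cannot be avoided, O_EXCL|O_NOFOLLOW makes an existing
 * file or symlink fail with EEXIST rather than being overwritten. */
int open_fixed_tmp_checked(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check of the scenario in the Impact section, inside a private scratch
 * directory (constructed here) so nothing real is touched: a symlink waits at
 * the predictable name, pointing at a victim file. Returns 1 if the checked
 * open refuses it and the victim keeps its original contents, 0 otherwise. */
int demo_symlink_is_rejected(void) {
    char dir[] = "/tmp/glsa-demo-XXXXXX", victim[64], link[64], buf[16] = {0};
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return 0;
    fputs("original\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return 0;
    int fd = open_fixed_tmp_checked(link);      /* must fail with EEXIST */
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    f = fopen(victim, "r");
    if (f == NULL || fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
    if (f != NULL) fclose(f);
    unlink(link); unlink(victim); rmdir(dir);
    return refused && strcmp(buf, "original\n") == 0;
}
```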

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Netpbm users should upgrade to an unaffected version:

    # emerge sync

    # emerge -pv ">=media-libs/netpbm-10.0"
    # emerge ">=media-libs/netpbm-10.0"

References
==========

  [ 1 ] CVE-2003-0924
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0924
  [ 2 ] US-CERT VU#487102
        http://www.kb.cert.org/vuls/id/487102

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200410-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
