Gentoo Archives: gentoo-announce

From:	aliz@gentoo.org (Daniel Ahlberg)
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] GLSA: semi (200308-02)
Date:	Fri, 15 Aug 2003 06:58:17
Message-Id:	`20030814193029.B5D209FBE4@noc.internal.fairytale.se`

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - ---------------------------------------------------------------------
5	GENTOO LINUX SECURITY ANNOUNCEMENT 200308-02
6	- - - ---------------------------------------------------------------------
7
8	PACKAGE : semi
9	SUMMARY : insecure temporary files creation
10	DATE : 2003-08-14 19:30 UTC
11	EXPLOIT : local
12	VERSIONS AFFECTED : <semi-1.14.5-r1
13	FIXED VERSION : >=semi-1.14.5-r1
14	CVE : CAN-2003-0440
15
16	- - - ---------------------------------------------------------------------
17
18	quote from CVE:
19
20	"The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and
21	possibly other versions, allows local users to overwrite arbitrary files
22	via a symlink attack on temporary files."
23
24	SOLUTION
25
26	It is recommended that all Gentoo Linux users who are running
27	app-emacs/semi upgrade to semi-1.14.5-r1 as follows
28
29	emerge sync
30	emerge semi
31	emerge clean
32
33	- - - ---------------------------------------------------------------------
34	aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
35	usata@g.o
36	- - - ---------------------------------------------------------------------
37	-----BEGIN PGP SIGNATURE-----
38	Version: GnuPG v1.2.2 (GNU/Linux)
39
40	iD8DBQE/O+NVfT7nyhUpoZMRAlo0AJ0ZwAWeNbss87RYJ5UaSvHXkF3n7wCfbZTw
41	eDaHCxhEc1WGSEoQpcL+/J8=
42	=ThD4
43	-----END PGP SIGNATURE-----