Gentoo Archives: gentoo-commits

From: "Matthias Geerdsen (vorlon)" <vorlon@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200709-08.xml
Date: Sat, 15 Sep 2007 15:48:51
vorlon      07/09/15 15:41:24

  Added:                glsa-200709-08.xml
  GLSA 200709-08

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-200709-08.xml

file :

Index: glsa-200709-08.xml
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

<glsa id="200709-08">
  <title>id3lib: Insecure temporary file creation</title>
    A vulnerability has been discovered in id3lib allowing local users to
    overwrite arbitrary files via a symlink attack.
  <product type="ebuild">id3lib</product>
  <announced>September 15, 2007</announced>
  <revised>September 15, 2007: 01</revised>
    <package name="media-libs/id3lib" auto="yes" arch="*">
      <unaffected range="ge">3.8.3-r6</unaffected>
      <vulnerable range="lt">3.8.3-r6</vulnerable>
    id3lib is an open-source, cross-platform software development library
    for reading, writing, and manipulating ID3v1 and ID3v2 tags.
    Nikolaus Schulz discovered that the function RenderV2ToFile() in file
    src/tag_file.cpp creates temporary files in an insecure manner.
  <impact type="normal">
    A local attacker could exploit this vulnerability via a symlink attack
    to overwrite arbitrary files.
    There is no known workaround at this time.
    All id3lib users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=media-libs/id3lib-3.8.3-r6&quot;</code>
    <uri link="">CVE-2007-4460</uri>
  <metadata tag="submitter" timestamp="Thu, 13 Sep 2007 20:50:09 +0000">
  <metadata tag="bugReady" timestamp="Fri, 14 Sep 2007 08:35:20 +0000">

gentoo-commits@g.o mailing list