SecurityTracker.com


 


Category:   Application (Generic)  >   Portage
Vendors:   Gentoo
Gentoo Portage 'dispatch-conf' Uses Unsafe Temporary File That Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012108
SecurityTracker URL:  http://securitytracker.com/id/1012108
CVE Reference:   CVE-2004-1107
Updated:  Dec 1 2004
Original Entry Date:  Nov 8 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.51-r2 and prior versions
Description:   A temporary file vulnerability was reported in 'dispatch-conf', part of Gentoo's Portage package management system. A local user can delete or overwrite arbitrary files on the target system.

It is reported that dispatch-conf creates a temporary file in '/tmp' in an insecure manner. A local user can create a symbolic link (symlink) at the predictable temporary filename that points to a critical file on the system. Then, when a target user runs dispatch-conf, the file the symlink points to will be created or overwritten by dispatch-conf with the privileges of the target user, which may be root privileges.
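
The pattern described above, as an added example that is not code from Portage or from the advisory: a write to a predictable name follows a pre-existing symlink, while an exclusive create or `tempfile.mkstemp()` does not. It runs entirely inside a constructed sandbox directory; the name `dispatch-conf.tmp` and all paths are assumptions, since the advisory does not give the actual temporary filename.

```python
import os
import tempfile
from pathlib import Path


def unsafe_write(path, data):
    # Vulnerable pattern: open() follows a symlink already present at `path`.
    with open(path, "w") as f:
        f.write(data)


def exclusive_write(path, data):
    # Fixed name, hardened: O_EXCL fails if anything (even a symlink) exists
    # at `path`; O_NOFOLLOW also refuses a symlink as the final component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as f:
        f.write(data)


def random_write(directory, data):
    # Preferred: mkstemp() picks an unpredictable name and creates the file
    # with O_EXCL and mode 0600.
    fd, path = tempfile.mkstemp(prefix="dispatch-conf.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    # Constructed sandbox: `shared` stands in for /tmp, `victim` for a
    # critical file; the temporary file name is hypothetical.
    with tempfile.TemporaryDirectory() as box:
        shared = os.path.join(box, "tmp")
        os.mkdir(shared)
        victim = Path(box, "victim.conf")
        predictable = os.path.join(shared, "dispatch-conf.tmp")
        victim.write_text("original")
        os.symlink(victim, predictable)      # link planted at the known name
        unsafe_write(predictable, "scratch")
        after_unsafe = victim.read_text()    # the link target was overwritten
        victim.write_text("original")        # restore before the safe variants
        try:
            exclusive_write(predictable, "scratch")
            refused = False
        except FileExistsError:
            refused = True
        path = random_write(shared, "scratch")
        return after_unsafe, refused, victim.read_text(), os.path.islink(path)
```
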

Impact:   A local user can delete or overwrite arbitrary directories and files on the target system.
Solution:   Gentoo has issued a fix and indicates that all Portage users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.0.51-r3"

Vendor URL:  www.gentoo.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Gentoo)

Message History:   None.


 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200411-13 ] Portage, Gentoolkit: Temporary file vulnerabilities



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                        GLSA 200411-13:01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Portage, Gentoolkit: Temporary file vulnerabilities
      Date: November 07, 2004
      Bugs: #68846, #69147
        ID: 200411-13:01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

dispatch-conf (included in Portage) and qpkg (included in Gentoolkit)
are vulnerable to symlink attacks, potentially allowing a local user
to overwrite arbitrary files with the rights of the user running the
script.

Background
==========

Portage is Gentoo's package management tool. The dispatch-conf utility
allows for easy rollback of configuration file changes and automatic
updates of configuration files never modified by users. Gentoolkit is
a collection of Gentoo-specific administration scripts, one of which is
the portage querying tool qpkg.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /    Vulnerable    /           Unaffected
    -------------------------------------------------------------------
  1  sys-apps/portage            <= 2.0.51-r2             >= 2.0.51-r3
  2  app-portage/gentoolkit     <= 0.2.0_pre10       >= 0.2.0_pre10-r1
                                                     *>= 0.2.0_pre8-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

dispatch-conf and qpkg use predictable filenames for temporary files.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
an affected script is called, this would result in the file being
overwritten with the rights of the user running dispatch-conf or
qpkg, which could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Portage users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.0.51-r3"

All Gentoolkit users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-portage/gentoolkit-0.2.0_pre8-r1"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200411-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0


 
 



Copyright 2020, SecurityGlobal.net LLC