GLSA: scrollkeeper

From: Daniel Ahlberg (alizat_private)
Date: Wed Sep 04 2002 - 03:39:04 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - - --------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT
    - - --------------------------------------------------------------------
    
    PACKAGE        :scrollkeeper
    SUMMARY        :insecure temporary file creation
    DATE           :2002-09-04 10:30 UTC
    
    - - --------------------------------------------------------------------
    
    OVERVIEW
    
    The scrollkeeper-get-cl program creates temporary files in an insecure
    manner in /tmp using guessable filenames.
    
    DETAIL
    
    The scrollkeeper-get-cl program creates temporary files in an insecure 
    manner in /tmp using guessable filenames.  
    Since scrollkeeper is called automatically when a user logs into a Gnome 
    session, an attacker with local access can easily create and overwrite 
    files as another user.
    
    More information can be found at:
    
    http://online.securityfocus.com/archive/1/290090/2002-09-01/2002-09-07/0
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0662
    
    SOLUTION
    
    It is recommended that all Gentoo Linux users who are running
    app-text/scrollkeeper-0.3.11 and earlier update their systems
    as follows:
    
    emerge rsync
    emerge scrollkeeper
    emerge clean
    
    - - --------------------------------------------------------------------
    alizat_private - GnuPG key is available at www.gentoo.org/~aliz
    - - --------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQE9deLIfT7nyhUpoZMRApU7AJwN7/4Dxd8VGAl22Hzl3nhAqacKOgCgxAKS
    STYwVuRPVyXmLn4eNGzd2p0=
    =HfLu
    -----END PGP SIGNATURE-----
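
The temporary-file pattern the advisory describes, next to two safer ways to open the file. This is an added example, not scrollkeeper's code and not part of the original announcement. The file name `app-tempfile.0` and all function names are hypothetical, and the scenario is constructed inside a private scratch directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Weak: fixed, guessable name. open() follows a link already sitting at
 * that path and O_TRUNC empties whatever it points to. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at the path; mode 0600 keeps other users out. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and opens it O_EXCL, 0600. */
int open_random(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario in a private scratch directory: a link occupies the
 * guessable name before the program opens it. Returns 1 if the linked-to
 * file kept its contents, 0 if it was clobbered, -1 on setup error. */
int target_survives(int hardened) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", target[64], tmp[64], buf[8];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/app-tempfile.0", dir); /* hypothetical name */
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;
    fd = hardened ? open_exclusive(tmp) : open_predictable(tmp);
    if (fd >= 0) close(fd);
    fd = open(target, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    unlink(tmp); unlink(target); rmdir(dir);
    return n == 4;
}

int main(void) {
    printf("predictable open: target intact = %d\n", target_survives(0));
    printf("exclusive open:   target intact = %d\n", target_survives(1));
    return 0;
}
```

On current Linux kernels the `fs.protected_symlinks` sysctl also refuses to follow such links in sticky directories like /tmp, but exclusive creation in the program itself is the fix that does not depend on system configuration.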
    


