what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Gentoo Linux Security Advisory 200407-1

Gentoo Linux Security Advisory 200407-1
Posted Jul 2, 2004
Authored by Gentoo | Site gentoo.org

Tavis Ormandy has discovered a vulnerability in esearch for Gentoo Linux, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The vulnerability is caused due to the eupdatedb utility creating the temporary file /tmp/esearchdb.py.tmp insecurely. This can be exploited via symlink attacks to create or overwrite arbitrary files with the privileges of the user invoking the utility.

tags | advisory, arbitrary, local
systems | linux, gentoo
SHA-256 | e59e3827b241da0be587c4f5008b80fa8f0fb686c731080a1ab72a5fff0eff55

Gentoo Linux Security Advisory 200407-1

Change Mirror Download
<body style="margin: 0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<table border="0" cellspacing="0" cellpadding="0" width="100%"><tbody><tr>
<td width="99%" class="content" valign="top" align="left">
<br><p class="dochead">Esearch: Insecure temp file handling</p>
<p class="chaphead">
<span class="chapnum"><a name="doc_chap1">1. </a></span>Gentoo Linux Security Advisory</p>
<p class="secthead"><a name="doc_chap1_sect1">Version Information</a></p>
<table class="ntable">
<tbody><tr>
<td bgcolor="#7a5ada" class="infohead"><b>Advisory Reference</b></td>
<td bgcolor="#ddddff" class="tableinfo">GLSA 200407-01 / esearch</td>
</tr>
<tr>
<td bgcolor="#7a5ada" class="infohead"><b>Release Date</b></td>
<td bgcolor="#ddddff" class="tableinfo">July 01, 2004</td>
</tr>
<tr>
<td bgcolor="#7a5ada" class="infohead"><b>Latest Revision</b></td>
<td bgcolor="#ddddff" class="tableinfo">July 01, 2004: 01</td>
</tr>
<tr>
<td bgcolor="#7a5ada" class="infohead"><b>Impact</b></td>
<td bgcolor="#ddddff" class="tableinfo">normal</td>
</tr>
<tr>
<td bgcolor="#7a5ada" class="infohead"><b>Exploitable</b></td>
<td bgcolor="#ddddff" class="tableinfo">local</td>
</tr>
</tbody></table>
<table class="ntable">
<tbody><tr>
<td bgcolor="#7a5ada" class="infohead"><b>Package</b></td>
<td bgcolor="#7a5ada" class="infohead"><b>Vulnerable versions</b></td>
<td bgcolor="#7a5ada" class="infohead"><b>Unaffected versions</b></td>
<td bgcolor="#7a5ada" class="infohead"><b>Architecture(s)</b></td>
</tr>
<tr>
<td bgcolor="#ddddff" class="tableinfo">app-portage/esearch</td>
<td bgcolor="#ddddff" class="tableinfo">
<=
0.6.1</td>
<td bgcolor="#ddddff" class="tableinfo">
>=
0.6.2</td>
<td bgcolor="#ddddff" class="tableinfo">
All supported architectures
</td>
</tr>
</tbody></table>
<p>
Related bugreports:
<a href="http://bugs.gentoo.org/show_bug.cgi?id=55424">#55424</a>
</p>
<p class="secthead"><a name="doc_chap1_sect2">Synopsis</a></p>
The eupdatedb utility in esearch creates a file in /tmp without first
checking for symlinks. This makes it possible for any user to create
arbitrary files.
<p class="chaphead">
<span class="chapnum"><a name="doc_chap2">2. </a></span>Impact Information</p>
<p class="secthead"><a name="doc_chap2_sect1">Background</a></p>
<p>
Esearch is a replacement for the Portage command "emerge search". It uses
an index to speed up searching of the Portage tree.
</p>
<p class="secthead"><a name="doc_chap2_sect2">Description</a></p>
<p>
The eupdatedb utility uses a temporary file (/tmp/esearchdb.py.tmp) to
indicate that the eupdatedb process is running. When run, eupdatedb checks
to see if this file exists, but it does not check to see if it is a broken
symlink. In the event that the file is a broken symlink, the script will
create the file pointed to by the symlink, instead of printing an error and
exiting.
</p>
<p class="secthead"><a name="doc_chap2_sect3">Impact</a></p>
<p>
An attacker could create a symlink from /tmp/esearchdb.py.tmp to a
nonexistent file (such as /etc/nologin), and the file will be created the
next time esearchdb is run.
</p>
<p class="chaphead">
<span class="chapnum"><a name="doc_chap3">3. </a></span>Resolution Information</p>
<p class="secthead"><a name="doc_chap3_sect1">Workaround</a></p>
<p>
There is no known workaround at this time. All users should upgrade to the
latest available version of esearch.
</p>
<p class="secthead"><a name="doc_chap3_sect2">Resolution</a></p>
<p>
All users should upgrade to the latest available version of esearch, as
follows:
</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td class="infohead" bgcolor="#7a5ada"><p class="caption">Code Listing 3.1</p></td></tr>
<tr><td bgcolor="#ddddff"><pre> # emerge sync

# emerge -pv ">=app-portage/esearch-0.6.2"
# emerge ">=app-portage/esearch-0.6.2"</pre></td></tr>
</tbody></table>
<br><br>
</td>
</tr></table>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close