From aliz@gentoo.org Wed Sep 4 10:58:07 2002 From: Daniel Ahlberg To: full-disclosure@lists.netsys.com Date: Wed, 4 Sep 2002 12:39:10 +0200 Subject: [Full-Disclosure] GLSA: scrollkeeper -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT - - -------------------------------------------------------------------- PACKAGE :scrollkeeper SUMMARY :insecure temporary file creation DATE :2002-09-04 10:30 UTC - - -------------------------------------------------------------------- OVERVIEW The scrollkeeper-get-cl program creates temporary files in an insecure manner in /tmp using guessable filenames. DETAIL The scrollkeeper-get-cl program creates temporary files in an insecure manner in /tmp using guessable filenames. Since scrollkeeper is called automatically when a user logs into a Gnome session, an attacker with local access can easily create and overwrite files as another user. More information can be found at: http://online.securityfocus.com/archive/1/290090/2002-09-01/2002-09-07/0 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0662 SOLUTION It is recommended that all Gentoo Linux users who are running app-text/scrollkeeper-0.3.11 and earlier update their systems as follows: emerge rsync emerge scrollkeeper emerge clean - - -------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz - - -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9deLOfT7nyhUpoZMRAqFCAKDD/EQNROq9aNCwmtBiZlG8qYyM8ACgl36k cw3INUdcdWE381oJP/gXvQg= =fII2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html