GLSA Advocate
Posted: Sat Jul 03, 2021 4:26 am Post subject: [ GLSA 202107-03 ] libqb
Gentoo Linux Security Advisory
Title: libqb: Insecure temporary file (GLSA 202107-03)
Severity: high
Exploitable: local
Date: 2021-07-03
Bug(s): #699860
ID: 202107-03
Synopsis
Insecure temporary file usage has been reported in libqb,
possibly allowing local code execution.
Background
libqb is a library with the primary purpose of providing
high-performance, reusable features for client-server architecture, such
as logging, tracing, inter-process communication (IPC), and polling.
Affected Packages
Package: sys-cluster/libqb
Vulnerable: < 1.0.5
Unaffected: >= 1.0.5
Architectures: All supported architectures
Description
It was discovered that libqb used predictable filenames (under /dev/shm
and /tmp) without O_EXCL.
Impact
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application linked
against libqb.
Workaround
There is no known workaround at this time.
Resolution
All libqb users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-cluster/libqb-1.0.5"
References
CVE-2019-12779
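The file-creation pattern named in the Description, next to its hardened form, as an added example that is not code from libqb or from the advisory. The function names, the scratch directory and the "fixed-name" path are hypothetical; the scenario is constructed inside a private mkdtemp() directory and shows why a missing O_EXCL lets a pre-existing symlink redirect the write.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: fixed name, no O_EXCL. open() follows a
 * symlink already sitting at `path` and truncates whatever it points to. */
static int open_predictable(const char *path) {
    return open(path, O_CREAT | O_WRONLY | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if anything (including
 * a symlink) already exists at `path`; O_NOFOLLOW is defense in depth. */
static int open_exclusive(const char *path) {
    return open(path, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink is planted
 * at the predictable name, pointing at a file holding 6 bytes.
 * Returns the target's size after the open, or -1 on setup failure;
 * *open_errno is 0 if the open succeeded, else its errno. */
static long target_size_after_open(int use_exclusive, int *open_errno) {
    char dir[] = "/tmp/glsa-demo-XXXXXX", target[64], link_path[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/fixed-name", dir);
    int t = open(target, O_CREAT | O_WRONLY, 0600);
    if (t >= 0 && write(t, "secret", 6) == 6 && symlink(target, link_path) == 0) {
        int fd = use_exclusive ? open_exclusive(link_path) : open_predictable(link_path);
        *open_errno = fd < 0 ? errno : 0;
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    if (t >= 0) close(t);
    unlink(link_path); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e1, e2;
    long a = target_size_after_open(0, &e1), b = target_size_after_open(1, &e2);
    printf("no O_EXCL: size=%ld errno=%d | O_EXCL: size=%ld errno=%d\n", a, e1, b, e2);
    return 0;
}
```

Without O_EXCL the open succeeds and the symlink's target is truncated to zero bytes; with O_EXCL the open is refused and the target keeps its contents.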