GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Aug 07, 2005 7:15 am Post subject: [ GLSA 200508-05 ] Heartbeat: Insecure temporary file creati |
 |
|
Gentoo Linux Security Advisory
Title: Heartbeat: Insecure temporary file creation (GLSA 200508-05)
Severity: normal
Exploitable: local
Date: August 07, 2005
Bug(s): #97175
ID: 200508-05
Synopsis
Heartbeat is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.
Background
Heartbeat is a component of the High-Availability Linux project.
It it used to perform death-of-node detection, communications and
cluster management.
Affected Packages
Package: sys-cluster/heartbeat
Vulnerable: < 1.2.3-r1
Unaffected: >= 1.2.3-r1
Architectures: All supported architectures
Description
Eric Romang has discovered that Heartbeat insecurely creates
temporary files with predictable filenames.
Impact
A local attacker could create symbolic links in the temporary file
directory, pointing to a valid file somewhere on the filesystem. When a
vulnerable script is executed, this could lead to the file being
overwritten with the rights of the user running the affected
application.
Workaround
There is no known workaround at this time.
Resolution
All Heartbeat users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/heartbeat-1.2.3-r1" |
References
CAN-2005-2231
Last edited by GLSA on Wed Feb 15, 2012 4:20 am; edited 7 times in total |
|
News & Announcements
