GLSA Advocate
Posted: Wed Jan 09, 2008 10:26 pm Post subject: [ GLSA 200801-03 ] Claws Mail: Insecure temporary file creat
Gentoo Linux Security Advisory
Title: Claws Mail: Insecure temporary file creation (GLSA 200801-03)
Severity: normal
Exploitable: local
Date: January 09, 2008
Bug(s): #201244
ID: 200801-03
Synopsis
Claws Mail uses temporary files in an insecure manner, allowing for a symlink attack.
Background
Claws Mail is a GTK-based e-mail client.
Affected Packages
Package: mail-client/claws-mail
Vulnerable: < 3.0.2-r1
Unaffected: >= 3.0.2-r1
Architectures: All supported architectures
Description
Nico Golde from Debian reported that the sylprint.pl script that is part of the Claws Mail tools creates temporary files in an insecure manner.
Impact
A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail.
Workaround
There is no known workaround at this time.
Resolution
All Claws Mail users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/claws-mail-3.0.2-r1"
References
CVE-2007-6208
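The class of flaw named under Description and Impact, as an added Perl example (not code from sylprint.pl or the Claws Mail project, whose source is not shown in this advisory): a predictable temporary file name opened with plain open() is set beside O_EXCL creation and File::Temp. The sandbox directory, file names and contents are constructed for the demonstration, and everything happens inside a private directory that is removed on exit.

```perl
#!/usr/bin/perl
# Added illustration; not code from sylprint.pl. All names and paths are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Private sandbox standing in for a shared directory such as /tmp.
my $shared = tempdir(CLEANUP => 1);
my $victim = "$shared/important.txt";   # file owned by the user running the script
my $fixed  = "$shared/print_job.tmp";   # predictable temp name (constructed)

write_file($victim, "original contents\n");
symlink($victim, $fixed) or die "symlink: $!";   # link already present at the fixed name

# Weak pattern: open() with '>' follows the link and truncates its target.
open(my $weak, '>', $fixed) or die "open: $!";
print {$weak} "print job data\n";
close($weak);
print "after weak open:  ", read_file($victim);

# Hardened, fixed name: with O_CREAT|O_EXCL the open fails if anything,
# including a symlink, already exists at that path.
write_file($victim, "original contents\n");
if (sysopen(my $fh, $fixed, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    print "O_EXCL open unexpectedly succeeded\n";
} else {
    print "O_EXCL open refused: $!\n";
}

# Hardened, preferred: File::Temp chooses an unpredictable name and creates
# the file exclusively with mode 0600.
my ($tfh, $tname) = tempfile('print_XXXXXXXX', DIR => $shared, UNLINK => 1);
print {$tfh} "print job data\n";
close($tfh);
print "after tempfile(): ", read_file($victim);

sub write_file { my ($p, $d) = @_; open(my $f, '>', $p) or die "$p: $!"; print {$f} $d; close($f); }
sub read_file  { my ($p) = @_; open(my $f, '<', $p) or die "$p: $!"; local $/; my $d = <$f>; close($f); return $d; }
```

The first read shows the user's file replaced by the job data; the second shows it untouched after the O_EXCL refusal and the File::Temp write.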