GLSA Advocate
Posted: Wed Sep 09, 2009 9:26 pm
Post subject: [ GLSA 200909-10 ] LMBench: Insecure temporary file usage
Gentoo Linux Security Advisory
Title: LMBench: Insecure temporary file usage (GLSA 200909-10)
Severity: normal
Exploitable: local
Date: September 09, 2009
Bug(s): #246015
ID: 200909-10
Synopsis
Multiple insecure temporary file usage issues have been reported in
LMBench, allowing for symlink attacks.
Background
LMBench is a suite of simple, portable benchmarks for UNIX platforms.
Affected Packages
Package: app-benchmarks/lmbench
Vulnerable: <= 3
Architectures: All supported architectures
Description
Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not
handle "/tmp/sdiff.#####" temporary files securely. NOTE: There might
be further occurrences of insecure temporary file usage.
Impact
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
Workaround
There is no known workaround at this time.
Resolution
LMBench has been removed from Portage. We recommend that users unmerge
LMBench:
Code:
    # emerge --unmerge app-benchmarks/lmbench
References
CVE-2008-4968
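The Description notes that further insecure temporary file usage may remain. The shell sketch below is an added example, not part of the advisory or of LMBench's code: it counts lines in a script that build /tmp names from the shell PID and shows a mktemp-based replacement. The function names and the sample script are constructed, and reading "#####" as the shell PID ($$) is an assumption.

```shell
#!/bin/sh
# Added example, not LMBench code. Function names and the sample are constructed.

# Count lines that build a temp path from a fixed name plus the shell PID ($$),
# e.g. /tmp/sdiff.$$ (assumed reading of "/tmp/sdiff.#####"). Such names can
# be guessed before the script runs.
count_predictable_tmp() {
    grep -cE '/tmp/[A-Za-z0-9_.-]*\$\$' "$1" || true
}

# Print the offending lines with their line numbers for review.
list_predictable_tmp() {
    grep -nE '/tmp/[A-Za-z0-9_.-]*\$\$' "$1" || true
}

# Hardened replacement: mktemp picks an unpredictable suffix and creates the
# file with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink at
# that path makes creation fail instead of being written through.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/sdiff.XXXXXX"
}

# Constructed sample script containing the weak and the corrected pattern.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
diff a b > /tmp/sdiff.$$
sort /tmp/sdiff.$$ > /tmp/sorted$$
out=$(mktemp /tmp/sdiff.XXXXXX) || exit 1
diff a b > "$out"
EOF
}

sample=$(make_private_tmp) || exit 1
trap 'rm -f "$sample"' EXIT
write_sample "$sample"
echo "predictable temp names: $(count_predictable_tmp "$sample")"
list_predictable_tmp "$sample"
```

The pattern only catches PID-based names; fixed names such as /tmp/output and names built from the date need a separate review.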