<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200407-01"> <title>Esearch: Insecure temp file handling</title> <synopsis> The eupdatedb utility in esearch creates a file in /tmp without first checking for symlinks. This makes it possible for any user to create arbitrary files. </synopsis> <product type="ebuild">esearch</product> <announced>2004-07-01</announced> <revised count="02">2006-05-22</revised> <bug>55424</bug> <access>local</access> <affected> <package name="app-portage/esearch" auto="yes" arch="*"> <unaffected range="ge">0.6.2</unaffected> <vulnerable range="le">0.6.1</vulnerable> </package> </affected> <background> <p> Esearch is a replacement for the Portage command "emerge search". It uses an index to speed up searching of the Portage tree. </p> </background> <description> <p> The eupdatedb utility uses a temporary file (/tmp/esearchdb.py.tmp) to indicate that the eupdatedb process is running. When run, eupdatedb checks to see if this file exists, but it does not check to see if it is a broken symlink. In the event that the file is a broken symlink, the script will create the file pointed to by the symlink, instead of printing an error and exiting. </p> </description> <impact type="normal"> <p> An attacker could create a symlink from /tmp/esearchdb.py.tmp to a nonexistent file (such as /etc/nologin), and the file will be created the next time esearchdb is run. </p> </impact> <workaround> <p> There is no known workaround at this time. All users should upgrade to the latest available version of esearch. </p> </workaround> <resolution> <p> All users should upgrade to the latest available version of esearch, as follows: </p> <code> # emerge sync # emerge -pv ">=app-portage/esearch-0.6.2" # emerge ">=app-portage/esearch-0.6.2"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0655">CVE-2004-0655</uri> </references> <metadata tag="submitter"> condordes </metadata> </glsa>