Lucene search

Gentoo FoundationGLSA-200712-11

HistoryDec 13, 2007 - 12:00 a.m.

Portage: Information disclosure

2007-12-1300:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

EPSS

Percentile

5.1%

JSON

Background

Portage is the default Gentoo package management system.

Description

Mike Frysinger reported that the “etc-update” utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.

Impact

A local attacker could access sensitive information when configuration files are being merged.

Workaround

There is no known workaround at this time.

Resolution

All Portage users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=sys-apps/portage-2.1.3.11"

OSVersionArchitecturePackageVersionFilename
Gentooanyallsys-apps/portage< 2.1.3.11UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	sys-apps/portage	< 2.1.3.11	UNKNOWN

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

EPSS

Percentile

5.1%

JSON

Related for GLSA-200712-11