• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Focus On: Vista
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns

scrollkeeper
2002-09-04
Published: 2002-09-04 15:28:07
Updated: 2002-09-04 15:28:07

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :scrollkeeper
SUMMARY        :insecure temporary file creation
DATE           :2002-09-04 10:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

The scrollkeeper-get-cl program
creates temporary files in an insecure manner in /tmp using guessable
filenames.

DETAIL

The scrollkeeper-get-cl program creates temporary files in an insecure
manner in /tmp using guessable filenames.
Since scrollkeeper is called automatically when a user logs into a Gnome
session, an attacker with local access can easily create and overwrite
files as another user.

More information can be found at:

http://online.securityfocus.com/archive/1/290090/2002-09-01/2002-09-07/0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0662

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-text/scrollkeeper-0.3.11 and earlier update their systems
as follows:

emerge rsync
emerge scrollkeeper
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------