eix: Insecure temporary file creation
Gentoo Linux Security Advisory
||GLSA 200511-19 / eix
||November 22, 2005
||May 22, 2006: 02
All supported architectures
eix has an insecure temporary file creation vulnerability, potentially
allowing a local user to overwrite arbitrary files.
eix is a small utility for searching ebuilds with indexing for fast
Eric Romang discovered that eix creates a temporary file with a
predictable name. eix creates a temporary file in /tmp/eix.*.sync where
* is the process ID of the shell running eix.
A local attacker can watch the process list and determine the process
ID of the shell running eix while the "emerge --sync" command is
running, then create a link from the corresponding temporary file to a
system file, which would result in the file being overwritten with the
rights of the user running the application.
There is no known workaround at this time.
All eix users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose app-portage/eix