1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200712-11 / portage |
| Release Date | December 13, 2007 |
| Latest Revision | December 13, 2007: 01 |
| Impact | normal |
| Exploitable | local |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| sys-apps/portage | < 2.1.3.11 | >= 2.1.3.11 | All supported architectures |
Related bugreports: #193589
Portage may disclose sensitive information when updating configuration files.
Portage is the default Gentoo package management system.
Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.
A local attacker could access sensitive information when configuration files are being merged.
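The pattern described above, shown as an added example that is not etc-update's own code: a copy of a mode-600 file staged by shell redirection takes its permissions from the umask, not from the source file. Function and file names are hypothetical, and the file content is constructed.

```shell
#!/bin/sh
# Added illustration of the permission issue; not etc-update's own code.
# Function names and file names are hypothetical; the file content is constructed.

# Print a path's permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if the "other" read bit is set on the path.
world_readable() {
    m=$(file_mode "$1") || return 2
    case ${m#"${m%?}"} in
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Stage a copy of file $1 in new directory $2 under umask $3.
# Prints "<dir mode> <file mode> <world-readable: yes|no>".
stage_copy() {
    (
        umask "$3"
        mkdir "$2" || exit 1
        # Redirection creates the file as 666 & ~umask; the source mode is not inherited.
        cat "$1" > "$2/staged.conf"
        if world_readable "$2/staged.conf"; then wr=yes; else wr=no; fi
        printf '%s %s %s\n' "$(file_mode "$2")" "$(file_mode "$2/staged.conf")" "$wr"
    )
}

# Run both cases inside a private scratch directory and report the results.
demo() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX") || return 1
    src="$base/secret.conf"
    ( umask 077; printf 'password = constructed-sample\n' > "$src" )
    printf 'source:      %s\n' "$(file_mode "$src")"
    printf 'umask 022:   %s\n' "$(stage_copy "$src" "$base/weak" 022)"
    printf 'umask 077:   %s\n' "$(stage_copy "$src" "$base/safe" 077)"
    rm -rf "$base"
}

demo
```

The `world_readable` helper can also be pointed at any existing temporary or staging file to check whether it is exposed to other local users.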
There is no known workaround at this time.
All Portage users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"