1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200804-09 / am-utils |
| Release Date | April 10, 2008 |
| Latest Revision | April 10, 2008: 01 |
| Impact | normal |
| Exploitable | local |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-fs/am-utils | < 6.1.5 | >= 6.1.5 | All supported architectures |
Related bugreports: #210158
am-utils creates temporary files insecurely allowing local users to overwrite arbitrary files via a symlink attack.
am-utils is a collection of utilities for use with the Berkeley Automounter.
Tavis Ormandy discovered that, when creating temporary files, the 'expn' utility does not check whether the file already exists.
A local attacker could exploit the vulnerability via a symlink attack to overwrite arbitrary files.
There is no known workaround at this time.
All am-utils users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=net-fs/am-utils-6.1.5" |