TkMan: Insecure temporary file usage
Gentoo Linux Security Advisory
GLSA 200909-07 / tkman
September 09, 2009
September 09, 2009: 01
All supported architectures
An insecure temporary file usage has been reported in TkMan, allowing for
TkMan is a graphical, hypertext manual page and Texinfo browser for
Dmitry E. Oboukhov reported that TkMan does not handle the
"/tmp/tkman#####" and "/tmp/ll" temporary files securely.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
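
Added example (not TkMan's code and not the upstream or Gentoo fix): a Python sketch contrasting a plain open of a fixed temporary name, such as "/tmp/ll", with an exclusive create and with mkstemp. It assumes a POSIX system; the function names are hypothetical and a constructed sandbox directory stands in for /tmp.

```python
import os
import tempfile
from pathlib import Path


def write_predictable(path, data):
    """Unsafe pattern: a plain open() follows a symlink at a guessable path."""
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path, data):
    """Hardened: create the file ourselves or fail; never follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as fh:
        fh.write(data)


def write_private_temp(data, directory=None):
    """Preferred: mkstemp picks an unpredictable name, O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="tkman", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise all three writers inside a throwaway sandbox directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        target = sandbox / "user_file"   # constructed: a file the user owns
        fixed = sandbox / "ll"           # constructed: stands in for /tmp/ll
        target.write_text("important")
        fixed.symlink_to(target)         # a link already sits at the fixed name
        try:
            write_exclusive(fixed, "scratch")
            refused = False
        except FileExistsError:          # O_EXCL rejects any existing entry
            refused = True
        intact = target.read_text() == "important"
        write_predictable(fixed, "scratch")   # follows the link, truncates target
        clobbered = target.read_text() == "scratch"
        private = write_private_temp("scratch", sandbox)
        mode = os.stat(private).st_mode & 0o777
        return {"refused": refused, "intact": intact, "clobbered": clobbered, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The exclusive create fails with EEXIST when anything, including a symlink, already occupies the name, so the user's file is left untouched; the plain open writes through the link.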
There is no known workaround at this time.
All TkMan users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/tkman-2.2-r1"