LMBench: Insecure temporary file usage
Gentoo Linux Security Advisory
GLSA 200909-10 / lmbench
September 09, 2009
September 09, 2009: 01
All supported architectures
Multiple insecure temporary file usage issues have been reported in
LMBench, allowing for symlink attacks.
LMBench is a suite of simple, portable benchmarks for UNIX platforms.
Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not
handle "/tmp/sdiff.#####" temporary files securely. NOTE: There might
be further occurrences of insecure temporary file usage.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
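
The following is an added example, not code from LMBench or from this advisory: a shell audit that flags temporary file names built from the process ID in a source tree, next to the mktemp-based replacement. It assumes the "#####" in "/tmp/sdiff.#####" is the PID (written `$$`); the function names and the sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: find predictable /tmp names and show the hardened form.
# Assumption: "#####" in the advisory is the PID, written $$ or ${$}.

# Print "file:line:text" for each line that builds a /tmp path from the PID.
# Such names are guessable, so another local user can pre-plant a symlink.
find_predictable_tmp() {
    grep -rnE '/tmp/[A-Za-z0-9._-]*\$(\$|\{\$\})' -- "$1" 2>/dev/null
}

# Number of findings in a tree (0 when it is clean).
count_predictable_tmp() {
    find_predictable_tmp "$1" | wc -l | tr -d ' '
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so an existing symlink at that path is never followed.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Constructed sample tree: one script with the risky pattern, one hardened.
build_sample_tree() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'out=/tmp/sdiff.$$' \
        'diff "$1" "$2" > "$out"' > "$dir/risky.sh"
    printf '%s\n' '#!/bin/sh' 'out=$(mktemp) || exit 1' \
        'trap '\''rm -f "$out"'\'' EXIT' \
        'diff "$1" "$2" > "$out"' > "$dir/hardened.sh"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree.
demo_tree=$(build_sample_tree) || exit 1
echo "Predictable temp names found: $(count_predictable_tmp "$demo_tree")"
find_predictable_tmp "$demo_tree"
demo_tmp=$(make_private_tmp sdiff) || exit 1
echo "Private temp file: $demo_tmp"
rm -rf "$demo_tree" "$demo_tmp"
```

The pattern only catches PID-based names; fixed names and time-based names under /tmp need a separate review.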
There is no known workaround at this time.
LMBench has been removed from Portage. We recommend that users unmerge
Code Listing 3.1: Resolution
# emerge --unmerge app-benchmarks/lmbench