pmake: Insecure temporary file usage — GLSA 201310-17

pmake uses temporary files in an insecure manner, allowing for symlink attacks.

Affected packages

sys-devel/pmake on all architectures
Affected versions < 1.111.3.1
Unaffected versions >= 1.111.3.1

Background

pmake is Debian’s version of NetBSD’s make, a tool to build programs in parallel.

Description

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend[PID]), and without using $TMPDIR.

Impact

The make include files allow local users to overwrite arbitrary files via a symlink attack.

Workaround

There is no known workaround at this time.

Resolution

All pmake users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-devel/pmake-1.111.3.1"
 

References

Release date
October 28, 2013

Latest revision
October 28, 2013: 2

Severity
low

Exploitable
local

Bugzilla entries