Funtoo Linux: FL-6938

sys-apps/portage: CVE-2019-20384

    • Type: Security Vulnerability
    • Resolution: Fixed
    • Priority: Normal
    • Portage's /var/tmp/portage tree is accessible by arbitrary users by default. Nearly all the time, the files are not writable by normal users. But sometimes, there are exceptions, which means that for certain ebuilds that create public-writable files and directories, it is possible in some instances to 'inject' things into the build process that will get installed on the system.
    • CVE-2019-20384 https://bugs.gentoo.org/692492

      CVE-2019-20384 [21-01-2020]

      Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.

       

      Affected versions:

      • 2.3.68-r5
      • 2.3.78

            Assignee: Unassigned
            Reporter: d4g33z
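A way to check a build tree for the condition this issue describes, as an added example that is not part of the original report or of Portage itself: it walks a directory such as /var/tmp/portage and lists entries that other users could write to, plus entries owned by an account outside a trusted set. The function names, the `trusted_uids` parameter and the sample tree are assumptions made for illustration; on a real system pass the uids that are expected to own build files.

```python
import os
import stat
import tempfile

def audit_build_tree(root, trusted_uids=(0,)):
    """Return sorted (relative_path, reason) findings under a build tree."""
    findings = []
    if os.lstat(root).st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append((".", "tree root is accessible to other users"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow links planted in the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid not in trusted_uids:
                findings.append((rel, "owned by untrusted uid %d" % st.st_uid))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a tiny tree shaped like a package work directory."""
    root = tempfile.mkdtemp(prefix="portage-audit-")
    os.chmod(root, 0o755)  # default-style: other users can list and traverse
    plugins = os.path.join(root, "image", "plugins")
    os.makedirs(plugins)
    os.chmod(os.path.join(root, "image"), 0o755)
    os.chmod(plugins, 0o777)  # directory left open while the build runs
    check = os.path.join(plugins, "check_sample")
    with open(check, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(check, 0o755)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    # Trust the current user here so only permission findings are printed.
    for rel, reason in audit_build_tree(tree, trusted_uids=(os.geteuid(),)):
        print(rel, "->", reason)
```

Because permissions can change between build phases, a single run only shows the state at that moment; running it while a package is building is what reveals a directory that is open for part of the build.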