Funtoo Linux / FL-6938

sys-apps/portage: CVE-2019-20384

Details

    • Security Vulnerability
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • Portage's /var/tmp/portage tree is accessible by arbitrary users by default. Nearly all the time, the files are not writable by normal users. But sometimes, there are exceptions, which means that for certain ebuilds that create public-writable files and directories, it is possible in some instances to 'inject' things into the build process that will get installed on the system.
    • CVE-2019-20384 https://bugs.gentoo.org/692492

    Description

      CVE-2019-20384 [21-01-2020]

      Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.

       

      Affected versions:

      • 2.3.68-r5
      • 2.3.78
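
      An added example, not part of the original issue and not Portage's own code: a Python audit that checks whether a build tree such as /var/tmp/portage can be traversed by other users and lists entries under it that are world-writable or writable by an owner outside a trusted set. The function name `audit_build_tree` and the `trusted_uids` parameter are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_build_tree(root, trusted_uids=frozenset({0})):
    """Return sorted (path, reason) findings for a build tree.

    trusted_uids is an assumption of this example: the accounts that are
    expected to own writable files during a build (root by default).
    """
    findings = []
    top = os.lstat(root)
    # If "other" can traverse the top directory, unprivileged users can reach
    # any writable entry that a build leaves underneath it.
    if top.st_mode & stat.S_IXOTH:
        findings.append((root, "tree-accessible-to-others"))
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # a running build may delete files during the scan
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning on Linux
            if st.st_mode & stat.S_IWOTH:
                # Any local user can modify or add content here.
                findings.append((path, "world-writable"))
            elif st.st_uid not in trusted_uids and st.st_mode & stat.S_IWUSR:
                # Owned by and writable for an account outside the trusted
                # set, e.g. a service user that an ebuild hands a directory to.
                findings.append((path, "writable-by-untrusted-owner"))
    return sorted(findings)


if __name__ == "__main__":
    tree = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp/portage"
    for path, reason in audit_build_tree(tree):
        print(f"{reason}\t{path}")
```

      Run it as root against the build tree while a package is being built; an empty result means no flagged entries were present at the moment of the scan.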

          People

            Unassigned
            d4g33z