An insecure temporary file usage has been reported in GCC-XML allowing for symlink attacks.
Package | dev-cpp/gccxml on all architectures |
---|---|
Affected versions | < 0.9.0_pre20090516 |
Unaffected versions | >= 0.9.0_pre20090516 |
GCC-XML is an XML output extension to the C++ front-end of GCC.
Dmitry E. Oboukhov reported that find_flags in GCC-XML does not handle "/tmp/*.cxx" temporary files securely.
A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.
There is no known workaround at this time.
All GCC-XML users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-cpp/gccxml-0.9.0_pre20090516"
Release date
September 09, 2009
Latest revision
September 09, 2009: 01
Severity
normal
Exploitable
local
Bugzilla entries