Info

Disclosure

Jul 01, 2004

Discovery

Jun 28, 2004

Dates

Exploit

Unknown

Solution

Unknown

Description

esearch contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when eupdatedb creates a file in /tmp without first checking for the existence of a link. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability.

Classification

Location: Local Access Required
Attack Type: Race Condition
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to version 0.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Gentoo Foundation, Inc.	esearch	0.6.1
		0.6.2

References

Bugtraq ID: 10644
Secunia Advisory ID: 11991
ISS X-Force ID: 16584
CVE ID: 2004-0655 (see also: NVD)
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200407-01.xml
Mail List Post: http://www.securityfocus.com/archive/1/367864/2004-06-30/2004-07-06/0

Credit

Tavis Ormandy - tavisogoogle.com - Google Information Security Team

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Gentoo Foundation, Inc.

esearch

References

Credit