From Mageia wiki
Jump to: navigation, search

MGASA-2012-0316

Date: October 29th, 2012
Affected releases: 1, 2


Description:
Updated rpmdevtools package fixes security vulnerability:

A TOCTOU race condition was found in the way 'annotate-output' (used to
execute a program annotating the output linewise with time and stream) tool
of rpmdevtools before 8.3 performed management of its temporary files used
for standard output and standard error output. A local attacker could use
this flaw to conduct symbolic link attacks, possibly leading to their
ability in an unauthorized way to alter files belonging to the user running
the 'annotate-output' tool (CVE-2012-3500).


Updated Packages:
Mageia 1:
rpmdevtools-8.3-1.mga1

Mageia 2:
rpmdevtools-8.3-1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3500
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086138.html
https://bugs.mageia.org/show_bug.cgi?id=7465