sandbox: Insecure temporary file handling — GLSA 200507-22

The sandbox utility may create temporary files in an insecure manner.

Affected Packages

sys-apps/sandbox on all architectures
Affected versions < 1.2.11
Unaffected versions >= 1.2.11

Background

sandbox is a Gentoo Linux utility used by the Portage package management system.

Description

The Gentoo Linux Security Audit Team discovered that the sandbox utility was vulnerable to multiple TOCTOU (Time of Check, Time of Use) file creation race conditions.

Impact

Local users may be able to create or overwrite arbitrary files with the permissions of the root user.

Workaround

There is no known workaround at this time.

Resolution

All sandbox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/sandbox-1.2.11"

References

Release Date
July 25, 2005

Latest Revision
August 11, 2005: 02

Severity
low

Exploitable
local

Bugzilla entries