Portage: Information disclosure — GLSA 200712-11

Portage may disclose sensitive information when updating configuration files.

Affected packages

sys-apps/portage on all architectures
Affected versions < 2.1.3.11
Unaffected versions >= 2.1.3.11

Background

Portage is the default Gentoo package management system.

Description

Mike Frysinger reported that the "etc-update" utility uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.

Impact

A local attacker could access sensitive information when configuration files are being merged.
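The weakness described above, as an added illustration that is not Portage's or etc-update's own code: a scratch file written under the default umask comes out world-readable, while the same file written under umask 077 does not. File names, the sample secret, and the umask values are constructed for the example.

```shell
#!/bin/sh
# Added example (not Portage's or etc-update's code). Shows the weakness class
# in GLSA 200712-11: a merge scratch file created under the default umask is
# readable by every local user, and a restrictive umask prevents it.
# All names and values are constructed.

# Succeeds (exit 0) when the file's mode grants read to "others".
# Portable: the 8th character of the ls -l mode string is the other-read bit.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Weak pattern: the scratch file is written by plain redirection and inherits
# the process umask. Under the common default 022 it is created 0644.
create_merge_tmp_weak() {
    f="$1/merge-weak-$$.tmp"
    ( umask 022; printf 'db_password=constructed-secret\n' > "$f" )
    printf '%s\n' "$f"
}

# Hardened pattern: tighten umask to 077 before creating the scratch file,
# so it is created 0600 and readable only by the invoking user. mktemp(1)
# is an alternative, since it creates files 0600 regardless of umask.
create_merge_tmp_hardened() {
    f="$1/merge-safe-$$.tmp"
    ( umask 077; printf 'db_password=constructed-secret\n' > "$f" )
    printf '%s\n' "$f"
}

# Defender's check: list regular files under a directory that others can
# read (-perm -004 is the POSIX spelling of "other-read bit set").
find_world_readable() {
    find "$1" -type f -perm -004
}

# Self-contained run: create both files in a private scratch dir and report.
demo() {
    d=$(mktemp -d) || return 1
    create_merge_tmp_weak "$d" >/dev/null
    create_merge_tmp_hardened "$d" >/dev/null
    echo "world-readable files in $d:"
    find_world_readable "$d"      # lists only the weak file
    rm -rf "$d"
}
```

Run `demo` to see only the weakly created file reported; the hardened one is invisible to the check because the other-read bit was never set.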

Workaround

There is no known workaround at this time.

Resolution

All Portage users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.3.11"

Release date
December 13, 2007

Latest revision
December 13, 2007: 01

Severity
normal

Exploitable
local