Joined: 12 May 2004
|Posted: Mon Nov 25, 2013 7:26 pm Post subject: [ GLSA 201311-16 ] fcron: Information disclosure
|Gentoo Linux Security Advisory
Title: fcron: Information disclosure (GLSA 201311-16)
Date: November 25, 2013
A vulnerability has been found in fcron, allowing local attackers
to conduct symlink attacks.
fcron is a periodic command scheduler for Unix-based systems
Vulnerable: < 3.0.5-r2
Unaffected: >= 3.0.5-r2
Architectures: All supported architectures
The fcrontab function contains a race condition relating to symlinks.
A local attacker could perform symlink attacks to read arbitrary files
with the privileges of the user running the application.
There is no known workaround at this time.
All fcron users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-process/fcron-3.0.5-r2"