gnutls: arbitrary file overwrite

ID ASA-201606-10
Type archlinux
Reporter Arch Linux
Modified 2016-06-10T00:00:00


Setuid programs using GnuTLS could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available.
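
The difference between the two lookups, as an added C example that is not GnuTLS source code: the helper names are hypothetical, and the privilege check is written out by hand (approximating what secure_getenv() decides) so that both outcomes can be exercised without a setuid binary. Real code should call secure_getenv() directly where it is available, as the fix does.

```c
/* Added example: why a library must not trust GNUTLS_KEYLOGFILE in a
 * privileged process. Helper names are hypothetical, not GnuTLS code. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Nonzero when the process runs with more privilege than its invoker:
 * AT_SECURE set by the kernel on Linux, or real != effective IDs. */
int process_is_privileged(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE))
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Same contract as secure_getenv(): the invoker-controlled environment
 * is ignored when privileged. `privileged` is a parameter so that both
 * branches can be tested from an ordinary process. */
const char *env_unless_privileged(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

/* Open the key log only if the variable may be trusted. Returns NULL
 * when logging is disabled or the file cannot be opened. */
FILE *open_keylog(int privileged)
{
    const char *path = env_unless_privileged("GNUTLS_KEYLOGFILE", privileged);
    if (path == NULL || *path == '\0')
        return NULL;
    return fopen(path, "a");   /* opened with the effective uid's rights */
}

int main(void)
{
    FILE *fp = open_keylog(process_is_privileged());
    printf("key logging %s\n", fp ? "enabled" : "disabled");
    if (fp)
        fclose(fp);
    return 0;
}
```

With a plain getenv() the fopen() call is reached in a setuid program too, which is how an invoker-chosen path ends up written with the program's elevated rights.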